Phishing for Dollars

Lawyers need to take proactive steps to avoid becoming victims of cyber-crime

By George Takach


THE SUPREME IRONY of the Internet is that all the features of this wonderful communications medium that make it the best productivity tool in history also conspire to make it a dream come true for criminals. Lawyers know this — indeed, technology lawyers base their advice to clients regarding security, confidentiality and privacy on an understanding of it. But this just in — all lawyers need to understand it in order to avoid becoming victims of Internet-related crime.

What are these features that make the Internet so good and so bad? In no particular order, consider ease of use. The core browser technology is simple and intuitive. Toddlers pick it up in minutes. But browsing in a way that is “safe” and “defensive,” with all the appropriate security settings engaged — well, that's tougher.

The Internet is also fairly inexpensive, especially compared to the “long-distance” telecom services that predated it just 10 or 15 years ago. And this attractive price point (in some cases free, if you include Wi-Fi at the local coffee shop) has helped make the Net ubiquitous, at least for urban dwellers. But even people in rural areas are seeing improving broadband service through satellite-based services (though, granted, they are more expensive).

Easy-to-use, inexpensive, widely available — no wonder the Internet has become such a compelling tool for communication, whether in a social, business or government setting. I recently had a deal where my client, a Toronto-based tech company, was buying another tech company in a city in the south of France. My client's controlling shareholder was in Asia, and the investment banker for the target company was in Paris, as was their law firm. With the help of Internet-based phone and conference calls, emails and legal drafts sent as attachments, a digital “data room” that could be accessed by authorized persons from anywhere over the Internet, and ultimately with wire transfers of the purchase price, this deal closed in a very short period of time — a process that took much longer in the pre-Internet era. Nowadays, I can't even imagine how deals like this used to be done without the Internet as our indispensable communications infrastructure.

CRIMINALS LOVE THE INTERNET TOO!

From the time humans were first hunting and gathering – thousands of years ago – the technology that made life easier and business more productive was also used for nefarious purposes by criminals. The invention of the wheel has facilitated huge leaps in transportation productivity, resulting in immeasurable gain for farmers, manufacturers and people wanting to visit their friends or relatives. Wheels, however, are also indispensable for bank robbers.

In effect, the ironic “dual use” nature of technology – i.e., that the intended use is followed closely by criminal use – will likely be with us so long as unprincipled people continue to commit crimes against their industrious neighbours. The Internet is not the first example of this, merely the latest.

Myriad means exist for criminals to take advantage of the Internet. They can access other people's computers remotely – over the Internet – and steal valuable information and money. It used to be that robbers had to get in a car, drive to your home (or bank or law office) and physically gain entry to your files or the bank's vaults to get at the cash. And while some criminals continue to ply their trade in this old-fashioned, physical way, today's tech-savvy criminals can achieve more or less the same result without leaving the comfort of their home (or local Internet café or Wi-Fi hotspot to better cover their digital tracks).

FROM HACKING TO PHISHING

Cyber-criminals are getting smarter and more sophisticated. They are quite expert today at hacking into computer systems remotely. Their ability to exploit weaknesses in computers is constantly improving.

A good example of this unfortunate evolution is the graduation from viruses to malware. It used to be that many digital miscreants were content to launch a software virus that would rattle around in your computer infecting files and destroying data. A prime objective of the hacker was simply to wreak havoc, thereby impressing fellow hackers through the digital equivalent of weightlifters flexing biceps.

Today, many criminals have moved up the value chain. Their objective is to get your computer to accept some of their so-called “malware” — essentially a software program that, once loaded up on your computer, can allow the criminal to take over many of the functions of your machine, typically without your knowledge.

This is frightening stuff. It means the criminal malware implanter can get access to your passwords, your online e-banking accounts and more. And all this is done stealthily. At least with an old-fashioned hacker attack, you knew when you had an unauthorized intruder in your computer — now, not so much. The equivalent would be that the physical break-and-enter criminal is rummaging around the upstairs of your home, while you and your family are having dinner downstairs, completely unaware of the dangerous predator one floor above. Scary indeed.

The current state-of-the-art Internet-related crime is “phishing,” where the criminal sends an email message that looks and feels like it's coming from a reputable source, such as your bank. Consider the following real case reported by a law firm to its insurer in Canada in December 2012. The criminal infects the victim firm's computer with what's called a “Trojan banking” software program. The criminal, impersonating a bank representative, then calls the law firm's bookkeeper by telephone and gets her to type account and password data, which is then recorded for the criminal by the previously installed malware.

Armed with the account and password data, the criminal was able to access the law firm's trust accounts at the law firm's bank. And, you guessed it, they were able to wire several hundred thousand dollars from the law firm's bank accounts to the criminal's offshore accounts. All done without the criminal leaving the comfort of their home. Again, in the physical world it would be as if the break-and-enter criminal had managed to convince you not only to let him enter the house, but also to give him the password to the safe and all the jewellery inside. Very scary indeed.

RESPONDING TO CYBER-CRIME

Given the amount of cyber-crime hitting law firms, at least one mandatory lawyer insurance organization has introduced, effective January 1, 2014, cyber-crime coverage. But this should not lead to complacency on the part of lawyers.

First, the coverage amount is quite modest — $250,000 covering an incursion, intrusion, penetration, impairment, use or attack of a computer system by electronic means by a third party. Indeed, the coverage is so modest that law firms would do well to explore the cost and feasibility of additional cyber-crime coverage.

Second, what is required beyond insurance is a concerted, diligent effort to take appropriate, pro-active measures to avoid being a victim of cyber-crime. This involves undertaking a range of activities, including (but not limited to) the following.

On the technical front, there are numerous software tools that can help keep Internet-based criminality at bay, or at least lessen its likelihood. You need to be implementing so-called Internet firewalls, for example, and not just any kind of firewall, but one that you keep updating to match the ever increasing ingenuity of cyber-criminals. And when you work remotely, use a VPN connection that is initiated through a two-factor authentication system.

Equally, there is anti-spam and anti-malware software to install on your systems and devices. Again, these need to be updated regularly to take into account threats that surface constantly. Similarly, your Internet browser has different security settings, and it needs to be configured properly, while offering optimal protection against cyber-felons. And when you discard an old computer, you have to ensure the drive is wiped properly; otherwise you might be sending it out the door with data still on it.

If you're tech-savvy, then you might be able to stay on top of all these best practices. Chances are, though, you'll need to retain an expert for this — someone who fights cyber-criminals for a living. For example, did you know that after April 8, 2014, Microsoft will no longer be supporting Windows XP with security updates? Well, such an expert would know, and well in advance, so the replacement can be installed on time and in a manner that doesn't cause other problems that often arise from transitioning to new technology.

There are, however, some prophylactic measures against cyber-crime that you will have to take on yourself. Like keeping sensible passwords — it is amazing how many people use as a password the name of their pet dog or cat. And guess what, said canine and feline name is often easy to learn from a quick visit to a relevant Facebook page or other social-media service. So, in addition to working with a technical expert, you have to exercise some common sense, though it is surprising how often common sense is not as common as you would think.

It's imperative to teach all your lawyers, as well as all other staff, about the perils of not following best practices when using the Internet or networked devices. Remember, your digital security fence is only as strong as its weakest human link.

Finally, because even with all these precautions it is difficult to stop the determined cyber-criminal, you need to have a plan as to what you're going to do if you are hit with some cyber-criminality. You need to assemble the right team, take the right steps, and generally aim to minimize the fallout. Some advance planning on this front will pay solid dividends, if in fact the bad guys get through your defences.

George Takach is a senior partner at McCarthy Tétrault LLP, the author of Computer Law, and an Adjunct Professor in Computer Law at Osgoode Hall Law School.
