Charles Hoff, CEO and Co-Founder of PCI University, joins us today to discuss how cybercriminals are targeting the legal industry and the steps that law firms can take to protect their business and their clients. PCI University provides an innovative, secure cloud-based platform geared towards helping Small and Mid-sized business owners and franchisors/franchisees understand the complex issues of PCI DSS. PCI University is a Bluefin partner and provides our clients secure access to our Bluefin-branded PCI University website for PCI education and awareness.
“The first thing we do, let’s kill all the lawyers.”
This famous quote from Shakespeare’s Henry VI is often used to poke some good-natured (I hope) fun at the legal profession. Ironically, this is one of the most misinterpreted expressions, as Shakespeare was not speaking ill of lawyers, but was paying a compliment. In Henry VI, the phrase was uttered by conspirators who were concerned that lawyers would be on the front line of those who were savvy enough to see through their rebellious plot.
Fast forward from Shakespeare’s time to 2017 and our age of cybercrime, and it is apparent that the legal profession is having a difficult time upholding its reputation for seeing through the modern-day rebellious plot: the fraudulent schemes that lead to ID theft and fraud. I was reminded of this when I received a notice from both the Georgia Bar Association and the state Attorney General warning lawyers about fake emails from scammers posing as a government agency.
The emails targeted law firms and purported to come from the Department of Consumer Affairs. Each email “advised” that a complaint had been filed against the recipient’s firm, or against one of the firm’s clients, and urged the recipient to click a link or open an attachment to view the complaint. Following those instructions lets the attacker install malware on the attorney’s computer.
The fraud alert to lawyers in Georgia and South Carolina comes on the heels of several high-profile data security breaches at some of the nation’s most prominent law firms. It may be a case of the cobbler’s children having no shoes: some of these are the same firms that employ highly regarded data security lawyers.
In its 2015 Annual Security Report, Cisco Systems ranked law firms as the seventh most vulnerable industry for malware encounters, and Digital Guardian estimated that at least 80% of the 100 largest law firms have suffered some form of security breach. Why target law firms? They hold a treasure trove of sensitive, confidential client information: trade secrets, merger and acquisition plans, and government contracts.
The fact is that no individual, organization, or industry is immune to the clever and devious ways cybercriminals use social engineering and its variants, such as phishing and watering hole attacks, to carry out data breaches. These techniques have become the leading causes of breaches, and of the ID theft and fraud that follow.
Phishing is the practice of sending fraudulent emails (or placing telephone calls) that purport to come from a person’s employer, a government agency, or another reputable company in order to induce the recipient to reveal personal information such as passwords or credit card numbers. The same emails may also carry links to malicious sites or attachments containing malware, so the damage can be done even if the recipient never types anything in.
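As an added example (not code from this article, Bluefin or PCI University), here is a small Python checker that applies three tells of the “complaint filed” lure described above to constructed messages: a display name invoking a government body that mails from a domain other than .gov, a link whose visible text shows a different host than its real target (or a bare IP address), and an attachment of a type that commonly carries malware. The sample emails, the keyword list, the .gov expectation and the risky-extension list are all assumptions a firm would tune to its own environment; this is a heuristic, not a replacement for a mail security gateway.

```python
"""Heuristic phishing indicators for the 'complaint filed' lure (added example).

All sample messages are constructed; the sender keywords, the '.gov' expectation
and the risky extension list are assumptions, not rules from the article.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a sender whose display name invokes a government body should mail
# from a .gov domain; anything else deserves a second look.
GOV_KEYWORDS = ("department", "attorney general", "court", "irs")
# Assumption: attachment types that commonly carry malware in this kind of lure.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".docm", ".xlsm", ".zip")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme in visible link text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, address = parseaddr(str(msg["From"] or ""))
    sender_domain = address.rpartition("@")[2].lower()
    if any(k in display_name.lower() for k in GOV_KEYWORDS) and not sender_domain.endswith(".gov"):
        findings.append(f"sender claims to be '{display_name}' but mails from '{sender_domain}'")

    body = msg.get_body(preferencelist=("html",))  # None when there is no HTML part
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            target_host = host_of(href)
            if IP_RE.match(target_host):
                findings.append(f"link target is a bare IP address: {href}")
            # Visible text that looks like a URL but resolves to a different host
            if re.match(r"^(https?://|www\.)", text) and host_of(text) != target_host:
                findings.append(f"link text shows '{host_of(text)}' but points to '{target_host}'")

    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {filename}")
    return findings


# Constructed lure 1: a link whose visible text hides the real destination.
LINK_LURE = """\
From: "Department of Consumer Affairs" <notices@consumer-affairs-complaints.example>
To: partner@lawfirm.example
Subject: Complaint filed against your firm
Content-Type: text/html; charset=utf-8

<html><body><p>A complaint has been filed against your firm.</p>
<p><a href="http://198.51.100.7/complaint/view.php?id=4471">https://consumer.example.gov/complaints/4471</a></p>
</body></html>
"""


def attachment_lure():
    """Constructed lure 2: the same story delivered as a macro-enabled attachment."""
    m = EmailMessage()
    m["From"] = '"Office of the Attorney General" <complaints@ag-consumer-alerts.example>'
    m["To"] = "partner@lawfirm.example"
    m["Subject"] = "Complaint #4471 - response required"
    m.set_content("The attached complaint requires your response within 48 hours.")
    m.add_attachment(b"PK\x03\x04 constructed placeholder, not a real document",
                     maintype="application", subtype="octet-stream",
                     filename="Complaint_4471.docm")
    return m.as_string()


# Constructed benign message: agency domain and honest link, so nothing fires.
BENIGN = """\
From: "Department of Consumer Affairs" <notices@consumer.example.gov>
To: partner@lawfirm.example
Subject: Complaint filed against your firm
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://consumer.example.gov/complaints/4471">https://consumer.example.gov/complaints/4471</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("link lure", LINK_LURE), ("attachment lure", attachment_lure()), ("benign", BENIGN)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

Run stand-alone, the link lure produces three findings, the attachment lure two, and the benign message none. The link-text check is the one worth teaching staff as well as automating: hovering over a link to compare the displayed address with the real target is exactly what this code does.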
A watering hole attack is the industry term for injecting malware into a legitimate website that organizations in the target industry are likely to visit, so that it infects the IT systems of visitors who believed they were on a trusted site. The consequences of being lulled into such schemes can be devastating; they can cripple or even destroy a business.
Given that we are all vulnerable to cybercriminals, it is incumbent on every organization to protect itself by taking a comprehensive and layered approach to data security. For instance, it is necessary to:
- Train your personnel regularly to recognize and guard against the bag of social engineering tricks cybercriminals employ, including emails like the fake complaint notice described above.
- Implement protective technology. Examples are PCI-validated Point-to-Point Encryption (P2PE) and tokenization, as provided by Bluefin, which keep payment card data out of the firm’s own systems so that malware on a workstation has no card numbers to steal. Note that these protect cardholder data specifically; the client files that make law firms attractive targets need their own safeguards.
These steps will help accomplish what Shakespeare was actually saying about lawyers in Henry VI: putting you back on the front lines of seeing through the modern-day plots of scheming hackers.
Charles Hoff is the CEO and Co-Founder of PCI University, an innovative, secure cloud-based platform geared towards helping Small and Mid-sized business owners and franchisors/franchisees understand the complex issues of PCI DSS in plain English. PCI University’s patented and customizable PCI-Q assessment tool has been developed for non-technical users, and its educational tools are offered to merchant customers across all industries, including merchant acquirers and chain and franchise operators seeking PCI education, assessment, and customized action plans leading to compliance.