Law firm data breaches aren’t random, happy accidents for cyberthieves. The time and effort some bad actors devote to laying the groundwork for a single cyberattack is mind-boggling.
Oh, wait. You thought data breaches and other forms of cyberattack were purely the results of luck?
On the contrary. Quite often, attempts to breach a law office’s confidential data are the product of meticulous research and preparation.
Cyberthieves — generally a sophisticated bunch to start — have become quite savvy in their approach to their craft. In particular, they have harnessed a practice employed by legitimate marketers to identify sales prospects. The difference is that cybercrooks use this practice to identify prospective victims rather than customers.
I’m talking about the practice of creating an ICP — “ideal client profile” — and then scoping you out to see how closely you match that perfect picture.
How Hackers Learn About You
Cybercriminals find out whether you fit their ICP by plumbing readily available public information, a lot of which you have freely supplied (albeit innocently).
- The starting point is your LinkedIn profile. LinkedIn is a veritable goldmine of criminally exploitable information. Among the valuable details bad actors can extract from your profile are the names (and contact information) of people familiar to you, past employers, schools you attended and so forth. That makes it easy for a cunning cybercriminal to contact you via LinkedIn messaging posing as an old friend or associate. He may claim he’s resurfacing because he stumbled on a fun bit of nostalgia while reorganizing his desk and suggest you too will get a kick out a little trip back through time — if only you’ll send your personal email address so he can shoot the thing over to you as an attachment. Of course, to view it, you need to log in to your Office 365 or G-Workspace. It’s a sly phishing tactic that thousands fall prey to daily.
- The next place a cybercrook will trawl is Twitter. And Facebook, and Instagram, and any social media platform you use to publicly share the things you do, places you go, foods you like, friends you make, shows you watch, things you believe, and worldviews you support or oppose. Again, the insights afforded by this expedition enable the baddies to masquerade as someone you know, or someone with shared interests, to gain your confidence. This can quickly establish trust.
- The last stop for profilers is public records. Cybercriminals will research data from legitimate governmental agencies and business concerns as well as the records found in the seedy electronic back alleys of the Dark web.
Is This You? Cybercrooks Look for These ICP Traits
On “paper,” you’re going to be considered a suitable target for a cyberattack if you tick these checkboxes:
1. You have no gray hairs.
Scientists have documented that the younger you are, the more inclined you are to trust others. In the context of a hacker-world ICP, the more trusting you are, the easier it is for you to be conned into taking action urged upon you by a cyberthief to render your data vault vulnerable to attack.
2. You’re open to new experiences.
According to a study in the journal Cyberpsychology, Behavior, and Social Networking, people who like trying new things tend to be strongly susceptible to propositions from conniving cyber-schemers. The openness to new experiences causes people to drop their guard when, for example, they are invited to download a free app that promises to make their lives better.
3. You’re frequently stressed out.
Or fearful. Or happy. Or in love. Cybercriminals who follow your online musings know what you’re feeling and stand by to offer you emotional support. It could be the start of a beautiful friendship (one that ends with a law firm data breach).
4. You’ve got money.
The evidence of your affluence is public record. A data thief simply needs to Google your name and note the ZIP code to get an idea of how much dough you have (and thus can afford to pay in a ransomware demand). Using your home address as your business address? Criminals use Zillow, too. Real estate sites give literal insight into what your home looks like and where your loved ones sleep. Other available gauges of your wealth include social media posts that reveal your preferences in restaurants, cars, fashion accessories, leisure travel, hobbies and club memberships.
5. You employ people.
Cybercrooks can make hay if they identify people who work for you (or at one time did). Your website probably has a page titled “Our Team” that names your key employees. Websites such as Glassdoor publish reviews from former employees. Cybercrooks checking these reviews can look for disgruntled ex-employees to befriend and convince to supply a wealth of intel about your cybersecurity practices and tech-based defenses.
6. You have unsecured internet-connected devices.
Searchable websites collect this kind of information (for example, Shodan). Cyberthieves use these sites the same way you use Google or DuckDuckGo for legitimate purposes.
7. You represent a notorious client.
Such representation draws the attention of hacktivists who declare you anathema and therefore deserving of a career-destroying punishment, such as suffering reputational damage or financial ruin from a law firm data breach that exposes all your confidential data.
Cyberstalkers Know You Well
The big takeaway here is that cybercriminals are skilled at identifying vulnerabilities. The extent of the insights they have into your life is nothing short of frightening.
This is why you can’t go about your business blithely, imagining that your law practice is too small for cybercrooks to bother with. If you fit the profile of the lawyer ripe for the digital pickings, you will be attacked sooner rather than later.
The Bad Actors Know About You
And they know exactly why you keep putting off addressing your cybersecurity vulnerabilities. Don’t give attackers any more advantages when it comes to breaching your law practice. My advice?
- Be more reticent when it comes to sharing personal information on social media. (For example, if you work from home, register as an online business when you set up your Google Business profile so that your physical address and photos of your home won’t show up on Google Maps.)
- Be less trusting of seemingly friendly messages and emails that cross your transom. While technology solutions can greatly improve your defenses, humans are the last line of defense. Don’t click on attachments from unknown senders. If a large file arrives from someone you haven’t heard in for a long time, call them to say hello and ask about the email before you click.
- Be more vigilant in general — including asking qualified cybersecurity professionals to assess your current level of protection and recommend safeguards. (Read: “Law Firm Cyber Risk: 7 Things You Can Do to Lower Your Risk of Being Attacked.”)
Rereading this, even I got stressed. My intent is not to scare you or make you feel you should unplug from the digital world or not use LinkedIn to build your network. (I’m very active on it myself.) My intention is to educate you so that you can be proactive and reduce your chances of falling prey to a law firm data breach.
Subscribe to Attorney at Work
Get really good ideas every day for your law practice: Subscribe to the Daily Dispatch (it’s free). Follow us on Twitter @attnyatwork.