My cyber security awareness training never stops, and even though much of it is self-inflicted, I often feel like I’m still losing ground. In fact, today I’m thinking that selling everything I have, disconnecting from the wired world, and moving to some remote island where I could live out my life running a small tapas stand near a beach might be the way to go. I suspect more than a few of you feel similarly from time to time.
What got me going today was continuing to read up on the recent MGM Resort ransomware attack, which appears to have been quite sophisticated and yet so frustratingly easy to execute. If you’re curious as to how it all went down, it was a cross-tenant impersonation attack. Yes, I know. What the heck is that, am I right? Here’s the crazy part: this devastating attack started with a quick call to the company’s IT help desk with a password reset request. To pull that off, all the hacker needed to know was an employee name, ID number, and date of birth, all of which were easily obtainable.
Of course, my day was just getting started. While I’ve been talking about caller ID spoofing for quite some time, today I learned how widely available services such as SpoofCard actually are. Now, for a fee, anyone can quickly and easily change their caller ID, change the sound of their voice, and even change the background noise of the call. That’s certainly not good news, and my learning didn’t stop there. Attackers are now using powerful AI tools to clone victims’ voices. What about those banks, credit card companies, and corporations that rely on voice-based authentication systems? They’ve got a new problem to deal with, and so do the rest of us. If you think your bank account or other types of accounts can’t be breached, or think a member of your staff can’t be fooled, think again. All a hacker needs to do is call you or anyone at your office under the guise of being a prospective client, press record, and they’re well on their way.
Today I want to share a cyberbreach call I received that has stuck with me for a while. Here is the gist of it. Upon arriving at their office one morning, a couple of lawyers discovered their firm had been broken into. Three laptops containing all kinds of client information were on the list of items taken. The first question asked of me was “What should we do now?” It was a legitimate question and one deserving of an answer, but I needed to know more. That was when I learned the laptops were not password protected, were not encrypted, and contained no laptop tracking software. In response, I shared that the only thing that could be done now was to take whatever steps they could to prevent anyone from using the stolen hardware to break into the firm’s network. They should also file a claim with their cyber insurance carrier and notify all clients impacted by the theft. Beyond that, everyone was going to have to live with the reality that the data on those laptops was in someone else’s hands, and may, in fact, eventually fall into the hands of others, none of whom will have the firm’s or the firm’s clients’ best interests at heart.
After that call ended, I just sat there shaking my head wondering why these lawyers never took any steps to try to prevent access to client and firm data should something unexpected, like this break-in, ever occur. Sadly, I have an inkling. Security experts tell me they see this all the time. We live in a crazy cybercrime world, and the crazier it becomes, the more we all look for ways to escape from it, be it dreaming of walking away to sell tapas on the beach, choosing to remain in denial that something bad will ever happen, or ignoring it because there’s nothing anyone can do anyway.
While these are all normal responses when something seems overwhelming, they can also lead to serious trouble if any particular response prevents you from taking steps to responsibly deal with the reality of the situation. This is what I believe is behind the failure of a firm to take proactive steps and do all it can to become as cyber secure as possible. In all seriousness, I’ve seen it in the eyes of too many. We’ll be talking about things like the use of encryption, strong passwords coupled with password managers, or even the necessity of conducting ongoing cybersecurity awareness training when the willingness and motivation to do something just seems to waft away.
Look, I really do get it. As the Borg, an alien race in the Star Trek: The Next Generation TV series, used to say: “Resistance is futile.” That line hits home for me when I start to think about cyber security because the headlines tell us daily that it’s a losing effort, so why even try? But try we must. If the lawyers mentioned above had just taken the single and simple step of encrypting the hard drives of those laptops, the difficult and problematic task of notifying all clients of the breach, not to mention the potential long-term fallout of having their own personal identities stolen, could have been avoided entirely.
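The lesson of the stolen laptops is that disk encryption is a setting you can verify, not just a policy you hope is in place. As an added example that is not part of the original article, here is a PowerShell audit that lists every fixed drive on a Windows laptop whose BitLocker protection is off, suspended, or still encrypting, so a firm can confirm the control actually exists before a laptop goes missing. It assumes Windows 10 or 11 with the built-in BitLocker module and an elevated session; the function names and the computer names in the usage line are my own placeholders.

```powershell
# Added example (not from the article): audit BitLocker coverage on fixed drives.
# Assumes Windows 10/11, the built-in BitLocker module, and an elevated session.

function Get-BitLockerAudit {
    # Only internal (fixed) disks matter here; removable media is a separate policy question.
    $fixedMounts = Get-Volume |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):" }

    foreach ($bl in Get-BitLockerVolume) {
        if ($fixedMounts -notcontains $bl.MountPoint) { continue }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            MountPoint = $bl.MountPoint
            # ProtectionStatus 'On' means the key protectors are enforced at boot.
            # 'Off' with a FullyEncrypted volume means protection was suspended
            # (common after firmware updates) and the disk is readable by anyone holding it.
            Protection = $bl.ProtectionStatus
            Status     = $bl.VolumeStatus          # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            Percent    = $bl.EncryptionPercentage
            Protectors = ($bl.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

function Get-UnprotectedVolumes {
    # A volume only counts as protected when encryption is complete AND enforced.
    Get-BitLockerAudit | Where-Object {
        $_.Protection -ne 'On' -or $_.Status -ne 'FullyEncrypted'
    }
}

# Run locally: print the full picture, then fail (non-zero exit) if anything is exposed,
# so the same script can be dropped into a scheduled task or a login check.
Get-BitLockerAudit | Format-Table -AutoSize

$exposed = @(Get-UnprotectedVolumes)
if ($exposed.Count -gt 0) {
    Write-Warning "$($exposed.Count) fixed volume(s) are NOT fully protected by BitLocker:"
    $exposed | Format-Table MountPoint, Protection, Status, Percent, Protectors -AutoSize
    exit 1
}
Write-Host "All fixed volumes are fully encrypted with BitLocker protection on."
```

To check a whole fleet rather than one machine, the same audit function can be pushed to each laptop over WinRM with placeholder names, e.g. `Invoke-Command -ComputerName 'LAPTOP-01','LAPTOP-02' -ScriptBlock ${function:Get-BitLockerAudit}`, and the combined output filtered for anything whose `Protection` is not `On`. The point of checking `Status` as well as `Protection` is that a laptop that was "encrypted last year" can still be sitting with protection suspended, which is exactly the state a thief would hope for.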
If you count yourself as one of the folks who believe it won’t ever happen to you, feel that ignorance is bliss, believe there’s nothing you can do to prevent it so why bother, or are just counting the days until the dream of getting away can become a reality, all I can say is this. Yes, becoming cyber secure is a pain. Do it anyway. Trust me, the headache that comes with being proactive is going to be far less than the one that comes with being a hacker’s next victim. Want proof? The MGM ransomware attack cost the company $100 million so far, and the lawsuits are just getting started. Oh, and remember this attack started with a simple request to reset a user password, something that a basic cybersecurity awareness training program could have easily prevented. (mic drop)
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 600 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.