Cybersecurity tip #1 for lawyers: don't recycle your passwords

Practice-management platform Clio sees new patterns in attacks

Joshua Lenon and Scott Kramer

The most effective way to protect your practice from malicious actors online is a simple, but often overlooked rule: don’t recycle your passwords.

With more than 150,000 subscribers worldwide, software engineers at Clio often have first-hand visibility of security breaches and attempts that their clients experience.

These attempted breaches on the cloud-based practice-management platform often take the form of excessive login attempts: an attacker has identified that a particular email address is attached to a Clio account and is applying brute force to try to crack it. This often happens when a Clio subscriber has a user ID or password that overlaps with another service.
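The pattern described above, many failed logins against one account from a spread of source addresses, sometimes followed by a success, is what a defender would look for in authentication logs. The following Python is an added illustration, not Clio's code; the log format and the sample lines are constructed for the example, and the threshold and window are assumptions a practitioner would tune to their own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <email> <source IP> <SUCCESS|FAIL>"
# bob shows a burst of failures from six addresses followed by a success;
# carol shows the two mistyped passwords of a normal user.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice@example-firm.test 203.0.113.10 SUCCESS
2024-03-01T09:01:10 bob@example-firm.test 198.51.100.7 FAIL
2024-03-01T09:01:12 bob@example-firm.test 198.51.100.8 FAIL
2024-03-01T09:01:15 bob@example-firm.test 198.51.100.9 FAIL
2024-03-01T09:01:19 bob@example-firm.test 198.51.100.10 FAIL
2024-03-01T09:01:22 bob@example-firm.test 198.51.100.11 FAIL
2024-03-01T09:01:25 bob@example-firm.test 198.51.100.12 FAIL
2024-03-01T09:01:30 bob@example-firm.test 198.51.100.12 SUCCESS
2024-03-01T09:05:00 carol@example-firm.test 203.0.113.22 FAIL
2024-03-01T09:05:08 carol@example-firm.test 203.0.113.22 FAIL
2024-03-01T09:05:15 carol@example-firm.test 203.0.113.22 SUCCESS
"""

FAIL_THRESHOLD = 5             # assumed: failures within WINDOW that raise an alert
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting failures


def parse_log(text):
    """Parse log lines into (timestamp, email, ip, ok) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("SUCCESS", "FAIL"):
            continue
        ts = datetime.fromisoformat(parts[0])
        events.append((ts, parts[1].lower(), parts[2], parts[3] == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def flag_accounts(text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {email: summary} for accounts whose failed logins within `window`
    reach `threshold`. The summary records the peak failure count, how many
    distinct source IPs produced those failures (many IPs per account is the
    signature of credential stuffing rather than a forgotten password), and
    whether a SUCCESS followed the burst within the window, i.e. whether the
    reused credential appears to have worked and the account needs attention."""
    by_email = defaultdict(list)
    for ts, email, ip, ok in parse_log(text):
        by_email[email].append((ts, ip, ok))

    flagged = {}
    for email, evs in by_email.items():
        fails = [(ts, ip) for ts, ip, ok in evs if not ok]
        best = None
        start = 0
        # Two-pointer sliding window over the time-sorted failures.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, s, e = best
        burst = fails[s:e + 1]
        burst_end = burst[-1][0]
        success_after = any(
            ok and burst_end <= ts <= burst_end + window for ts, _, ok in evs
        )
        flagged[email] = {
            "failures": count,
            "distinct_sources": len({ip for _, ip in burst}),
            "success_after_burst": success_after,
        }
    return flagged


if __name__ == "__main__":
    for email, info in flag_accounts(SAMPLE_LOG).items():
        print(email, info)
```

Run against the sample, only bob's account is flagged: six failures from six different addresses inside the window and a success right after, which is the case a firm would want to treat as a likely compromise rather than a locked-out user. Carol's two failures from a single address stay below the threshold.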

“We're diagnosing, I would say, symptomatic issues of password and credential reuse where an attacker is gaining foothold in a firm through a reused password from something that's been breached,” says Scott Kramer, director of information security at Clio. “Then, from gaining that foothold within the firm's email accounts, we see attackers that are then pivoting and trying to access ancillary services. Clio, being one of those.”

“The passwords are being reused on really mundane things, like a parking meter app,” adds Joshua Lenon, Clio’s lawyer in residence. “That parking meter app gets, unfortunately, hacked or leaked, and that information is then just being applied to anything and everything they can find in an email address or any other linked accounts. They'll just go to every website they can think of and start pounding that in.”

Clio is seeing a rise in lawyer-specific phishing attempts. These attacks use plausible messaging to corral employees. Once firms’ email systems are vulnerable, their cloud services can be compromised in turn, says Lenon.

Legal vendors need to invest in security and be transparent about the nature of those services because lawyers' ethical standards require them to know the security that is available or unavailable, and the shared roles and responsibilities, he adds.

“Like password management,” says Lenon. “Clio can help with that. But if you're going to reuse the same password for your parking meter, there's absolutely no way we can do that. So, it’s that shared responsibility.”

Phishing is the biggest source of cyberattacks in the legal industry, he says. According to the American Bar Association’s Techreport 2022, 32 percent of the law firms surveyed said they had been infected by a virus, spyware, or malware.

While email is the “big, weak link,” all communication channels are a potential risk, says Lenon. There is more texting between lawyers, and they need to maintain the same vigilance because text messaging is a “potential vector” for malware, he says.

“Industry-wide, we're also seeing social-media messaging, along with texting, becoming an avenue for establishing a foothold,” says Kramer. “The general premise of an attacker is to first get that initial point of compromise within an organization and then to pivot.”

A receptionist or intake employee, who may be less aware of the risks and of the data and processes they can access, may have family members using the same computer they use for work, he says. This creates an opportunity for that foothold, and for the attacker to reach other systems and services within the organization.

Lenon and Kramer note that the ABA’s recent survey for Techreport 2022 found that 27 percent of respondents said they had experienced a security breach, while another 25 percent did not know whether they had. Less than half – only 48 percent – said they had not experienced a security breach.
