Practice-management platform Clio sees new patterns in attacks
The most effective way to protect your practice from malicious actors online is a simple, but often overlooked rule: don’t recycle your passwords.
With more than 150,000 subscribers worldwide, software engineers at Clio often have first-hand visibility of security breaches and attempts that their clients experience.
These attempted breaches at the cloud-based practice-management platform can take the form of excessive login attempts, where a hacker has identified that a particular email address is attached to a Clio account and is applying brute force to try to crack it open. This often happens when a Clio subscriber has a user ID or password that overlaps with another service.
“We're diagnosing, I would say, symptomatic issues of password and credential reuse where an attacker is gaining foothold in a firm through a reused password from something that's been breached,” says Scott Kramer, director of information security at Clio. “Then, from gaining that foothold within the firm's email accounts, we see attackers that are then pivoting and trying to access ancillary services. Clio, being one of those.”
“The passwords are being reused on really mundane things, like a parking meter app,” adds Joshua Lenon, Clio’s lawyer in residence. “That parking meter app gets, unfortunately, hacked or leaked, and that information is then just being applied to anything and everything they can find in an email address or any other linked accounts. They'll just go to every website they can think of and start pounding that in.”
Clio is seeing a rise in lawyer-specific phishing attempts. These attacks use plausible messaging to corral employees. Once firms’ email systems are vulnerable, this can then compromise their cloud services, says Lenon.
Legal vendors need to invest in security and be transparent about the nature of those services because lawyers' ethical standards require them to know the security that is available or unavailable, and the shared roles and responsibilities, he adds.
“Like password management,” says Lenon. “Clio can help with that. But if you're going to reuse the same password for your parking meter, there's absolutely no way we can do that. So, it’s that shared responsibility.”
Phishing is the biggest source of cyberattacks in the legal industry, he says. According to the American Bar Association’s Techreport 2022, 32 percent of the law firms surveyed said they had been infected by a virus, spyware, or malware.
While email is the “big, weak link,” all communication channels are a potential risk, says Lenon. There is more texting between lawyers, and they need to maintain the same vigilance because text messaging is a “potential vector” for malware, he says.
“Industry-wide, we're also seeing social-media messaging, along with texting, becoming an avenue for establishing a foothold,” says Kramer. “The general premise of an attacker is to first get that initial point of compromise within an organization and then to pivot.”
A receptionist or intake employee, who may be less aware of the risks and of the data and processes to which they have access, may have family members working on the same computer they use for work, he says. This creates an opportunity for that foothold, and for the attacker to reach other systems and services within the organization.
Lenon and Kramer note that the ABA’s recent survey for Techreport 2022 found that 27 percent of respondents said they had experienced a security breach, but another 25 percent did not know whether they had or not. Less than half – only 48 percent – said they had not experienced a security breach.