Cybersecurity Awareness Month: “Near Miss” Cyber Incidents Reported to CLIA
Many cyber incidents are reported to CLIA that never materialize into a claim because effective preventative steps had already been taken, and appropriate mitigation strategies were implemented by the law firm. “Near miss” incidents are prime opportunities to learn what can be done to prevent cyber incidents before they occur.
Here are a few examples of cyber incidents reported to CLIA, in which the law firm’s preventative and mitigating steps helped avoid a claim:
Ransomware was installed on a law firm’s computer system due to weak security on the system. The firm took immediate action and contacted a local IT firm for support. Since the firm had appropriate backups in place prior to the ransomware attack, the IT professional was able to restore the systems and nearly all their data. A ransom was not paid to the attacker.
A lawyer’s email was hacked, likely due to a weak or leaked password. The impersonator sent an email to the lawyer’s paralegal requesting funds be removed from the firm’s trust account. The lawyer noticed the email in their account and determined that their email had been hacked. The lawyer reported the incident, engaged the firm’s IT personnel, changed their password, and implemented dual factor authentication. The paralegal also noticed that the request was in a different form from how the lawyer would normally make it, which made them suspicious and cautious. No trust funds were transferred to the fraudster.
A lawyer’s work cell phone was reported stolen. The phone contained email and text communication with clients. The device was password protected. As soon as the lawyer realized it was missing, the lawyer was able to remotely delete the phone’s apps and data. The phone was later recovered and determined to be lost and not stolen. The data was not compromised.
A law firm was notified by their firewall vendor that they were experiencing suspicious activity and was advised to install an update to the firewall. By the time the install was complete, it was suspected that some user information may have been removed from the firm’s network. The firm immediately took steps to protect their data, such as shutting down internet access and engaging a forensic firm to investigate further. It was determined that no client data was compromised.
A lawyer noticed unusual spam emails coming to their email inbox. The lawyer contacted the firm’s IT contractor, who discovered that the lawyer’s email account had been hacked. The IT contractor froze the account, reset the password, set up dual factor authentication, and took steps to investigate and ensure that other email accounts at the firm were secure and unaffected. The investigation confirmed that client files and the firm’s computer network were unaffected. Affected parties were notified of a potential privacy breach, and otherwise, the matter was concluded.
From these examples, we can identify effective preventative measures that the law firms already had in place:
Appropriate backups
Strong passwords on devices and accounts
Maintaining up-to-date software
Ability to remotely wipe mobile devices, like cell phones and laptops
IT professionals accessible for assistance
Lawyers and staff who could identify red flags/unusual behaviour
And effective mitigation measures that the law firms took after noticing a potential cyber incident:
Froze accounts
Turned off internet access
Reset passwords
Notified their respective IT professional
Their IT professional investigated the source of the incident
Through investigation, the IT professional determined whether client data was accessed and/or compromised
Following the incident, they enhanced their protection by implementing dual factor authentication
Even though these incidents did not result in a loss, the following were weaknesses that may have contributed to a cyber incident occurring in the first place:
Weak system security, including weak passwords
Lack of multi-factor authentication
Software in need of updates
Mobile devices left unaccounted for
Note that, even in instances where a cyber incident did not result in a financial loss or compromised data, there may still be a privacy breach if data was accessed by an unauthorized party, which would be investigated and managed alongside any investigation into the cyber incident.
If you have questions about whether you should report a potential cyber incident to CLIA or how to report a cyber incident to CLIA, see our previous blog post Managing and Reporting a Cyber Attack.