As go-to experts for online marketing for law firms, we get a lot of data security questions from how to prevent ransomware to the security of cloud computing. In light of huge data breaches and corresponding lawsuits for large companies like Target, Home Depot, and Equifax, and even government departments like the US Dept. of Health and Human Services, these questions land in our laps even more frequently.
While most of the team is fairly technical, being an expert digital marketer for law firms and being a data security expert for law firms are very different skill sets.
We found that not only were lawyers turning to us for answers on data security, Bar Associations were asking us to present on the ethics issues surrounding technology such as cloud computing and e-discovery. We needed our own go-to expert for many of these topics, so we turned to Tim Rettig, president & CEO of Intrust-IT, a business technology provider headquartered in Cincinnati, Ohio.
In addition to leading his company, Tim often speaks on data security topics for small businesses around the country. Read our recent Q&A session below.
Mark: Tim, can you give me your background in information technology and data security?
Tim: I started Intrust IT 25 years ago actually, so we’ve been around for quite some time. Prior to that my father started a software company in the mid-70s and I worked with him in grade school, high school and college, so I’ve been in the industry for almost 35 years. In that time, I’ve helped a lot of companies with their technology and the one thing I built a passion for in that time was security. This was due to the fact that I saw a lot of small businesses deeply affected by security breaches and issues that came up.
Therefore, one of the things we focus on with our clients we consult and/or provide IT services for is their security. We make sure their systems are secure, but also that their user security is in place by giving them training and educating people on what security issues they should be worried about and what systems hackers are going after.
Mark: Lawyers have an ethical obligation to maintain client confidentiality. But maintaining that confidentiality has taken on new concerns as we see that large organizations and even political organizations are not able to stop hackers breaching their security. Are small businesses like law firms also a target?
Rettig: Absolutely, that’s definitely what we are seeing. The fact is that we are talking about cybercrime organizations; these are well-funded, organized crime rings, not the old stereotype of the lone wolf hacker. These cyber crime organizations can now scale and run their operations efficiently enough that they’re able to go after small businesses with more frequency. While small businesses have traditionally not been as secure as large organizations, in the past they weren’t as much of a target because it was a very cumbersome effort for a cyber criminal to perform a hack, so they focused on large businesses to get more data for their effort. However, now, cybercriminals can go after hundreds and hundreds of small businesses faster than ever, so the possible smaller payoff is now worth the effort.
There are three things that are really driving this:
- The first is the cloud. It’s not that the cloud is less secure than servers and systems in-house—it’s actually more secure. But criminals are using the cloud to scale their operations just like a small business would. In the past, if you are a criminal, when you wanted to set up a server to hack into somebody’s system or collect data over the internet, you’d have to buy the equipment and put it somewhere, like your apartment. Now, with a stolen credit card, cyber-criminals can spin up a server in the cloud in a matter of minutes and easily move it around from data centers in-between countries and cloud companies very easily before it is discovered. That’s giving the cyber criminals a lot of scale.
- The second thing that we are seeing is TOR (an acronym for “The Onion Router”), a piece of software that the US government actually created to let people that are in compromised or censored parts of the world, like North Korea and China, securely communicate outside of the borders. It encrypts your communications and hides where you are on the Internet, which enables you to have anonymity online. It was created by the government for a good purpose, but criminals found that they can use this software to hide anywhere on the internet and people will not be able to figure out where they are. You may have heard of it called “the dark web”, but it’s not a place or a secret chat room, it’s just secret software on your computer that gives them total encrypted communication, allowing criminals to hide in plain sight.
- The third thing we are seeing is digital currency. In the past, if you wanted to do a transaction like buying or selling credit card numbers or confidential corporate data numbers for example, criminals would have to physically meet somewhere with a bag of unmarked bills. Now, anyone can go to Wal-Mart and buy a gift card and use it to buy Bitcoin over the internet. With digital currency like Bitcoin, cyber-criminals can trade over the internet, anonymously.
In the past, if you were able to hack into a large company like Target and you got a million credit card numbers, it was very difficult to sell that data. You couldn’t put out a classified ad or on a bulletin board and it was hard to try to get somebody to buy it from you on the street corner. Now, hackers can sell your confidential data or credit card information for pennies or dollars at a time anonymously out on the internet. The criminal is likely not actually using those credit card numbers to go to a retail store or buy things on Amazon, they are typically just selling the data and letting someone else deal with it, often because they are in another country altogether where they can’t even use what they’ve stolen. For example, a criminal in another country would have a difficult time using a credit card that’s from Texas, but they can sell it to a bunch of people that live in Texas who could use it to go to the store, the gas station, or buy things online.
Mark: You are actually seeing this affect small businesses more and more?
Rettig: Definitely. Symantec had a recent study where they found that 1 out of every 135 emails received contained a malicious link trying to get a user at a small business to click on it. People receive hundreds of emails a day. That means you and your law firm’s employees could be getting multiple emails per day that have malicious links in them. This is when I often have to remind business owners about the scale of cybercrime. These criminals are sending out tens of thousands of emails every day. For very little cost and effort they can send out these malicious emails to thousands of employees at thousands of small businesses, then all they need is a few people to click on it. They are able to make $300 or more for every person that clicks on these links because they can then encrypt their data and then hold it for ransom. Or they can install a key logger on your employee’s computer along with thousands of other computers out there and collect logins to things like cloud email servers, cloud file servers, bank and credit card websites, and more.
This interview has been edited and condensed.