The impulse to rely on well-established security practices like installing anti-virus software and operating system updates is certainly understandable. Who wants to invest time, effort, or money in new security approaches which rarely increase efficiency or add measurable value to clients? Unfortunately, as the Internet has evolved and so many aspects of our daily lives take place online, anti-virus software has simply not been able to keep pace with threats emerging in the web 2.0 world. As a result, lawyers need to exert more caution than ever when reading email or surfing the Internet, or they may find themselves among the growing number of malware victims.
Here are three major reasons that Internet users must look beyond anti-virus software alone as a security strategy:
Reason 1: There Are Too Many Viruses To Defend Against
Traditional anti-virus software (now often referred to more broadly as anti-malware software) is often very effective against known viruses, but less reliable against newly released viruses. anti-virus engineers need to understand how a virus works in order to program anti-virus software to properly detect and stop a newly discovered attack. New viruses are typically able to infect at least a few organizations before anti-virus vendors can effectively tailor their software to protect against a newly emergent threat.
Hackers know that a virus will enjoy a limited lifespan before they get caught by anti-virus software, so they constantly write and release new viruses. Over the years, anti-virus vendors have attempted to keep pace with virus development, but the explosion of malware over the past few years has made this an increasingly difficult task. McAfee estimates that new malware is being released at a rate of about one new virus per second and anti-virus vendors are inevitably falling behind.
Evidence of this lag surfaced in the recent New York Times hacking scandal, where it was discovered that Chinese hackers infected the Times’ computers with multiple pieces of malware. The New York Times had deployed Symantec anti-virus software to protect their systems, but Symantec’s software was only able to successfully detect 1 of the 45 viruses which were installed on the New York Times computers (about a 2.2% success rate). When asked why their anti-virus software failed to protect the Times, Symantec frankly stated: “Anti-virus software alone is not enough.” Instead they recommended a blended security approach using multiple types of protections. If the anti-virus vendors themselves are telling consumers not to rely too heavily on their software’s protections, then consumers should probably pay attention.
Reason 2: Many New Attacks Don’t Even Involve Your Computer
Even if anti-virus vendors were able to immediately detect and block every new virus intended for your personal computer, consumers would remain vulnerable to the growing number of attacks targeting social media accounts, cloud services, and mobile devices. The first Facebook malware was discovered back in 2007, and the past year has seen a renewed focus on hacking a variety of social media platforms, including the popular Pinterest and Twitter. These attacks often extend beyond installing a virus on your computer to the hijacking of your social media profile in order to send out spam advertisements or links to dangerous websites. These types of attacks are often carried out entirely in your web browser, not by viruses installed on your computer, which means that anti-virus software can do little to protect your account from being compromised.
Cloud computing services and cloud-based accounts bring a similar set of concerns. As an increasing number of lawyers embrace cloud computing as a critical business tool, hackers see cloud computing accounts as another means to steal valuable data. The data stored in the cloud resides outside the protection of your anti-virus software, and lawyers rely on their cloud service providers to implement the appropriate protections. When you store highly sensitive data in the cloud, selecting a cloud provider with defenses strong enough to ward off the growing number of hacking attempts becomes critically important.
While not every lawyer has embraced the cloud or needs to worry about cloud security, smartphone adoption among lawyers is nearly universal. The ABA 2012 Legal Technology Survey Report found that 89% of attorneys reported using a smartphone for law-related tasks. How many of those lawyers have bothered to install anti-virus software on their mobile phone or tablet? Mobile malware is experiencing exponential growth, with the Android operating system currently the favorite target. If smartphone users (especially those who use Android) do not take the same basic precautions on their mobile devices as they do on their computers, we can expect a repeat of the widespread virus infections of the late 1990s and early 2000s.
Reason 3: The Stakes Are Higher Than Ever
Because the evolution of how we use the Internet has been gradual, many users may not recognize that the consequences of a security incident have been significantly heightened over the years. Ten years ago, the biggest risk most of us faced from a bad virus infection was the loss of files and a temporarily disabled computer. Now attackers can affect not only an people’s personal files but also their public persona, their ability to do billable work, and their client relationships. Lawyers have more to lose than ever from a hijacked account or virus-infected computer simply because we manage so much more of our personal and professional lives online than we did just a few years ago. Sticking to the 1999 security playbook no longer makes sense when facing the risks of 2013.
Take the time to evaluate your information security exposure to identify and prioritize your largest risks. Are your biggest cyber risks personal or professional in nature (or both)? How would you respond if your Twitter or LinkedIn account was hijacked and used to send out spam or malware to friends and clients? Could a serious security incident cost you a major client? Are you handling data that is covered by the various breach notification laws? How long could you be without a laptop or smartphone before it started to impact your billable hours? These types of questions will build awareness of your current cyber exposure and will help identify deficiencies.
While anti-virus is undoubtedly an important security measure, recognizing that it no longer represents a silver bullet against emerging online threats is a good first step. When lawyers and staff understand that anti-virus software simply can’t protect them as well as it used to, they will be more likely to exercise caution when working with sensitive data. Indeed, a healthy dose of paranoia on the part of Internet users can provide stronger protection than many expensive security products, and is a good place to start for small practices with limited security budgets. There is no “one-size-fits-all” security strategy that will work for every law firm, but any firm employing an “anti-virus-only approach” is almost guaranteed to be facing more exposure than an informed analysis would recommend.