Marquez: New year, same old fears: AI makes threats more sophisticated


As 2024 begins, what challenges should law firms anticipate when it comes to technology, specifically cybersecurity? The adage, “The more things change, the more they stay the same,” is probably as true as it has ever been. Artificial intelligence will continue to advance in its usefulness and be integrated into every facet of our days (whether we like it or not). I am personally waiting for the return of Clippy to our “favorite” word processor, but this time overpowered and more annoying. I certainly can’t be alone in this.

As powerful and useful as AI can be in making us more efficient at our tasks, we shouldn’t forget that the “bad guys” have access to AI’s capabilities, too, and will most definitely be looking to harness its power for their nefarious schemes. The ability to use AI tools to write more legitimate-looking emails will continue to raise the rate at which phishing attempts make it through your firm’s spam filters.

TMI (too much information)

When I conduct cybersecurity training, I make it a point to warn users to minimize and be cautious about what they post on public platforms such as LinkedIn and Facebook — especially to avoid those annoying “get to know me,” 20-question-type things where people answer what their first car was (and probably their current first verification question on some platform), what year they graduated, their favorite food and so on. It takes very little effort, and much of it can be automated, to mine these sites and build a file on you. This isn’t new. But it only gets worse.

In an article on TechTarget by Kyle Johnson, “9 cybersecurity trends to watch in 2024,” Oliver Tavakoli, CTO at Vectra AI, shares this grim epiphany for what we can expect: “It’s easy to take all this data and dump it into something like ChatGPT and tell it to write something using this specific person’s style.” AI is going to make it easier for the bad guys to write very convincing emails that seem to come from a named partner to a young associate eager to impress, or to someone in accounts payable — and you see where this is going.

So how does one combat this? The genie is already out of the bottle. The internet is forever, and it would likely be an exercise in futility to try and go back and lock down or delete posts where you may have shared too much personal information. And certainly, you’re not going to tell your attorneys who create posts and articles on LinkedIn to stop. AI is here, and we have to come to terms with the fact that it will be a tool for both good and evil.

As I always like to tell clients, if you give me a blank check, I can solve all your problems (and some of mine, too), but really, there is nothing better that a law firm can invest in that is going to be more effective than end user training and awareness.

Phishing attempts, impersonation and social engineering are nothing new. But the enemy has more and better tools now, and we can’t rest thinking our spam filtering solution is going to save us from disaster. Even if we could crank the settings to 11 (for anyone who remembers “Spinal Tap”), we would just end up blocking more legitimate emails, and IT would be asked to whitelist every domain under the sun (a very bad idea).

If you haven’t already implemented some type of cybersecurity awareness training for your attorneys and staff, I don’t believe it is too late to make this a new year’s resolution for your firm. My suggestion is that this type of training should be done when: you onboard a new employee, once a quarter as a refresher and whenever a new specific threat is making the rounds. Here are two more ideas beyond training your end users.

Establishing protocols

Establish protocols for your firm that you can implement during this training and enforce them across the board. We tell our clients that when in doubt, always forward suspicious emails to IT to review. It’s always better to be safe than sorry, and IT will have different views into the email’s origin than what the usual end user has. If the suspicious email appears to be from an internal address, your users have even more options to confirm its authenticity. Most desks still have this old piece of technology that one can use; it is called a telephone. Pick it up and call the person to confirm they sent you a request to purchase a bunch of gift cards to send to a client. If your desk doesn’t have a phone, don’t worry; doing a Teams/Zoom call with them with video would be the surest way of confirming the email was legitimate.

Also consider limiting the use of email communications to specific and necessary work-related functions. For all the fun stuff and extracurricular activities that have nothing to do with mission-critical client matters or business operations, use your intranet. Don’t have an intranet set up yet? Talk to your IT personnel about the potential of leveraging Yammer, which already comes with your Microsoft 365 subscription, to set up a basic intranet with different discussion areas.

Prohibit email for specific requests

Another protocol your firm can establish is that specific forms be used for certain requests instead of email. Do not allow emails to be used for making requests to pay a vendor, change direct deposit information or other sensitive information. This process doesn’t have to be complicated — in fact, it can be quite easy using Microsoft Forms, which already comes with your Microsoft 365 subscription. You make the form and lock it down to only people in your organization and post it on your firm’s intranet.

Never let down your guard

No doubt many of you have seen your fair share of phishing emails and impersonation attempts over the years. With AI, these attacks are going to become far more sophisticated and frequent. It will become more of a challenge to tell a legitimate email from a malicious one. Even the more obvious ones that make it through your spam filter will eat minutes out of your day. When it comes to AI versus AI, end user training for the attorneys and staff in your firm is going to make all the difference. It is important to remember that, with all the safeguards and technology at your disposal, the end user is the last line of defense against bad actors using AI.

__________

Tino Marquez ([email protected]) is a co-owner of the Indianapolis-based legal technology company Modern Information Solutions LLC. Areas of service include traditional IT services, software training and litigation support, including trial presentation services. Opinions expressed are those of the author.
