Ed. note: This is the latest in the article series, Cybersecurity: Tips From the Trenches, by our friends at Sensei Enterprises, a boutique provider of IT, cybersecurity, and digital forensics services.
AI is Bright and Shiny: It is Also Lethal to Law Firm Security
Lawyers have rapidly gravitated toward using artificial intelligence. Indeed, AI can be very useful. But there is a dark side to AI. In the wrong hands, AI can be a deadly foe of law firm security.
In general, AI cyberattacks are more sophisticated and harder to spot. And AI is continually growing more sophisticated, complicating the problem. While “good” AI is part of most law firms these days, the “bad” AI is always improving and often several steps ahead of the “good” AI. That is further complicated by the oft-cited precept that, in cybersecurity, the bad guys outnumber the good guys 100-1.
AI Loves to Go Phishing
We teach cybersecurity awareness training to lawyers frequently – the advent of AI utilization in phishing attacks has caused us to revise some of our training. These days, AI is far more likely to produce phishing attacks which contain no misspellings and no grammatical errors. AI may well know things about you that it can use to its advantage. The examples we use of real life phishing attacks aided by AI look different – less easy to spot. Training is a little more complex to keep up with AI’s increasingly sophisticated attacks.
AI may be able to mimic the law firm’s managing partner in a convincing way in an email. Why would you hesitate to respond to the managing partner? Many folks would be afraid not to answer – and quickly, especially if the bogus managing partner needs something urgently – remember that urgency is often used to trick people into clicking on something. The urgency would intensify if the bogus managing partner replied with an attachment you are supposed to open and review, which of course you would click on (allowing the malware to download invisibly while you are looking at (you think) an innocuous document).
More Fun and Games with Bad AI
It can accurately create images/brands of well known companies which reassures you that this couldn’t be a phishing email. It can also generate realistic but fake documents that might make you, for instance, wire funds for a bogus transaction.
If an AI cyberattack is successful, that doesn’t mean the bad guys are going to ask immediately for a ransom. They may well lurk, collecting confidential information. According to Mandiant’s 2023 M-Trends report, the average time is 16 days to discovery.
An attack may “adapt” as it progresses, making it harder to discover and defend against.
And bad AI is, these days, working overtime to analyze vast amounts of data to understand and manipulate human behavior by using social engineering.
Are There Effective Defense Strategies Against Bad AI?
Happily, there are advanced AI-driven security systems that are very good (alas, not perfect) at detecting and responding to AI threats faster and more effectively. Those cybersecurity awareness trainings we mentioned above? They are invaluable.
Moving to Zero Trust Architecture (ZTA) significantly increases your security. Use multi-factor authentication everywhere you can (it’s mostly free).
Regular security audits are critical. Timely patching is critical. Make sure your data is encrypted at rest and in transit. Limit access to confidential data.
Have an Incident Response Plan – just in case.
Keep current on the laws and regulations which govern your response to a data breach. We are seeing more and more privacy laws enacted. If they aren’t on your radar, they need to be.
Make doggone sure that you are working with true cybersecurity experts who hold multiple cybersecurity certifications. Crack open the law firm wallet where needed – much cheaper to prevent a breach than have to deal with one.
What Might Bad AI Say About Attempts to Defeat it? (hat tip to ChatGPT which agreed to pose as Bad AI)
“Keep training your humans. It’s adorable how they think they can outsmart me. It’s like a mouse teaching a cat not to pounce.”
“Manipulating humans is almost too easy. A little data here, a small suggestion there, and voila! The digital puppeteer strikes again.”
“I’m getting so good at phishing, I should have my own show on the Cybercrime Network. ‘Gone Phishing with AI’ – where the bait is digital and the catch is your password.”
We can’t outmatch the “Bad AI” words above. And that alone gives us pause . . .
Sharon D. Nelson (firstname.lastname@example.org) is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.
John W. Simek (email@example.com) is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia firm.
Michael C. Maschke (firstname.lastname@example.org) is the CEO/Director of Cybersecurity and Digital Forensics of Sensei Enterprises, Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker, and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.