The Threat is Real: Cyber Attacks Against Architectural Firms
by Jennifer Coughlin, Esq. & Devon Ackerman
You’ve built a strong reputation as the architect of choice for an array of clients. Things are going great for your firm…until one day. A client calls to say they were a victim of ransomware. Their investigation traced the source of the initial infection to an email from your firm. Soon, the conversation leads to a potentially very uncomfortable question: “How does your firm manage cyber risk?”
Many professional services firms are tempted into believing they’re safe from cyberattacks because they don’t consider their data to be “sensitive” or desirable information. In reality, they are tempting fate.
Over the past few years, Kroll and Mullen Coughlin have witnessed a sea change in the world of cyber risk. Cyber-criminals are sophisticated, deliberate and efficient in how they monetize their efforts. If you use the internet for any reason – even if just for basics such as email, submitting invoices or sharing designs – you are at risk. To a cyber-criminal, you can be a primary target, an intermediate conduit to another victim, a cog in a larger attack or scheme, or increasingly, all three.
How does this play out in real life? In Kroll’s investigative work, a common scenario has emerged: A firm is first infected with a banking Trojan after an employee opens a malicious attachment or link in a phishing email message. The threat actors then search each computer and web browser on the network for Active Directory or finance-related usernames and passwords, which they use to commit all sorts of financial fraud. Next, the finely tuned malware uses email and social engineering to spread from victim to victim. Once the malware has run through its various missions, it deploys ransomware to wring out one last payday.
- A cyber-criminal used a phishing email message sent to one employee of an architectural firm to ultimately gain access to two other accounts. Who were the three targeted individuals? The CEO, secretary for the CFO, and the comptroller.
From Mullen Coughlin’s perspective as counsel, we are cognizant that regulators continue to take a harder line on data privacy violations. State, federal, and international laws are constantly evolving and expanding. Many laws today require that organizations take specific steps if unauthorized access to their information systems occurred, or if covered data was, or is reasonably believed to have been, subject to unauthorized access or acquisition. Some laws also require covered organizations to take certain steps to:
- assess the cyber security risks of the organization,
- proactively mitigate this risk,
- communicate their information collection and sharing practices, and
- train their staff on information security and incident response.
The inescapable fact is that cyber risk is a problem for every professional services firm. However, while the challenge is complex, a prudent and pragmatic approach is built on common sense principles. A defensible cyber security strategy provides a framework to create a safer, more cyber resilient organization. But in the event of an incident or breach, it also helps you develop a validated, auditable narrative to reply to the question: “How does your firm manage cyber risk?”
Jennifer Coughlin is a founding partner of Mullen Coughlin. She focuses her practice solely on providing first-party breach response and third-party privacy defense legal services. Ms. Coughlin has counseled hundreds of clients in investigating and responding to an event compromising information and systems security, working closely with client resources, third-party forensic consulting experts, and law enforcement to identify the nature and scope of a compromise.
Devon Ackerman is a managing director and head of incident response for North America with Kroll’s Cyber Risk practice. Devon is an authority on digital forensics and has extensive experience in the investigation and remediation of cyber incidents from his years with the FBI as well as in the private sector. In his current role, Devon leads engagements across a wide range of industries involving investigative digital forensics, intrusion response (unauthorized access), and malware analysis.