The revelation that a Russian hacker targeted elite UK and US law firms to steal mergers and acquisitions information for insider trading, coupled with the Panama Papers scandal, has put law firms’ data security under the microscope
Targeting the “trusted adviser” is becoming an increasingly common tactic among the hacking community, which is waking up to the fact that many law firms do not yet have good cyber defences despite the value of the information they hold, and the extent of their client and office accounts.
Given the scale of attacks – cyber crime was included in the Office for National Statistics figures for the first time last year and is now officially the UK’s most common criminal offence – it is not surprising that clients are increasingly checking that their law firms aren’t the weak link in their security chain.
Mark Jones, Allen & Overy’s chief information and security officer (CISO), has seen a 300 per cent increase in requests from clients for assurances about the firm’s controls. “Major clients will send in their own IT people to audit our systems, with some even carrying out their own penetration testing,” he says. “The number of questions clients are putting to us has also gone up by a third on top of the hundreds they are already asking.”
At the same time, the personal data protection landscape is changing. The Information Commissioner’s Office (ICO) maximum fines of £500,000 will pale in comparison with the new European Union data security regulations, which come into force in 2018, with fines of up to 2 per cent of global turnover or €10 million.
So do law firms need a wake-up call? PwC’s Annual Law Firms’ Survey last year found 62 per cent had suffered from a security incident, up from 45 per cent in 2014. However, only 32 per cent felt very confident of their IT disaster recovery capabilities and only 49 per cent of senior management had participated in relevant training.
Attacks can come from any quarter so it is vital, says Mr Jones, to know “where your vulnerabilities are before your enemy does and identify your main risks so you can work out who your adversaries may be so you can prioritise your response”.
Recent attacks show how hackers can blindside their targets. The self-styled “John Doe”, who exploited weaknesses in the computer system at Panamanian law firm Mossack Fonseca to leak the largest-ever cache of 11.5 million documents, wanted to trigger worldwide political and business repercussions.
Sony was left embarrassed by the content of leaked e-mails, while an extortion hack demanding the infidelity website Ashley Madison close down resulted in the exposure of millions of e-mail addresses. Big corporates are mined for personal data to be sold to criminal gangs.
New York security analysts at Flashpoint, who revealed the Russian M&A hacking attempts, describe a dark web where hackers are recruited and forums exchange counter-intelligence to outfox law enforcers.
But what all hackers want, whether they are state-backed, highly organised criminals or opportunists who have learnt how to spoof an e-mail via a YouTube clip, is to find the easiest route in and law firms make attractive targets because their unique selling point is their people.
Hackers getting cleverer
Benedict Hamilton, who leads Kroll’s Europe, Middle East and Africa business and cyber investigations team, says about 90 per cent of losses of confidential information are, deliberately or inadvertently, by insiders – recently departed employees, people in the “circle of trust” such as sub-contractors or disaffected partners.
But many attacks succeed because a partner or employee has been tricked into clicking on a compromised link or is foolish enough to log on to sensitive work systems on insecure wi-fi or personal devices, he says.
And he warns that the hackers’ tradecraft is becoming increasingly clever. “Hacking is all about getting a fingerhold and then escalating your privileges so you can hack into the computer at will,” says Mr Hamilton. Phishing e-mails remain a favourite, but increasingly hackers will research a target’s digital profile for a way in. They may impersonate a partner’s e-mail and send a colleague a link to a draft marketing brochure wrapped around malware.
“You click on the link and I am in your machine,” he says. One defence is to have a very good detection and response system with competent staff looking out for warning signs. “Simple as that sounds, we spend a lot of time helping people develop that capacity because, on some of the most destructive hacks we have investigated, the alarms were there, but no one was paying attention,” he says.
One of the most common ways into a firm is via its suppliers, so it is critical to secure the supply chain. “We have tried to investigate breaches where clients haven’t had the right contracts in place and the third party won’t let us access their system,” says Mr Hamilton. “That would be very embarrassing for a law firm to get wrong.”
Allen & Overy’s Mr Jones says ideally firms should have a perfect map between all the people who work for them and everyone who is on their network. “But in large global organisations there are lots of joiners, movers, collaborators, temporary contractors and leavers so you need to work closely with human resources to make sure access is tightly monitored.”
There is certainly no silver bullet to mitigate cyber security threats, says Simon Viney, cyber resilience director with risk management specialists Stroz Friedberg.
While predictive technology and people analytics are increasingly helping organisations understand employee behaviour and identify insider risks, firms need to build a culture of cyber resilience from the top down because absolute security is unattainable.
The scale of the risk means cyber security can no longer just be managed as part of the IT function; it needs leadership with real clout across the firm and there is a move among bigger firms to take on dedicated risk professionals.
Mr Jones, who took over the newly created role in February, previously worked as CISO for BAA Group Heathrow and as a provider of security services including at the London 2012 Olympics.
“We want the very best, but there is a shortfall of fully qualified people,” he says. “What I am pleased to do here is help our people develop by sponsoring them through PhDs in cyber security.”
Keeping on top of the challenges is critical because it will help limit any potential fallout. On the regulatory front, the Solicitors Regulation Authority expects firms to contact the authority if there is a breach of the code of conduct, such as not keeping a client’s information confidential, and it will want evidence that the breach has been dealt with and systems improved to stop it happening again.
At the ICO, Garreth Cameron, group manager for business and industry, says there is currently no legal requirement to self-report a security breach involving personal data, though this will change in 2018 with the EU regulations which make reporting mandatory within 72 hours.
Once a breach is reported, he says the ICO will want to know any aggravating or mitigating factors. It has a team of technical experts who know what to ask and any degree of recklessness or negligence will be reflected in the fine which it will publicise widely. “In a competitive market, if your clients cannot trust you, you are lost,” he warns.
But, however resilient you are, some attacks will succeed, so it is crucial to have a well-rehearsed crisis plan.
“If you are attacked, the first thing is to assess how bad the damage is and then get information out to those clients who are affected,” advises Alex Cochrane, senior associate with Collyer Bristow’s media and privacy team, “Be upfront about what has happened, what you are doing and how you will prevent it happening again – and apologise.”
Firms’ professional indemnity (PI) insurers will also want to be kept informed, given the potential for legal and regulatory action.
Costs can escalate dramatically. While PI policies provide some cover for third-party losses arising from cyber attacks, they do not typically cover first-party losses. There is dedicated cyber insurance on the market, but it is still unchartered waters for insurers so premiums tend to be high. Anecdotal evidence indicates only a minority of larger firms have taken it out so far.
Against such a fast-moving background, there is no one-response-fits-all option, but firms don’t have to fight this alone.
The Law Society’s dedicated cyber security site has been viewed more than 4,300 times already this year, while forums, such as the government’s confidential Cyber Security Information Sharing Partnership, are increasingly recognised as an important line of defence.
What is clear in today’s information world is that it is dangerous to underestimate the magnitude of the risk law firms face.
FIVE TOP CYBER SECURITY TIPS
01 Assume you may be targeted at some point so identify the greatest risks and likely attack points. Understand what sensitive client data you hold, encrypt when in transit across unprotected networks and minimise the volume retained when it’s no longer required, says Simon Viney of Stroz Friedberg.
02 Raising awareness across the firm is probably the cheapest and most important step because so many breaches involve people being caught out by scams. If you are attacked, investigate aggressively so you don’t get a reputation for being a soft target, says Benedict Hamilton of Kroll.
03 Have a well-rehearsed plan so you can quickly assess and contain the problem. Then put out an informative message to clients before considering a general press release. Handle it well and you can limit reputational fallout, says Alex Cochrane of Collyer Bristow.
04 Firms should consider joining the Cyber Security Information Sharing Partnership, following GCHQ’s Ten Steps to Cyber Security and acquiring Cyber Essentials or Cyber Essentials Plus certification, says Catherine Dixon of the Law Society.
05 You can know your vulnerabilities, identify potential adversaries, have the most gobsmackingly pure, cohesive strategy and great relationships with the senior team, but you won’t perform to your best capability if you don’t have sufficient resources, says Mark Jones of Allen & Overy.