Law firms are being targeted by cyber criminals in attacks which can cost millions and ruin reputations as client confidentiality is breached
High-profile hacking attacks on telephone and broadband provider TalkTalk and adultery website Ashley Madison have put cyber security firmly in the public eye. And from hacktivists to state-sponsored industrial spies, law firms are in the front line of the growing threat.
Over the last year, 62 per cent of law firms reported they had suffered from a security incident, up from 45 per cent in 2014, according to the latest figures from accountants PwC.
Law firms are honey pots, targeted due to the amount of sensitive client data they hold
Steve Wilmott, director of intelligence and investigations at the Solicitors Regulation Authority (SRA), reveals cyber criminals have caused substantial losses to 50 law firms this year, ranging from £50,000 to £2 million, and a further 20 firms had fallen victim to e-mail redirection scams, involving very substantial amounts of money. Government figures estimate that cyber crime costs £27 billion a year.
Stealing corporate secrets
Law firms are honey pots, targeted due to the amount of sensitive client data they hold, says Richard Cumbley, global head of Linklaters’ TMT (telecom, media and technology) and IP practice.
Heyrick Bond Gunning, chief executive of Salamanca Risk Management, says they are seen as holders of secrets. The cost of cyber security breaches can be high, both financially and reputationally.
Mr Bond Gunning warns that it is only a matter of time before a law firm suffers a TalkTalk-scale breach.
The greater sophistication and tactics of hackers, and increasing scale of the risk, has pushed the issue higher up the agenda. IT security is no longer a matter that can be left to a couple of junior techies. The risk posed, says Scott McVicar, general manager of commercial solutions at BAE Systems in Europe, the Middle East and Africa, is now being addressed at partner level and is a key business-level decision.
Taking security seriously
Richard Hodkinson, chief technology officer at Manchester-headquartered DWF, says information security is in every project plan.
“Woe betide any firm that does not take information security seriously,” adds Rhory Robertson, partner and head of the cyber investigation unit at Collyer Bristow.
The big challenge for law firms is to maintain an effective defensive posture to match an ever-evolving threat
Clients, both individuals and corporates, are taking a greater interest in the security of their chosen legal adviser. “Law firms are no different from any other supplier when it comes to cyber security. We handle information and clients are entitled to ask how we handle it and keep it secure,” says Mr Cumbley. “We expect to be asked by clients and we are regularly asked.
“Clients are increasingly doing audit inspections of suppliers and using IT security as part of the audit process. We need to demonstrate we have appropriate IT security in place and can show what we are doing in practice.”
Mr Robertson notes he has not seen evidence of clients losing confidence in their lawyers keeping their information confidential. “But then, if any firm has been hacked, they are going to keep as quiet as they can about it. I suspect that many clients simply assume their private matters are held confidentially,” he adds.
The threats come from a frightening array of sources. There are cyber criminals, like normal villains, but who use technology for their nefarious purposes, usually theft or, as with the Ashley Madison and TalkTalk incidents, blackmail.
Then there are journalists, who seek to target firms through their employees to get stories on clients, and hacktivists, political or ideological activists opposed to a firm’s client, who seek to make a statement through sabotaging its website or disabling its systems to cause the firm reputational harm and encourage it to drop the client.
Industrial spies, sponsored by national states, are also a reality, not just something out of cold war novels. There are outfits, says Mr Bond Gunning, with armies of workers who do nothing but hack blue-chip companies.
However, one of the biggest risks to IT security is internal and comes from firms’ own employees, either maliciously or unintentionally, he says.
E-mail is used by everyone and its security, warns the SRA, must be taken more seriously as it is expected to become a bigger issue of focus in 2016.
Its ubiquity already makes it a common means to stage an attack. According to the latest Data Breach Investigation Report, 20 per cent of breaches originate from phishing attacks – often digital con tricks pretending to be genuine – and more than two thirds of cyber espionage incidents have featured phishing.
These are targeted scams originated through e-mails containing attachments or links to websites infected with malware – malicious software that disrupts a firm’s computer operations or servers – giving hackers access to sensitive information.
Why is this done, asks BAE Systems’ Dr McVicar? Answering his own question, he says: “Because it works – nearly 50 per cent of users open e-mails and click on phishing links within the first hour.”
E-mail is also the most common way in which employees cause data breaches; for example, through inadvertently sending a message to the incorrect recipient. Basic security and cyber hygiene can go a long way to mitigate these risks, says Dr McVicar.
Andrew Taylor, technical director of Converge Technology Specialists, says law firms should use a system that includes encryption, scans content and detects security issues, as well as the standard anti-spam filtering services. “Staff need to be trained and made aware of potential threats, including bogus e-mails and suspicious requests for information,” he says.
And firms should have a policy of making clients aware of possible fraudulent e-mails and encourage them to check the return e-mail address, and never respond to e-mails asking for payment arrangements to be changed. In addition, there are the basics of ensuring regular password changes and using a reputable personal e-mail service.
Mr Bond Gunning of Salamanca Risk Management says to prevent accidental e-mail breaches, a two-minute delay can be put on e-mails before they are sent. “It can save a whole lot of drama,” he says, warning that if you make e-mail security too burdensome, staff may bypass it and use personal accounts, exposing the firm to risk.
“The proliferation of devices and their ability to be mass-storage devices has made management of risk more challenging,” says DWF’s Mr Hodkinson.
“Multiple devices open up new avenues for the hacker to burrow deep into clients’ confidential information,” adds Mr Robertson at Collyer Bristow.
Dark hotel is one scam that travelling lawyers should be aware of. Mr Bond Gunning explains that it is similar to phishing, attacking users’ laptops when they think they are connecting to their hotel’s wi-fi.
The simple telephone also poses risk, with so-called vishing attacks, when fraudsters obtain sensitive information over the telephone. One firm, Mr Bond Gunning recounts, said it had had 12 vishing attempts in the past month. “It happens on a Friday afternoon when people are in a rush and others, who might be able to verify information, are not there,” he notes.
Reducing your exposure
So, how can firms minimise their exposure to risk and satisfy clients their data is in safe hands?
There is no silver bullet that guarantees 100 per cent defence, says Dr McVicar. “The big challenge for law firms is how to maintain an effective defensive posture, which can evolve with time to match an ever-evolving threat,” he says. “They need to do this cost effectively so they remain cost effective in the marketplace while maintaining customer confidence and trust.”
Firms have to make a risk-based decision, understanding the level of risk and putting in place a mitigation strategy that reduces this to an acceptable level, he advises.
This means identifying the information that matters most – typically e-mail and document management systems – and putting in place a mitigation strategy that prevents the attacks you can, detects quickly attacks you can’t and respond effectively to minimise the effect of a breach in the event the attack is successful.
He says law firms should do the basics – use threat intelligence to understand the changing nature of cyber risk, develop and maintain cyber security awareness of staff, regularly patch IT vulnerabilities, use penetration testing to test security and monitor the security of their IT networks.
All this should be backed up with an incident response and business continuity plan to minimise the impact should the worst happen.
As Mr Bond Gunning concludes: “Firms spend time on prevention, but often don’t have a plan for what to do when the crisis comes. In many cases they can get away with it, if they have a good plan in place and execute it.”