Soft targets for cyber criminals
As corporations wake up to the danger of cyber attacks, a surprising weakness has emerged as a threat to their most confidential data – their law firms.
Combating cyber threats may require a different approach, as law firms emerge as a weak link in clients’ risk management armour. There is growing evidence cyber criminals are targeting lawyers, who as a group tend to have weaker cyber security than their clients.
A recent survey found UK law firms less confident than other sectors in the ability of their in-house IT systems to withstand cyber attacks. Worryingly, the sector reported the highest proportion of victims of cyber crime, with financial services a distant second.
In a changing cyber crime-scape, hackers are turning their attention to softer targets that can offer easier access or, sometimes, even a wide-open backdoor. Law firms fit this brief. Lawyers are being targeted for two primary reasons – they hold valuable client data and tend to operate with relatively lax IT security.
There is evidence lawyers have been hacked to uncover the details of mergers and acquisitions before they happen (to facilitate insider trading), to understand the details of competitive auctions (to improve a bidder’s likelihood of success), and to gain advantage in litigation.
The aborted $40-billion takeover of Potash Corporation of Saskatchewan by Australian natural resources giant BHP Billiton is one high-profile case, in which seven law firms reportedly came under attack. While the actual facts may never be known, experts believe the attack bears the hallmarks of state-sponsored espionage, perhaps as an attempt to derail the acquisition in favour of a local, Canadian competitor.
The profile of hackers has also changed. In the early days, hackers were typically opportunistic individuals looking for peer recognition; nowadays they are more likely to have links to organised crime, political causes or state-sponsored espionage.
Most law firms recognise the importance of safeguarding data, from a legal, commercial and reputational perspective, but in a world where multi-platform technologies and mobile devices have become commonplace, the potential risk of suffering a data breach has increased exponentially. The question is no longer if, but when, an organisation will suffer a data breach.
What causes the lax security at many law firms? First and foremost, law firms have not been prioritising IT security. Partnerships often are not interested in spending the money on security and partners do not want the reduced convenience that good security requires.
Lawyers expect to be reachable and connected, whenever and wherever they are. But constant connectivity comes with risks – the easier it is for a lawyer to access data remotely, the more opportunities there are for a hacker to also obtain such data.
Clients and law firms must work together to develop effective strategies and cultures to combat cyber threats, and there are seven common themes and basic steps that should be addressed.
1. Prioritise IT security
Firms must view cyber security as an urgent and business-critical issue. Unless senior managers believe that preventive security measures are crucial, they will not be implemented. Organisations should designate a chief security officer, who will co-ordinate security and the response to any breach.
2. Segregate and limit access to sensitive data
Across most organisations, and law firms in particular, many more people have access to sensitive data than actually require such rights. Data should be segregated and permissions set so that sensitive information is available on a need-to-know basis. This strategy reduces the risk of rogue employees stealing the data and also makes an external hacker’s job harder.
This step is particularly difficult for law firms, which have long cultivated a professional culture where people liberally share knowledge and work well beyond the inner circle of any given case. Firms have to carefully balance the need for data segregation with the need for knowledge sharing. Law firms have a particular challenge in this respect, with independent research suggesting they face a greater cyber threat from their own employees than organisations in any other industry sector.
3. Encrypt data
Clients should ensure sensitive data is encrypted, which makes it unreadable by anyone without a special key. This makes it much harder for even a successful hacker to obtain the underlying data and prevents data loss if a laptop or other mobile device goes astray.
4. Train employees on preventing and responding to hacking
How do you stop a user from clicking on an innocent-looking link in a phishing e-mail, which may activate malware to log keystrokes, copy e-mails or even record phone conversations? Education, ongoing training and regular tests to check employees’ response to a fictitious phishing attack will help address this issue. As part of developing a culture of awareness, firms should also focus on creating an understanding among staff of how and when a suspected breach should be reported.
5. Require the use of strong passwords
Many people use very weak passwords, opting for “password”, “123456”, or common names or words that appear in a dictionary. Using a dictionary attack, which cycles through the possibilities most likely to succeed, hackers can quickly break such passwords. The use of strong passwords will dramatically reduce the risk of this type of attack.
6. Prepare an incident response plan and team
Part of any security system is creating an incident response plan to mitigate any damage after a breach occurs. If the roles and responsibilities of the team responding to an incident are unclear in advance, opportunities to mitigate the attack will be lost during the time it takes to organise the team.
7. Test and revise the incident response plan frequently
Computer networks and cyber risks are constantly evolving, and the security plan must be kept up to date. Failure to keep the incident response plan current will quickly render it ineffective, and periodic audits should be carried out to identify and secure weaknesses. However, the process does not end there. All users, at all levels, must also be reminded and re-educated about the constantly evolving threats.
Lawyers have become so focused on the convenient use of technology that many have overlooked the risks that come with this convenience. However, there are signs firms are starting to realise that this is untenable and may soon have no choice but to take cyber security threats seriously. In the meantime, clients must work with their legal advisers to safeguard personal information, intellectual property and sensitive commercial information and, in the event of a successful attack, mitigate the potential damage.