Guest post: Law firms must make their staff an effective part of their cyber defence

Law firms are seen by hackers as a valuable yet soft target. 73% of the UK’s top 100 law firms were the target of cyber-attacks last year.

How would a major cyber breach affect your business?

Canadian Lawyer Magazine in 2016 speculated in relation to the breach at law firm Mossack Fonseca:

‘It’s unlikely it will survive the leak, at least in its current form. It’s engaged in a business of trust and trust quickly erodes when your clients’ affairs are laid out in world newspapers — even if you are the victim of a hack. Who will trust the firm that it won’t happen again?’

What can you do to drastically improve your cyber security and reduce the potential for reputational damage resulting from a breach? Make your staff an effective and active part of your cyber defence.

Why are law firms such an attractive target?

The breadth and depth of sensitive information law firms hold on behalf of their clients makes them an attractive target for a wide and varied range of would-be attackers. This includes:

– Criminals looking to extort money via the delivery of ransomware or the sale of personal information on the dark web;

– The theft of sensitive client information by organisations, criminals or nation states looking to gain a competitive advantage through the use of corporate espionage or acquisition of intellectual property; and

– The deliberate leaking of sensitive information for political, commercial or ideological reasons.

This list is by no means exhaustive, and none of these threats is hypothetical. In 2016 alone, law firms around the world experienced significant numbers of attacks, many with devastating consequences:

– April 2016: Mossack Fonseca had 11.5m documents leaked (at the time, the biggest data leak in history). These documents contained sensitive financial information on the tax dealings of individuals ranging from FIFA delegates to political and world leaders. [1]

– June 2016: Over a dozen law firms were held to ransom by cyber criminals using ransomware, who demanded tens of thousands of euros.[2]

– December 2016: Some of the biggest law firms on Wall Street were attacked by Chinese hackers, who made millions of dollars in profit by trading on the stolen inside information.[3]

How do the attackers break through your defences?

Figures show that the most common type of attack (84%) is phishing[4]; reducing your firm’s susceptibility to phishing will therefore significantly improve your cyber security.

Phishing is the preferred attack method because the barrier to entry is low and the success rate is high. Phishes are built around common techniques that prey on human emotions in order to provoke a response. That response can be as simple as replying to the email, clicking on a link, submitting information on a web form or opening an attachment. The themes, tone and content vary widely but often include:

– An urgent request;

– An instruction from someone in authority;

– Content to pique our curiosity; and/or

– Appealing to our compassion.

If the phish is crafted well enough it can be hard to spot, and if the subject matter is compelling it becomes even harder for the recipient not to respond to the attacker’s request.

The good news is that there are almost always tell-tale signs in a phish, and with the right training and education your staff should be able to identify them. Even if they are not sure, their training should enable them to alert the appropriate person or team that something looks suspicious or unusual. However, to identify these wolves in sheep’s clothing, staff must first understand and appreciate the threats. If they don’t, they are much less likely to adjust their behaviour to prevent a successful attack.
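As an added illustration of what some of those tell-tale signs look like when checked mechanically (this is example code written for this page, not code from the original post or from Blockphish), the Python script below runs four heuristic checks over a constructed phishing email and a constructed benign one: a sender domain that is a lookalike of the firm’s domain, a Reply-To address on a different domain from the sender, a link whose visible text points at a different host from its real target, and the lure vocabulary matching the four themes listed above. The firm domain, both messages and the word list are assumptions made for the example.

```python
"""Heuristic tell-tale checks for a phishing email.

Added example, not code from the original post or from Blockphish. The firm
domain, the two sample messages and the lure word list are assumptions made
for the example.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRM_DOMAIN = "example-law.co.uk"  # assumed firm domain

# Words for the four lure themes in the text (urgency, authority, curiosity,
# compassion). Illustrative only, not a vetted detection rule set.
LURE_WORDS = {
    "urgency": ["urgent", "immediately", "within 24 hours", "today", "asap"],
    "authority": ["managing partner", "senior partner", "ceo", "instructed"],
    "curiosity": ["confidential", "you won't believe", "see attached", "private"],
    "compassion": ["charity", "donation", "in need", "help"],
}

# Constructed phish: lookalike sender domain ("1aw" for "law"), Reply-To on a
# third domain, and a link whose visible text differs from its real target.
SAMPLE_PHISH = b"""\
From: Managing Partner <j.smith@example-1aw.co.uk>
Reply-To: payments@mail-relay.invalid
To: fee.earner@example-law.co.uk
Subject: URGENT: client funds transfer needed today
Content-Type: text/html; charset=utf-8

<html><body><p>I am in a meeting and need this done immediately. Please
approve the transfer via our portal: <a href="http://portal.example-law.co.uk.login.invalid/">
https://portal.example-law.co.uk/</a></p></body></html>
"""

# Constructed benign message from inside the firm, for comparison.
SAMPLE_LEGIT = b"""\
From: Jane Smith <j.smith@example-law.co.uk>
To: fee.earner@example-law.co.uk
Subject: Agenda for Thursday
Content-Type: text/plain; charset=utf-8

Attached is the draft agenda for Thursday's partners' meeting.
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of [href, visible_text]
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href"), ""])
            self._in_link = True

    def handle_data(self, data):
        if self._in_link:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False


def _domain(s: str) -> str:
    """Lower-cased host of a URL, or the domain part of an email address."""
    s = s.strip()
    if re.match(r"https?://", s):
        return (urlparse(s).hostname or "").lower()
    if "@" in s:
        return s.rsplit("@", 1)[1].lower()
    return s.lower()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-or-two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phish_signs(raw: bytes, firm_domain: str = FIRM_DOMAIN) -> list:
    """Return a list of human-readable tell-tale signs found in a raw email."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    signs = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    # 1. Sender domain close to, but not equal to, the firm's own domain.
    if from_dom != firm_domain and 0 < _edit_distance(from_dom, firm_domain) <= 2:
        signs.append(f"sender domain {from_dom!r} is a lookalike of {firm_domain!r}")
    # 2. Replies routed to a different domain than the one the mail came from.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        signs.append(f"Reply-To domain {_domain(reply_addr)!r} differs from From domain {from_dom!r}")
    # 3. Link text shows one host while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        if href and re.match(r"https?://", shown.strip()) and _domain(shown) != _domain(href):
            signs.append(f"link text shows {_domain(shown)!r} but href goes to {_domain(href)!r}")
    # 4. Lure vocabulary in the sender name, subject or body.
    haystack = " ".join([str(msg.get("From", "")), str(msg.get("Subject", "")), text]).lower()
    for theme, words in LURE_WORDS.items():
        hits = [w for w in words if w in haystack]
        if hits:
            signs.append(f"{theme} lure: {hits}")
    return signs


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phish_signs(raw) or ["no signs found"])
```

None of these checks is conclusive on its own (legitimate mail does use Reply-To, and "urgent" appears in honest subject lines), which is exactly why the text argues for trained people rather than rules alone: the script flags the same things a well-trained reader would notice, and a reader can also weigh the context the script cannot.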

It is the recognition that it is everyone’s responsibility to identify these threats and protect the organisation from them that is missing in many firms. Cyber security is often seen as someone else’s responsibility: the IT team, the compliance team or the security team. There is a mistaken belief that the firm’s firewalls and anti-virus will protect it. Whilst this is always the hope, history and the news are littered with examples of companies where this wasn’t the case, not through any fault of the technology or the way it was implemented, but because the attackers found an easier entry point: the staff.

To combat this, communication campaigns highlighting everyone’s cyber security responsibilities can be effective, depending on the culture of the firm. Sometimes, however, this needs supplementing with a more formal approach in which these responsibilities are written into every staff member’s job description. This isn’t meant as a “stick” approach; quite the opposite. Staff need to feel empowered to take ownership, and to know that doing so is within their remit.

Once the basic principles of responsibility and ownership are instilled, the next step is to give your staff the knowledge and confidence to recognise the threats. Many firms believe they provide this via their once-a-year compliance training. However, experience shows this can offer a false sense of security: whilst compliance training provides a tick in the box for the firm to pass an audit, it rarely changes behaviour throughout the firm.

For a threat as prevalent as phishing, 1-2 hours of generic training a year simply isn’t enough.

So what is the answer?

Good cyber behaviours and practices need to be embedded and reinforced every day within the culture of the firm. To achieve this, having the right awareness programme in place is critical. It must be an ongoing engagement that is measurable, regular, concise, adaptive, personalised and appropriate, and its content must be relevant to the threats your firm faces.

Subject areas can also cover non-corporate topics such as securing a Facebook profile or guidance on online shopping. By making some of the material relevant to people’s personal lives, you make them more likely to carry those good behaviours into their working lives.

Finally, using gamification techniques to make the programme competitive and engaging helps knowledge to be retained.

Starting out by addressing a single risk area such as phishing is a great way to effect real behavioural change. Once embedded, it can then grow to include other risk areas such as password security, social media, information handling and other relevant subject areas.

Ethical (simulated) phishing campaigns provide a good source of benchmarking and trend analysis, as well as evidence of return on investment. By establishing a baseline at the outset, you can follow up regularly with ‘all staff’ campaigns and with targeted campaigns against specific teams or individuals (spear phishing) and against senior staff (whaling), based on the risks you face.
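As an added example of what such a campaign can measure beyond the headline click rate (example code written for this page, not code from the original post or from Blockphish), the Python snippet below computes per-campaign and per-team metrics from constructed simulation results and reports the change from the baseline. The result records, team names and timings are all invented for the example.

```python
"""Metrics for simulated (ethical) phishing campaigns.

Added example, not code from the original post or from Blockphish. All
campaign records below are constructed for the example.
"""
from statistics import median

# One record per recipient: (team, minutes_until_click, minutes_until_report).
# Minutes are measured from delivery; None means the action never happened.
CAMPAIGNS = {
    "baseline": [
        ("litigation", 3, None), ("litigation", 7, None), ("litigation", None, 40),
        ("finance", 2, None), ("finance", 5, 9), ("finance", 12, None),
        ("support", None, None), ("support", 4, None), ("support", None, 55),
        ("partners", 6, None), ("partners", 1, None), ("partners", None, None),
    ],
    "quarter-2": [
        ("litigation", None, 6), ("litigation", None, 11), ("litigation", 9, None),
        ("finance", None, 4), ("finance", 3, 5), ("finance", None, 8),
        ("support", None, 15), ("support", None, None), ("support", 2, 3),
        ("partners", 8, None), ("partners", None, 7), ("partners", None, None),
    ],
}


def campaign_metrics(records):
    """Rates and timings for one campaign (or one team's slice of it)."""
    n = len(records)
    clicked = [r for r in records if r[1] is not None]
    reported = [r for r in records if r[2] is not None]
    # Reporters who never clicked, or who reported before they clicked: the
    # behaviour that gets a real campaign in front of the security team early.
    report_first = [r for r in reported if r[1] is None or r[2] < r[1]]
    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        "report_before_click_rate": len(report_first) / n,
        # How long until anyone told the security team: the detection lag a
        # real attacker would enjoy.
        "minutes_to_first_report": min((r[2] for r in reported), default=None),
        "median_minutes_to_report": median(r[2] for r in reported) if reported else None,
    }


def by_team(records):
    """Same metrics broken down per team, to target follow-up campaigns."""
    teams = {}
    for rec in records:
        teams.setdefault(rec[0], []).append(rec)
    return {team: campaign_metrics(rs) for team, rs in teams.items()}


def trend(before, after):
    """Signed change in each rate between two campaigns (negative click trend is good)."""
    b, a = campaign_metrics(before), campaign_metrics(after)
    keys = ("click_rate", "report_rate", "report_before_click_rate")
    return {k: round(a[k] - b[k], 3) for k in keys}


if __name__ == "__main__":
    for name, recs in CAMPAIGNS.items():
        print(name, campaign_metrics(recs))
        for team, m in by_team(recs).items():
            print("  ", team, f"click {m['click_rate']:.0%}, report {m['report_rate']:.0%}")
    print("trend", trend(CAMPAIGNS["baseline"], CAMPAIGNS["quarter-2"]))
```

The design choice worth noting is that the report rate and the time to first report are tracked alongside the click rate: a firm where a few people still click but someone reports within minutes is in a far better position than one where nobody clicks and nobody reports, because it is the report that lets the security team act on a real campaign.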

There are some key foundations that must be at the heart of your staff cyber awareness programme:

– Stakeholder buy-in and sponsorship: the partnership must be behind the programme, and included in it, for it to be a success, as the partners set the tone for the whole firm. Equally, they are often the biggest targets for threats such as whaling (highly targeted phishing attacks aimed at senior executives).

– Communication: ensure you talk to your peers and gain their buy-in, as HR, training, legal, compliance and many other areas will all have a role to play.

– Champions: Have champions throughout the firm to help spread the word, maintain momentum and share the workload. These champions can come from anywhere in the firm and the more diverse the better. You’ll be surprised by the passion that people can bring to cyber security if it’s delivered in the right way and they feel it’s relevant to them.

– Recognise people for the right behaviours: The carrot is always better than the stick and recognition can take many forms.

To summarise

Your staff should be one of your strongest defences against cyber-attacks. However, to make the most of their capabilities and to reduce their vulnerabilities, your staff will need to:

– Feel it is their responsibility to understand the threats the firm faces;

– Feel confident they have had the necessary training to know what to look for in a potential attack;

– Be vigilant in spotting attempted attacks; and

– Be diligent in reporting anything suspicious.

Investment in the right technology to protect your firm is very important, and many law firms have robust technical defences, but can the same be said of your staff? Only with both robust technical defences and a cyber-aware workforce, with a cyber security culture embedded, can you be confident of your ability to be resilient to the cyber threats your firm faces.

Daryl Flack is co-founder and CIO of Blockphish, which helps organisations to improve their resilience to phishing attacks.

Note: We do not carry advertorials or charge corporates for posting comments with genuine editorial value.