The days of law firms needing to be reminded of the importance of investing in appropriate cybersecurity solutions or how much of a target they are have long gone, but greater awareness has not been matched by greater clarity over how much is ‘enough’, when the risks are sky high, but the budget is finite.
In a roundtable discussion hosted in conjunction with Accenture, Legal IT Insider brought together a handful of high profile CIOs or COOs from firms including Dentons; Baker McKenzie; Clyde & Co; Herbert Smith Freehills and Ashurst to discuss some of the biggest security issues facing the legal industry today, and to get input into the datapoints needed for a cyber benchmark for legal industry. We were privileged to have at the meeting Kelly Bissell (pictured), the global head of security at Accenture, who prior to our gathering was at a not dissimilar dinner with the head of GCHQ, the head of National Cyber Security Centre, and the former head of MI5 and MI6.
Setting out some of a few objectives at the outset of the discussion, Marcel Henri, global CIO at Dentons said: “I’ve been at Dentons for nearly 18 years and obviously a lot has changed during that time. At Dentons at present we have around 15,000 lawyers around the world, which inevitably presents challenges and opportunities, not least from a security and data privacy standpoint. What I’d like to get out of today is some kind of scorecard or rating with a number of baseline requirements so that we can assess the degree of sophistication and maturity of security platforms.”
Haig Tyler, CIO at HSF, said: “For me it comes back to the fact that we need a technology operations baseline of what is good enough. In terms of managing infrastructure security, those sorts of things are pretty well defined. But the whole pushing out into the cloud is an area where I’d love for us to be able to define some more comfortable benchmarks, baselines and approaches.”
Leading cyber solutions and employees such as chief information security officers (CISOs) do not come cheap – why would they in the current environment? But for CIOs trying to convince their boards to raise levels of investment it isn’t easy and the focus has shifted from building castle walls to how to prevent or pick up the pieces when the next member of staff falls for a phishing attack.
At Ashurst, outgoing global IT director Bruna Pellici said: “[Cyber] doesn’t come cheap: it’s expensive and how do we fix the gaps with technology when people are still your weakest link?”
While lawyers are among some of the brightest people on the planet, many are notoriously uncompromising and still put the need to act quickly ahead of security considerations. Chris White, global CIO of Clyde & Co said: “The thing that always intrigues me working with lawyers is that they spend their lives working with highly confidential material and if anyone should understand the nature of and the value of data it’s them, but so often they don’t act accordingly.”
That is in spite of the fact that law firms are viewed as the soft underbelly of UK PLC; Rick Hemsley, managing director for Accenture Security Practice, reporting to Bissell, said: “Ultimately we look at the supply chain: the ecosystem around organisations become the root in to attack. If I wanted to attack an oil giant or a drug company to get market sensitive data I would attack the law firm because it will typically be far simpler than attacking the organisation itself.”
Law firms have already been publicly embroiled in full scale cyber attacks as in the case of DLA Piper, or suffered leaks as in the Panama Papers that ultimately led to the downfall of Mossack Fonseca – the only surprise in that case, was that it took so long.
Gareth Ash, deputy CIO at Hogan Lovells said: “In DLA it was quite a wakeup call for all of us in the legal industry since it’s the first time you’ve seen law firms spread across the front pages of the broadsheets and the BBC website. For me it’s not just a question of ‘if’ but ‘when’, so not just defending the perimeter but how quickly can you detect something. If you are hit you want to ensure you had done as much as possible to protect yourself.”
This is made no easier when client demands, which often force a certain discipline on an industry, are inconsistent. Simon Thompson, COO at Baker McKenzie said: “I’ve consulted and worked in a number of law firms and sometimes we will not use cloud services because the clients says we can’t. But then you go to another law firm and they use cloud services but have the same set of clients.”
The client
Information security starts with the client, which should be central to any assessment of appropriate risk parameters.
Pellicci said: “You need to understand the type of information that you are dealing with and the markets that you are working in and consider the risk appetite of the business. You need to consider risk tolerance and how you achieve the relevant environment with the right mix of technologies, policies and procedures, governance is key. Information Security isn’t only about technology.”
Hemsley added: “From my experience, law firm tolerance has to be in line with the business and clients that they are working with.”
The fact that clients send mixed messages means that one law firm’s interpretation can be vastly different to another, particularly when it comes to cloud services, and Thompson adds: “What I’m genuinely confused about is that two global law firms can come up with two sets of answers to the same question.”
Clients may refuse to entertain the idea of a law firm providing a cloud-based service when they themselves are ‘in the cloud’.
Bissell said: “Not only do we have our own internal tolerances of risk, so do our clients, and clients do have double standards sometimes. Because they have different risk tolerance for third parties than they do themselves.”
Some obstacles can be overcome via old fashioned communication and White said: “A lot of it comes down to your relationship with the client. There are certain government departments who require you to tick every single box otherwise they won’t deal with you. I have come across this time and time again and where the client asks for something and you can’t tick that box but you can have a discussion with them. What they are interested in is that you have thought about your cyber security in a professional manner and that you’re not taking it lightly. So, if they say “Are you ISO-accredited” and we say we are not, we can say, ‘however, this is what we are doing” and then they are satisfied. So, I think it’s often used as an excuse.”
White adds: “CIOs also need to be more robust. If someone comes and tells me that we can’t go to the cloud I explain that going to the cloud is no different to bringing in any other service I’d argue very strongly that in many occasions, it’s more secure.”
The cost
While the amount spent on cyber must be in proportion with the overall budget, there is also now a huge cost associated with not spending enough. Henri said: “It’s not just the cost of doing this, it’s the cost of not doing it. We can’t underestimate the marketing value of cyber security. I’m sure everyone spends a lot of time talking to clients. We’re all pitching for the same panels and in my experience GCs all now want to talk about two things: predictably and security. It’s not just a question of how much is enough. If you don’t do it properly you are not going to win business, you’re going to lose business.”
Bissell, who specialises in breach incident response and privacy and data protection, said: “It’s a big challenge in the market because if you’re a big bank, they are spending a billion dollars in security and no law firm is going to do that.”
Law firms spend 1-3.99% of their turnover on technology according to ILTA’s 2016* technology survey, but typically the Magic Circle and large global firms spend around 4.5-5%, which is high compared to other industries and sectors.
Hemsley said: “In the consumer goods sector it will be around 2%.”
Competition from cyber for that budget is growing and Bissell said: “I want to offer a couple of ranges of percentages, because if you are a law firm that just does paperwork, nothing electronic – that doesn’t exist but for argument’s sake – you don’t need much cyber security technology. But if you’re a law firm like most of us who are really almost all electronic, then there is a percentage that you should be spending as a percentage of IT spend. And the ranges I would offer is if you’ve got nothing you’re going to spend a lot to catch up and that’s in the 10 to 15% range or even 20% of your IT spend, which is gigantic. And if you’re already mature in your security then it will be lower than that, in the 3 to 5% range but those are just guidelines, because everyone is different.”
Tyler said: “It’s got to be case driven how you build that spend up. You can spin whatever you want with numbers and percentages and benchmarks, just go and read any Gartner paper. I just think about what we’re doing now, think about the level of effort we now put into patching, which is probably a quantum leap above the level of effort four or five years ago. And multiply all those those heads and outsourced contracts and all that bit you’re paying extra for because you’re patching more regularly and there are a whole load of costs over and above the security costs.”
Other significant added costs include the appointment within many firms of a dedicated CISO, and performing background checks, which until fairly recently was uncommon in the legal sector.
Henri said: Security spend is split across three different budgets. There’s the cyber budget. The compliance budget in risk. And this year we appointed a global security officer who will be in charge of travel security and physical security. We’re investing in background checks which we hadn’t done previously – are we hiring the right people? Are we hiring someone with a criminal record?”
“It’s still common to not perform a check?” asked Bissell. “It is becoming more common,” said Thompson.
Ash added: “It’s appearing on client audits too. Clients have asked about lawyers and staff all round the world. You can’t do full background checks in some countries, but lawyers have to have passed the bar.”
Insider threat
Even when staff are thoroughly vetted, that is no guarantee that behaviour won’t slip.
Ash said: “The awareness is far better than it used to be but the partner and associate on the line just want to get the deal done and that’s where the risks can arise if eg they send an email to their Gmail; it’s not necessarily malicious.”
The pressures of life also mean normal people do misbehave and Bissell said: “One of the main drivers of people doing bad things is the stress of marriage and financial troubles – they do things that they wouldn’t normally do.”
Insider trading cases have proliferated: one of the best-known occurred at Foley & Lardner, where former partner Walter “Chet” Little received a 27-month sentence for insider trading, after profiting from trading on corporate announcements that were yet to become public.
Hemsley said: “There are some great stats around insider risk versus external threat and one of those that was presented at a conference I was at is that 56% of breaches are caused by insiders either maliciously or accidentally. People don’t typically join an organisation with malicious intent but then there are stresses that drive behaviour and it’s incumbent on us to have the right cultural behaviours in an organisation to recognise where we see those risks happening to then intervene because if you intervene at that point, you minimise the chance of it becoming an unfortunate incident. Understand how your insiders are behaving. Train your people, patch what you’re doing and watch what your people are doing.”
There has been a real shift from building your castle walls to watching how your people behave on the inside and Ash said: “The emphasis has turned to insider threat products as someone could get in or already be in and it falls to us to be able to detect those things quickly and we’re certainly looking at more investment in this space.
“The difference is that in other sectors you can mandate a lot of things and lock them down which is a challenge in a professional services firm as over 50% of the firm are lawyers and they need to be able to transact with clients.”
Pessimistic security
Law firms are still deeply divided when it comes to whether they have to lock down their document management system internally, including a certain amount of division within our roundtable.
Henri, who began the process of restricting access to the DMS in 2016 said: “I’m not sure we have any choice. There’s a metaphor I’ve used over the past few months, which is that it’s difficult to get into the castle but once you’re in it’s a hotel and you can wander around the lobby but you once you get in, you can only get into the rooms for which you have a key. There was an article in your publication pessimistic security and I think all firms will have to go down that route.”
Legal IT Insider in 2016 first floated the idea that all law firms will have to move to a pessimistic security model, thanks in large part to conversations with Henri and (separately) iManage.
At the time, the idea was met with huge resistance from UK CIOs, but since then UK top 20 law firm Bird & Bird is among those to opt for a restricted DMS approach, as we first revealed in September 2017.
Technology is evolving so that you can extract and share knowledge and experience on an anonymised basis and here Bissell shed some light on best practice outside of the legal sector, particularly among the Big Four, commenting: “The audit firms have succeeded in not breaching client confidentially but deriving value from that data: the Big Four have done particularly well at that.
“Using data analytic skills to say ‘do we see data trends across our clients across a sector or geography’ they get data scientist to look at that not auditors. So, this is where the professional services and the technology come together to bring a different value than they ever could before independently.”
Henri commented: “We’re doing it in two different areas and it’s not a panacea but we’re doing it in the credentials space so when you’re pitching what’s the expertise we can find for a pitch and the expertise space – when you’re very big people don’t necessarily know each other and you can’t just go crawling through a public file you have to look at the narrative and matter descriptions and use machine learning.”
However, many firms are unnerved by the impact this will have on global collaboration efforts Pellicci said: “You’ve got to look at how lawyers work. We’re trying to create synergy between global teams and we do have information barriers if needed but how much do you really need to lock things down?”
White added: “Law firms are based on sharing knowledge and the challenge as you grow and globalise is how does the lawyer in London know what the lawyer in Sydney is doing so we’re not reinventing the wheel the whole time. We’ve invested so much money in sharing that knowledge to then lock it all down.”
Bissell said: “This also has been solved. McKinsey is superb at knowledge management but protecting client confidentiality. I do believe that knowledge management and communities of practice, whether specialist in an industry or whatever the industry is this can be solved.”
Best practice
With law firms anxious to gauge best practice outside of the industry, we asked Bissell for guidance on some of the minimum cyber practices and solutions that law firms should have in place.
“Yes, we can open up that Pandora’s Box,” Bissell said. “Because best practice for law firm A may not be the same as best practice for law firm B and it does depend on what you have, like cloud or not cloud and those sorts of things. But I would suggest that there are some very basic, elementary things that all leading practices should have and that is:
multi-factor authentication, not just user IDs and passwords but multi-factor even out of bands, so text, cell phone or some other sort of function.
A controlled matter management function, document management, so that you know who has access and who doesn’t have access and then all that logging. I can’t tell you how many times I have seen clients that no logging is turned on. So even when something occurs, you don’t even know.
I wouldn’t waste a whole a lot of time in more firewalls or more castles. It’s really the detection that we have to do and I suggest that you come up with ten and only ten scenarios. Meaning, we want to prevent X from occurring. Like, we want to prevent everyone from downloading all matters. And I’m just making up stuff, right? And then create the protective and the detective controls to prevent those ten things. Don’t do 100, just 10, okay? There are probably 10 off the top of my head I could probably come up with.
Being aware of who the adversary are is key and to understanding the risks and Bissell said: “There are four attacker types:
There is the insider. That is the lawyer trying to do stupid things even if that person is trying to leave the law firm and take a bunch of clients with them.
There is the nation state that you are not going to defend against no matter what. And maybe that your target, your client is the pharmaceutical company that is producing new clinical trial results and China wants to know exactly what that result is or that new research, that new intellectual property that you’re filing, whatever that issue is.
There is the person who is trying to do what we call front running. For a company to go public, maybe their financials or M&A activity or joint venture or all these things that you do as a law firm, they want to know so that they can trade on that information publicly before it’s released. So again, that’s front-running.
And then there is still that hacker in his mum’s basement. It still happens.
He adds: “And I think that we need to think like a bad hacker, these four types and create those scenarios.”
10 Scenarios
Distilling your scenarios down from 10 can help to clarify minds and Hemsley added: “I was with the CISO for one of the large critical government departments last week and he very much kind of said the same thing. We’ve got our ten scenarios and that’s what every project, cloud or whatever kind of comes against, but then he said we distil it down to five, and then we distil it down to three. So, they have a fixed Post-it note that goes at the side of every whiteboard when they start talking about projects and it’s very much: these are the top three scenarios that will put us in the front of whatever newspaper that we don’t want to be in the front of. Does what we are about to do are fit within these? Great. Then it’s the five, then it’s the ten. So, they take very much that same approach of that government department.”
Patching
Patching has traditionally been something that law firms don’t do immediately for fear it will break something, but Bissell said organisations no longer have that luxury: At his dinner with GCHQ, NCSC and the former head of MI5 and MI6 he says: “We all agreed that most of the attacks we see are still elementary such as systems that are not patched. We better move our mentality from patch when you can to ‘you better patch now’ even at the risk of breaking things I think we have to do that.”
Logging
Firms also need to ensure that they keep secure logs and Hemsley said: “A number of times I’ve seen where there’s been a data breach and we’ve been involved in trying to help organisations deal with that problem and if it’s cloud or if it’s within on premise. Logging, having secure logs, having them in a way that you can actually interrogate is quite key. If you have logs that are sitting on the box that’s been attacked the first thing I’m going to do as a hacker is clear that log. So, have the right infrastructure in place to understand the breach.”
Hunting and beaconing
Vast quantities of leaked data is available on the web and organisations invest in paying the likes of Accenture to find it. “We call it hunting,” says Bissell. “We hunt inside and out of the dark web for information.”
However, an emerging practice is ‘beaconing’, and Bissell says: “There is something we should look at, particularly for law firms, which is beaconing. There is capability that you can enter documents, knowing that document has left your enterprise, that you can ‘call home’ so to speak. That’s an advanced and emerging practice that’s going on right now.”
Cyber as a service
With so much to think about and potentially limitless costs to obtain the best cyber systems and coverage, it is unsurprising that the market is moving towards a cyber as a service model.
Bissell said: “That’s where the market is going because no one firm no matter how big you are, not JPMC or Goldman Sachs or HSBC or Barclays no one firm can solve the problem alone. In my 28 years in security – much of which was before it was ‘cool’ – the market in security is moving towards this as a shared service model, not outsourced.”
Ashurst last year signed a security operating service and Pellicci said: “The idea is that they will help us put the different layers on top because while we have information security staff it’s not our area – it’s not a law firm’s area – and we don’t have the capacity to keep the tools up to date.”
Cloud
The arguments for cyber as a service also apply to cloud, where organisations such as Microsoft and Amazon are ploughing billions into their security arrangements and hiring the brightest minds. What was once seen as risky is increasingly regarded as a more secure option than on premises.
Asked to advise on a framework for moving to the cloud and whether it’s more or less secure, Bissell said: “At Accenture we’re 80% in the cloud. It depends on what you want to put in the cloud and what you want to keep on premises. There isn’t one recipe. I do believe the cloud is more secure but there is a major problem among cloud providers: Microsoft; AWS; Google even, that they are not part of your security team and they need to be more engaging. They take no risk, and no responsibility and the CIOs and CISOs need more information from them and that’s a real shift going on in the marketplace right now.
“As a giant cloud user and SI [systems integrator] our methodology for securing the cloud is pretty immense. There is a checklist we go through to ensure the security of our data. We have 536 AWS buckets, just AWS. We’re the largest cloud user in Microsoft. And going through a checklist is critical. You may do that for one app and then you skip stuff and then you have holes. So, having a method and a checklist is critical.”
Data privacy, however, continues to be a thorny issue and Tyler said: “The perception or view that these big players are technically more secure, I don’t think there is an argument against that. It just comes back to the fact that some clients or types of clients have very clear jurisdictional requirements. They have statements as to where their data has to be. We often have discussions and debates with them and to your earlier point Chris, some of them will move but there is a hardcore that won’t.”
Culture
Ultimately, much of the success or failure of cyber initiatives doesn’t come down to the technology but the people and culture of an organisation.
The partner culture may be tough to rally against, but the CIO needs to be, as White describes it: “top of our game and in charge of our destiny.” He says: “If you can’t make the business case for investment you’re in the wrong job.”
Henri said: “Things are going in the right direction aided by the likes of the Paradise Papers and now really is our time and lawyers are listening hard. I’ll give you two examples. Some of our regions were doing table top exercises in business continuity and we did one with global management committee, which took two hours, in a room, that wouldn’t have happened a while ago.
“The other example is that we have invested in security wellness training SANS. We were struggling to past the 85% compliance and now the COO has said we can block compensation. If they aren’t doing it they aren’t going to get paid.”
Imposing financial penalties is the clearest indication that cyber is no longer optional in terms of engagement.
Accenture applies both carrot and stick. Everyone has to do security training and Paul Dillon, managing director at Accenture Consulting, said: “If you don’t do it your rating is impacted, which goes straight to the bottom line.”
Hemsley says: “In addition to the stick we use the carrot in our training – we offer shields or badges that people can add to their profiles to show different levels of commitment to information security.”
Cyberattacks are without doubt one of the biggest risks facing organisations today but if anything the tech is the easy bit: at the end of the day it’s the people you have to master.
For details of our brand new CyLok cyber readiness index email [email protected]