By Paul Colwell, chief technical officer at CyberGuard Technologies
Paul Colwell looks at the cost to the legal sector of cyber breaches; what law firms’ obligations are; and what steps they must take in order to respond to an ever-growing threat.
Why is the threat so significant?
Law firms are increasingly targeted by a range of cybercriminals: financially motivated gangs, surveillance-motivated nation states, and ideologically motivated hacktivists. According to the NCSC, the primary reasons are, “they hold sensitive client information, handle significant funds and are a key enabler in commercial and business transactions.” [i]
The NCSC adds that the most significant threats law firms need to counter are phishing, data breaches, ransomware and supply chain compromise (for example, a UK software firm exposed personal information belonging to more than 190 law firms in 2020). [ii] To that we can add business email compromise (BEC) attacks, where fraudulent emails purporting to come from the CEO ask for urgent money transfers (to the fraudster’s account) [iii] – and simple human error, where personal information is emailed to the wrong person.
A leading London law firm revealed in mid-June that it had been breached from a “now known external source”, but all stolen data “was traced quickly and deleted from the location to which it had been downloaded.” Despite these assurances the firm lost 8% of its share value within hours of its announcement.
The cost of a successful cyber breach could include downtime, possible ransom payment, potential GDPR sanctions, and above all, loss of brand reputation, clients, and share value.
What obligations do law firms have towards cyber security and data protection?
Law firms have both a moral and legal – and sometimes even existential – obligation to protect the personal and sensitive information of their clients. In 2016, the Panama-based law firm Mossack Fonseca was breached, and troves of highly sensitive data were stolen. The stolen and leaked data had global implications, even embroiling UK prime minister David Cameron in accusations of tax evasion. It was too much for the law firm to survive, and in 2018 it announced, “Reputational deterioration, the media campaign, the financial consequences and irregular actions by some Panamanian authorities have caused irreparable damage, resulting in the total ceasing of public operations.” [iv]
In the UK, law firms are required by law to conform to the requirements of the UK’s Data Protection Act (the UK version of GDPR), to GDPR proper if they have EU citizens among their clients, and to other jurisdictional legislation as relevant (for example, CCPA if they have clients in California).
A report produced in September 2019, based on data obtained through a freedom of information request to the ICO, showed a surprising number of GDPR breaches in the regulation’s first year of operation. Forty-eight percent of the top 150 UK firms reported a data breach, with 212 breaches reported in total. Forty-one percent of the breaches were simply due to emailing the wrong recipient – but this is still classified as a GDPR data breach. So far, there has been no significant fine levied by the ICO, “but,” notes the report, “it is surely only a matter of time”. [v]
What do the SRA and Law Society say about cyber security?
The Solicitors Regulation Authority (SRA) has been warning law firms about the dangers of cyber criminals for many years. “Whether by use of spyware, identity theft, viruses or simply tricking people to reveal sensitive data, cybercriminals are always attempting to find new victims and weaknesses in defences they can exploit,” it reported in a cyber security review (September 2020). [vi]
For this review, the SRA talked to 40 firms that had been targeted. Twenty-three lost more than £4 million in client funds. While much of this (not all) was covered by insurance, “These figures do not take account of the wider cost of such incidents to firms, for example higher insurance premiums, lost time and damage to client relationships.”
The Law Society says, “The legal sector is at significant and growing risk of cybercrime, cyber attacks and scams.” It provides a special section on cyber security, where it comments, “You may want to consider cloud computing. This is where your data is stored on remote servers and accessed through the internet instead of your computer’s hard drive. These servers are managed by a third-party supplier, who’s also responsible for the security of the data it holds.” [vii]
This is a little misleading. If you store data on a private cloud under contract with a managed services provider (MSP), that will be true. But if you store data on public clouds (such as AWS, Azure and Google Cloud), it will almost certainly be under the ‘shared responsibility’ doctrine. This means that the provider is responsible for the security of the cloud infrastructure, but the customer remains responsible for the security of any data stored in it, including its access controls and configuration.
How do law firms typically manage cyber security?
Law firms are generally responding to the growing cyber threat in the same way as other sectors. “For all firms,” says PwC, “improving use of technology” remains a priority, as does “standardising and centralising business processes and ways of working”. [viii]
But law firms have a unique complexity: they have multiple customised systems, bespoke applications and several case management systems, often doing a similar job to other systems in the same firm. The attack surface increases, the cost and complexity of basic cyber hygiene such as patching grows, and the number of required security controls escalates.
The result is a complex and costly cyber security posture. Complexity is the enemy of cyber security, and it may be time for a rethink.
Cyber Essentials and Cyber Essentials Plus
Cyber Essentials is a simple government-backed security scheme to help protect firms from most cyber attacks. It concentrates on the basic security hygiene that keeps out most attacks from the unskilled hacker (thought to be more than 80% of all cyber attacks). “They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks,” says the NCSC. [ix]
Cyber Essentials will not stop advanced attackers and nation states, but it is a good and important starting point. In fact, there is no excuse for a law firm not to be Cyber Essentials accredited since it is now a requirement for gaining the Law Society’s Lexcel quality mark.
Cyber Essentials comes in two flavours: basic and Cyber Essentials Plus. There is no practical difference between the two, other than the former being self-certified and the latter requiring independent verification.
Law firms should seek to be Cyber Essentials Plus certified, even if this requires guidance from an experienced consultant. Everybody puts more effort into meeting a third-party audit than into what amounts to a paper-based checklist, and clients have more confidence in an external audit.
“We found that firms with Cyber Essentials Plus accreditation were more likely to have good policies and procedures in place and have taken effective steps to protect themselves from future cyber security incidents,” says the SRA. [x]
Paul Colwell is chief technical officer at CyberGuard Technologies, an independent company within the OGL Group. CyberGuard Technologies is a UK-headquartered company that guides firms through the steps necessary to achieve Cyber Essentials accreditation. [xi]