Comment: Identifying the cybersecurity problems and solutions for law firms
by Dr Jamie Graves, CEO & Founder, ZoneFox https://www.zonefox.co.uk
It’s no secret that, these days, cyber security attacks are so pervasive that they frequently hit front-page headlines. What’s more, these types of attacks seldom discriminate; nefarious hackers target companies of all sizes across countless sectors. To make matters worse, these criminal acts show no signs of slowing down. Currently, the Breach Level Index – which records the quantity of data lost or stolen – shows that a staggering nine billion records (and counting) have been compromised since 2013.
Legal firms remain a particular favourite for cyber criminals, thanks to the colossal amounts of data they store. Recently, security researchers discovered a trove of files on the dark web containing nearly 1.2 million email addresses and credentials from 500 of the UK’s top law firms. Last year, PWC’s 25th Annual Law Firms Survey also revealed that 73% of respondents suffered a security breach in 2016.
These included all forms of cyber attacks, ranging from malicious insider threats – those within your organisation looking to cause hard – through to email phishing scams and ransomware designed to capture and use the details of an employee inside the network.
The challenges of cybersecurity
For a long time, law firms have been slow to adopt appropriate protective technology. Internal teams were often aware of the dangers faced, but all too often there wasn’t sufficient budget allocated to fighting these cyber threats, which should be spent on a combination of new technologies and educational initiatives.
However, with cyber security continuing to dominate the news, this is finally beginning to change. Law firms are beginning to invest both time and money into fighting cyber attacks, due to a combination of high-profile hacks and the imminent need to adhere to strict compliance regulations, thanks to the upcoming General Data Protection Act (GDPR). Alongside risk management, these were the leading issues identified in the International Legal Technology Association’s (ILTA) 2016 Tech Survey.
For law firms, the challenges typically revolve around the sensitive nature of the data held on file, iron-clad legal issues relating to client confidentiality and the determination of cyber crooks to get their hands on this exceedingly valuable data.
As such, in order to understand the best measures for preventing these attacks, it’s vital to have a working knowledge of how cyber criminals operate and where the weak spots of an organisation lie.
Problem Area #1: the cost of insider threats
The recent landmark verdict from the Morrisons supermarket trial – whereby former employees sued the chain for mishandling their payroll information, after it was purposefully leaked online by a disgruntled vengeful worker – brought this type of threat into the mainstream media. Representing a sea change in how these cases are dealt with, this was the first class-action lawsuit of its kind.
Morrisons now faces a sizeable bill to compensate affected staff affected, after the judge in the case deemed the business “vicariously liable” for the actions of its malicious employee. Along with the Panama Papers incident, this is a prime example of how important it can be to stop an insider who wants to take sensitive information with them when leaving.
Problem Area #2: the cost of insider threats
Contemporary compliance is a minefield. In a survey by RedCentric of over 150 decision makers within UK law firms, one of the biggest challenges highlighted was adhering to regulatory compliance.
Data protection regulation exists in most developed countries. At the moment, the UK’s Data Protection Act (DPA) regulates how organisations use personal data; law firms must comply with the DPA or face imprisonment and fines of up to £500,000 (around $630,000).
But the aforementioned GDPR will come into force in May and covers the security, privacy, and control of European personal data. Notably, and worryingly, PWC’s aforementioned law firm survey found only 13% of practices were ready for GDPR – which comes with far higher fines than that from the DPA.
Across the pond in the USA, data protection laws are less rudimentary in nature and vary state-by-state, but each dictates strict rules around data security and privacy with relevant punishment for non-compliance.
Problem Area #3: the value of a data breach is more than money
In March 2016, two large New York based law firms suffered data breaches. Both firms specialised in patent and intellectual property law, leading to suspicions that the perpetrators were hackers using the breached data for insider trading on the stock market. During that same month, 48 US law firms were targeted specifically by Russian cyber criminals looking for M&A activity to harness for insider trading.
As with Morrisons, there are big repercussions for law firms. The 2017 Insider Threat Report found that 53% of businesses paid remediation costs of around $100,000 after an internal attack. Reputation damage, however, is far harder to calculate (just look at the fallout Mossack Fonesca faced); regardless, it’s clear that, once a law firm is breached, it’s a steep uphill climb to win back client trust.
Addressing cybersecurity in the legal industry
When looking at the figures linked with the costs of cyber crime, it’s understandable to believe that the problem is insurmountable. Nonetheless, despite the expanding and increasingly lucrative cyber crime market, the security industry has been working tirelessly to destabilise these criminals by developing new and innovative technologies to combat them.
As such, here are some guidelines that should be followed in order to stay ahead of the curve when it comes to protecting against potential cyber threats:
Solution #1: dealing with insider threats through UEBA
Not all insider threats are malicious; many innocent victims often open a gateway to a breach by clicking on something they shouldn’t, which can be solved with ongoing security training and a culture of security being developed.
When it comes to picking up on those that have fallen foul of this social engineering or malicious insiders, it’s a much more complex game. Both parties as insiders will use genuine login information, meaning that their behaviour and infiltration is far more difficult to uncover than a less sophisticated style of attack.
However, using user and entity behaviour analytics (UEBA) technology gives firms far more insight into the network behaviour of users. This technology uses machine learning, gradually conjuring a profile of ‘ordinary’ user behaviour – when and where they access data from, what files and systems they use, and if they download and remove information from the network.
This means that deviations from the norm such as late-night file access, the downloading of sensitive information and logging in from completely new devices can be flagged up, alerting the firm to anomalous behaviour before a human can spot it. This kind of technology allows law firms to install a soft-touch, intelligent security offering without compromising any of the confidentiality that their reputations are build upon.
Solution #2: training and security awareness
The other core step in ensuring that cyber security incidents are addressed properly is ensuring that all employees have basic security hygiene. It might sound straightforward, but creating a genuine security culture and providing security awareness training is encompassed by several regulations, including the global cyber security standard, ISO 27001.
Additionally, it’s remarkable just how many businesses merely assume their staff won’t slip up when faced with a social engineering attack through a dodgy email or phone call. Being aware of weaknesses can go a long way to preventing seemingly innocuous activities turning into a devastating breach that will cost a firm’s reputation and bottom line.
As cyber attacks on all sides continue to increase, law firms must take positive action to contain the onslaught. Humans will always push boundaries, but boundaries need not be broken using a combination of knowledge, education, training and state-of-the-art technology. If these methods are avoided and cyber security isn’t prioritised at board level, then attacks on law firms will only continue to increase.