Comment: Spotlight turns on law firms’ cyber-security preparedness
Here’s another excellent piece by Seth Berman* on cyber-security issues…
The move by Bank of America Merrill Lynch to audit the cyber resilience of its external law firms marks a turning point in the fight against cybercrime. More institutions, not just in the US, are likely to follow in its footsteps, as they look beyond their own IT infrastructures and suppliers’ ability to withstand and deal with attacks. Signalling that organisations are facing increasing challenges in tackling cybercrime, the UK’s security services recently called for company boards and audit committees to take part in a cyber governance ‘health check’ to provide “a sense of how cyber-aware companies are, and what sort of risk assessment they have put in place”.
But at a time where four-in-five of the UK’s largest quoted companies report they are not prepared for cyber attacks and “almost all” boards believe their exposure to cyber risks has increased, how can law firms boost their own resilience? As custodians of confidential client information, firms should assess and test their own cyber security controls, reporting and compliance procedures annually, to ensure adequate protection remains in place. The threat landscape is constantly evolving and it is important to understand the nature of such risks, whether politically or financially motivated, or seemingly random.
The process of carrying out a cyber security audit does not need to be painful: yes, it will require the time and input of some key people from the organisation but it does not have to be as all-encompassing as a full financial audit, for example. However, in common with a financial audit, the health check should be supported by external experts with the appropriate level of knowledge and insight, which can further enhance the organisation’s cyber resilience.
Once ownership of the cyber resilience plan is agreed, the first step should be to take stock of controls and procedures already in place. Most firms will already have firewalls, password policies, encrypted data protocols and restricted access controls to counter potential cyber threats, alongside policies governing mobile devices, cloud storage and data sharing. However, when were these last reviewed, let alone tested?
The audit will allow the effectiveness of information systems to be reviewed and appropriate remedial steps to be taken, where required. The review would be incomplete without assessing the effectiveness of staff in combating cyber threats. For example, are partners and staff aware of the dangers of phishing emails, how do they react to them and what are the processes in place for incident reporting?
While the vast majority would hit the Delete button, only one unwitting member of staff needs to fall for a scam before security has been breached. When the email appears to come from the managing partner, alongside a plausible explanation (“I’ve sent this email from my private email address as I have not been able to access the office network”), the number of individuals clicking on the offending link could be even greater.
This predicament was faced by several dozen associates at a London law firm. The email, sent after-hours from the ‘private’ email address of the ‘managing partner’, asked each recipient to review an attached document, the content of which would be discussed at a meeting the next morning.
The document contained a virus. Once opened, the virus was deposited on the laptop of the unfortunate associate and from there onto the law firm’s network.
Such examples of ‘spear phishing’, or highly targeted fraudulent emails that may introduce a virus, activate malware to log keystrokes, copy emails, or even record phone conversations, are all too common.
Firms must, therefore, ensure they have appropriate processes in place to report all cyber security incidents to a designated team, with staff training and education a key aspect of any cyber security policy. Swift reporting allows threats to be dealt with immediately, which may also save the firm a lot of time and money in the long run. The 2013 Information Security Breaches Survey report, commissioned by the Department for Business, Innovation and Skills, found that the average direct cost of the most severe breach suffered by large corporates was between £450,000 and £850,000, and between £35,000-to-£65,000 for SMEs. In some cases individual security breaches cost firms more than £1m in direct costs, it said. The total costs of breaches can be far higher, when the cost of remediation, IP theft, and reputational damage is included.
However, IT security is only part of the solution. A mistake that many organisations continue to make is to treat cyber risk as purely an IT issue. Cyber security is not only dependent on sound IT and technology controls, but also physical security, such as the use of security cameras and keyless door locks to restrict access. Any competent cyber security policy will, therefore, require a fully joined-up approach between IT and corporate security.
There are no guarantees against cyber attacks but IT directors and senior partners need to be aware that the level of protection is not necessarily dependent on technology investment: it is more about organisations using the resources already available in a more effective way and testing these regularly. In reality, the cost of finding out the firm’s potential exposure to cyber security breaches through an audit is a lot smaller than the financial and reputational damage caused by an actual attack.
* Seth Berman is executive managing director and UK head of Stroz Friedberg, a digital risk management and investigations company. Prior to joining the firm, Seth was an Assistant U.S. Attorney and served as a member of the New England Electronic Crimes Task Force. Stroz Friedberg counts 73 of the AmLaw 100 law firms among its clients, as well as 16 of the top 20 UK law firms. www.strozfriedberg.com