Guest Post: A criminal with a file – the threat to their data that law firms are overlooking
Data protection is inevitably a big issue for the UK’s law firms, which are guardians of some of the country’s most sensitive and sought-after commercial information.
Last year the legal profession was warned by the Information Commissioner’s Office (ICO) about the need to improve security, after the ICO investigated 173 UK law firms for breaches of the Data Protection Act 1998. This follows a similar warning in 2014.
Although these breaches for the most part involved personal information, the consequences of failing to protect the data with which firms are entrusted are immeasurably serious for lawyers. The potential for a £500,000 penalty from the ICO is dwarfed by the far greater damage likely to be inflicted on their balance sheets as a result of losing their reputation for competence and regulatory compliance.
The advent of tightened legislation in the form of the European General Data Protection Regulation makes the question of data security all the more pressing. Set to come into force in 2017, the new law will impose increased penalties and fines on companies which fail to protect data adequately, or are subject to a breach.
There is no lack of incentive for criminals to breach a law firm’s security when it is likely to hold data about wealthy individuals, patents, trademarks, mergers and acquisitions or corporate tax affairs.
Of course, being professional and ethical the firms are fully aware of the high value of the information of which they are custodians. To protect it, most have invested in expensive perimeter security such as firewalls, web controls and email scanning.
But the threat doesn’t stop there. Commonly deployed perimeter technologies of this type can only deal with recognised threats and are unable to screen out the new forms of cyber-attacks that criminals are devising every day.
“Across the legal landscape there is little information about the huge growth in security threats carried in email attachments,” says Janet Day, the former IT director at Berwin Leighton Paisner. “Open and free exchange of documents is the lifeblood of the legal profession, but there needs to be a recognition that email attachments are the most dangerous point of vulnerability.”
Day’s point is backed up by the facts. Across all businesses, some 94% of successful cyber-attacks resulting in a data breach are now perpetrated in this way and the figure is growing every year.
The complex documents that lawyers and their colleagues routinely email back and forth hundreds of times each day are now one of the chief entry points for criminals seeking access to the treasure trove of sensitive information held by any law firm.
To counter this new scale and complexity of cyber-crime, everyone in the legal sector now needs a solution that is 100% effective in stopping all such file-based threats from accessing a firm’s system.
At present these threats mostly take the form of highly-targeted and sophisticated malicious exploits cleverly hidden inside PDFs, Word documents, Excel or PowerPoint files. They are not picked up by conventional perimeter security solutions, nor by sandboxes. In the majority of cases, sandboxes, which are designed as quarantine areas for testing of files, often only operate for a matter of minutes before passing a file as safe. Destructive or malicious exploits by contrast, are often designed to activate weeks or months after they have become embedded in a system.
Detecting files that hide malicious code is not easy, given that law firms routinely email thousands of complex documents in different formats to clients and third-parties using all kinds of systems and devices. Nonetheless, it is time the profession turned its focus towards a best practice solution that offers absolute security and that fully counters the threat from macros and all other malicious agents.
Leaving the bad outside
There is technology available that is capable of performing deep file analysis and real-time regeneration to produce a clean, sanitised and perfect copy of the legitimate document, free of any malicious content.
This technology gives protection against the most persistent and complex file-based threats by looking only for what is known to be “good” in the file type after it has been broken down to byte-level, regenerating it in precise compliance with the manufacturer’s standards. Not only will it keep all the malicious elements on the other side of the virtual wall, it will also restore files corrupted by excessive use by different parties.
Organisations must utilise such technology in order to defeat the growing threat of file-based attacks, which have overcome conventional approaches such as sandboxes, which routinely generate more than 60% of false positives.
Taking back control
Importantly, security solutions need to put high-level decisions about security protocols back in the hands of those at corporate level, rather than at the discretion of staff members. It means an organisation like a large law firm is back in control, adjusting cyber security policy according to who needs to use which file-type.
At the same time, law firms need to be constantly acquiring actionable intelligence about the evolving nature and size of threats from the comparison of unknown and unstructured files against established standards. This is a major advantage when the volume of unstructured data being encountered daily in this industry is commonly far higher than any other.
Not least among the many benefits of this technology is its transparency. Law firms are increasingly required to demonstrate that they are compliant with best practice – not only to regulators, but to third parties. Banks in particular are already insisting on demonstrable compliance with cyber security standards in their dealings with their legal counterparts and this a trend that can only gather strength as the European regulation looms closer.
It is worth noting that in October, UK banks suffered £20m in losses to a series of cyber-generated breaches, while the cost to the country as a whole is annually put at £36bn.
When the risks are so great and the threats so imminent, it does not require the greatest minds in the land to work out that a technology that provides active and absolute protection from file-based cyber threats should be installed as an urgent necessity when lawyers are sitting on vaults of incredibly sensitive and valuable information.
Greg Sim is Chief Executive Officer of Glasswall Solutions