In our latest guest column, Seth Berman of Stroz Friedberg* looks at law firm security…
For a long time, lawyers worked under the implicit assumption that they were not targets of hackers. Law firms thought of themselves as above the rough and tumble world of spying and IP theft. Lawyers are trained to believe that disputes should be settled according to strict legal rules, not through outright theft and cheating. Lawyers expect that their competitors – other lawyers – will follow these same principles and the rules of legal ethics, which preclude hacking. This complacency has now been shattered. Law enforcement agencies throughout the world have warned of an increasing threat of hacking to law firms. Across the Atlantic, these concerns have escalated to such an extent that the FBI is publicly warning law firms to tackle the escalating risk of cyber attacks. It comes as reports suggest that as many as 80 law firms may have been hacked in the US alone last year.
The cybercrime landscape is changing. While financial and government institutions remain prime targets, having been in the sights of hackers for a considerable period of time, such organisations now have more advanced systems and strategies in place to withstand actual attacks. Hackers are, therefore, turning their attention to targets that can offer easier access or, sometimes, even a wide-open backdoor.
The profile of hackers has also changed. From the early days of opportunistic individuals looking for peer-recognition, nowadays, hackers are more likely to have links to organised crime, political causes or state-sponsored espionage. This is a cause for concern, with Jonathan Evans, the director general of MI5, recently suggesting there is threat to “the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations”, from “industrial scale processes” involving “state-sponsored cyber espionage and organised cybercrime”.
So why are lawyers being targeted? There are two primary reasons: They hold valuable client data and tend to operate with relatively lax IT security. There is evidence lawyers have been hacked to uncover the details of mergers and acquisitions before they happen (to facilitate insider trading), to understand the details of competitive auctions (to improve a bidder’s likelihood of success), and to gain advantage in litigation.
The aborted $40bn take-over by Australian natural resources giant BHP Billiton of Potash Corporation of Saskatchewan is one high-profile case, where seven law firms reportedly came under attack. While the actual facts may never be known, experts believe this action bears the hallmark of state-sponsored espionage, perhaps as an attempt to derail the acquisition, in favour of a local competitor.
There is little doubt most law firms recognise the importance of safeguarding data, from a legal, commercial and reputational perspective. However, in a world where multiplatform technologies and mobile devices have become commonplace, the potential risk of suffering a data breach has increased exponentially. The question is no longer if, but when, an organisation will suffer a data breach.
What causes the lax security at many law firms? First and foremost, law firms have not been prioritising IT security. Partnerships often are not interested in spending the money on security and partners do not want the reduced convenience that good security requires. Lawyers expect to be able to be reachable and connected, whenever and wherever they are. But this constant connectivity comes with risks – the easier it is for a lawyer to access data remotely, the more opportunities there are for a hacker to also obtain such data.
However, lawyers are starting to realise that this is untenable and may soon have no choice. Some bar associations have told their members that keeping up with technology and taking reasonable steps to protect client information from being stolen is part of lawyers’ ethical obligations. Others will surely follow. Even if this does not soon become an explicit ethical obligation, as a practical matter, it already ought to be a priority. After all, almost nothing can do more harm to a law firm’s reputation than the failure to safeguard a client’s secrets.
While each law firm has unique cybersecurity challenges, there are some common themes. As a starting point, some very basic steps must be addressed to reduce the risk of an attack and mitigate the impact of any successful compromise.
Prioritise IT security. Law firms must view cyber security as an urgent and business critical issue. Unless senior partners believe that preventive security measures are crucial, they will not be implemented. To ensure that law firms implement security with a clear focus and strategy, they must designate of a Chief Security Officer, who would be responsible for coordinating security steps and the response to any breach.
Segregate and limit access to sensitive data. Across firms, many more people have access to sensitive data than actually require such rights. Data should be segregated and permissions set so that sensitive information is available on a need-to-know basis. This reduces the risk that rogue employees steal the data, which will also make an external hacker’s job harder.
In some cases, where highly sensitive information may be involved, one option available is the physical separation of certain data. The strategy to place such content in a secure location could be further reinforced by a strict policy that would ban the use of e-mail or the digital transfer of sensitive documents. By using a dedicated terminal to review such data, the client can rest assured that it has never left the building.
Encrypt data. Encryption essentially scrambles data, so that it is unreadable by anyone without a special key. This makes it much harder for even a successful hacker to obtain the underlying data and prevents data loss if a laptop or other mobile device goes astray.
Train employees on preventing and responding to a hacking. The first line of any IT security system is the individual user. But how do you stop a user from clicking on an innocent-looking link in a spear phishing email, which may activate malware to log keystrokes, copy emails, or even record phone conversations? How do you stop a partner from using the same easy-to-guess password for all devices and online accounts?
Education, ongoing training and regular tests to check employees’ response to a fictitious phishing attack will help address this issue. Users must understand the importance of embracing best practices to avoid inadvertently assisting a breach (by, for example, clicking on documents in suspicious e-mails and thereby infecting their computers with a virus). As part of developing a culture of awareness, firms should also focus on creating an understanding among staff of how and when a suspected breach should be reported. From a practical perspective, this will also be the trigger for the incident response team to spring into action.
With education comes also a deeper understanding of the potential implications. It may make a lawyer think twice before firing off a reply to that corporate client who is travelling in a country where internet communications are routinely monitored.
Require the use of strong passwords. Many people use very weak passwords, opting for ‘password’, ‘123456’, or common names or words that appear in a dictionary. By using a dictionary attack, cycling through all the possibilities that are most likely to succeed, such passwords can quickly be broken by hackers. This is confounded by the fact that these weak passwords are often re-used across multiple accounts, both professional and personal, and that the compromise of one account can provide an attacker enough information to compromise all of the accounts using that password. The use of strong passwords will, therefore, dramatically reduce the risk of this type of attack and can also limit the problem associated with the re-use of passwords across multiple services.
Prepare an incident response plan (IRP) and team. Part of any security system is creating an IRP to mitigate any damage after a breach occurs. If the roles and responsibilities of the team responding to an incident are unclear in advance, opportunities to mitigate the attack will be lost during the time it takes to organise the team.
Test and revise the IRP frequently. Computer networks and cyber risks are constantly evolving and the security plan must be kept up-to-date. Failure to keep the IRP current will quickly render this ineffective and periodic audits should be carried out to identify and secure weaknesses. However, the process does not end there. Partners and employees must also be reminded and re-educated about the constantly evolving threats.
Against the backdrop of overlapping factors and priorities, lawyers have become so focused on the convenient use of technology that many have overlooked the risk that come with this convenience and fail to recognise the complexity of the online security challenge. Simply put, there is no silver bullet, tool or solution that can eliminate cybersecurity risks. Instead, firms must instil in their partners and employees a culture focused on cybersecurity to prepare for the inevitable cyber attacks. This will both reduce the likelihood of a successful attack and mitigate the damage done in the event that hackers nevertheless defeat the firm’s security.
* Seth Berman is executive managing director and UK head of Stroz Friedberg, a global digital risk management and investigations company. Prior to joining the firm, Seth was an Assistant US Attorney and served as a member of the New England Electronic Crimes Task Force. Stroz Friedberg counts 73 of the AmLaw 100 law firms among its clients, as well as 16 of the top 20 UK law firms.
In July, Stroz Friedberg LLC, the New York-headquartered global digital risk management and investigations firm, announced plans to expand its London operation, with a move to Capital House, 85 King William Street, London. The growing demand for its specialist services is set to boost Stroz Friedberg’s 41-strong UK team, as organisations look to tackle cybercrime, fraud and security.
Seth Berman added “Since our move into London three years ago, we have experienced significant growth. The relocation to Capital House will enable us to build on this success, while delivering a high quality, client-focused service, from a prime location. This will also allow the further development of our cutting-edge digital forensics laboratory.”