Cyber criminals want your client's confidential details

There is no such thing as complete data security, so firms must identify the potential risks and get ahead, says Eleanor Kilner
Solicitors working on corporate transactions are increasingly becoming the target of cyber attacks. Incidents involving criminals seeking confidential information on deals are so common that the SRA and the Law Society have produced their own high-level guidance.
On any one deal, a wide range of information is shared between various parties – target companies, banks, lawyers and advisers, among others – each with their own governing laws (consider the jurisdiction), policies and procedures.
Lawyers in particular collate large quantities of sensitive details in the process of advising their clients and facilitating the transaction, and as such are attractive targets for cyber criminals.
Take the example of a Canadian law firm, which proposed the acquisition of a Chinese company. Lawyers working on the deal received emails that appeared to be from a partner in the firm who was involved in the transaction.
In fact, this was a targeted phishing operation, known as ‘spear phishing’, with an attachment that installed a computer program on to the firm’s IT system. This recorded various data, enabling the third party access.
It was discovered that the attack originated from computers in China, with commercial espionage the presumed motive.
Although it may have been a targeted attack specific to this deal, firms should be aware that such malware can remain on a computer for some time without detection. Therefore, it has the potential to steal information over a long period even before an attack is found out.
Further, once an incident is discovered, if a thorough investigation of the security breach does not take place, it is possible that the malware will remain dormant on the network to strike the next big deal.
Risky business
Points to note pre-breach:
1. Know your security systems and identify how they may be exposed to attack.
2. Identify who could be keen to access information on a deal.
Points to note post-breach:
1. Implement a robust incident recovery plan.
2. When an attack is discovered, limit the damage by undertaking a thorough investigation so that all malware is removed.
3. Learn from breaches and put systems in place to protect your firm from future attacks.
Strong security
The number of parties generally involved in any corporate transaction puts law firms that act on those deals at increased risk of attack. With warnings from regulators and government bodies on cyber attacks, it has never been more important for law firms to ensure that their IT security is as strong as possible.
Law firms must ensure that preventative measures are implemented and that appropriate cyber security techniques are employed.
Even the most advanced security is not guaranteed to be effective against the most sophisticated threats. Cyber criminals develop techniques to overcome security systems as technology advances to prevent those attacks.
Lawyers must understand and acknowledge that total data security simply does not exist. As such, law firms need to be ahead of the game by knowing their internal systems and processes and identifying how and where they may be exposed to potential attack.
Firms should also identify who could be keen to access their information (such as competitors, contractors, employees and criminal networks, among others) to best prevent it.
Only by undertaking a proper and rational analysis of the inherent risks and monitoring these can law firms be best prepared. Having a proper and robust incident recovery plan in place is also important, but prevention is better than cure and identifying the risks at the outset is paramount.
Every firm is responsible for its cyber security. Where the potential reputational consequences and/or financial loss of a cyber attack can be very damaging, it is imperative that firms address and minimise such risks as a priority.
Eleanor Kilner is a solicitor at Weightmans