
Jean-Yves Gilg

Editor, Solicitors Journal

Data threats: Prevent reputational damage with cyber security

Feature


With cyber threats on the rise, how can law firms ensure that confidential client information is held securely? Stephen Brown provides some pointers

Bots, malware, spear phishing, zero-day attacks, spam, ransomware, denial of service, viruses, hackers, GCHQ, the NSA and the Snowden leaks. The above could be the marketing piece for the next US movie blockbuster. Or, it could just be some of the threats that your law firm faces on a day-to-day basis.

Whenever the term cyber security comes up, there are always some very large and scary numbers close by. You will not be disappointed on this occasion. Symantec's Internet Security Threat Report 2014, which covers calendar year 2013, indicates that:

  • there was a 91 per cent increase in targeted attacks in 2013;

  • the number of security breaches increased by 62 per cent in 2013;

  • over 552 million identities were exposed by breaches in 2013;

  • 38 per cent of mobile users have experienced some form of mobile crime in the past 12 months; and

  • one in every 392 emails contains phishing attacks.

Cyber attacks are a very real threat to law firms. Rather than get into the details of all of the different threats and how they can be used against your firm, or discuss the very large and sometimes incomprehensible numbers that go along with cyber security, it is best to try to encapsulate where the real risks are, what guidance we can follow to protect our firms and what we could do in future.

So, what is the biggest risk to your firm? Is it the £500,000 fine that the UK Information Commissioner’s Office could impose if someone accidentally leaks sensitive data? Or, perhaps, is it the risk that one of your competitors might gain intellectual property on a new product or service line that you are developing?

There is one thing that law firms treasure and protect more than anything else: their reputation. The relationship between a client and a law firm is built on trust. Therefore, the risk that cyber attacks pose to your firm's reputation is a very real threat and one that should be dealt with in the most comprehensive way possible.

Risks and challenges

From outside of your firm, there are five key types of external threat actor:

  1. hacktivists (e.g. Anonymous);
  2. criminals;
  3. espionage;
  4. terrorism; and
  5. state sponsored.

Each one of the above has been well publicised, but what do these types of threat really mean when it comes to protecting your law firm? What this ultimately comes down to is the data that your firm holds on its systems and how to protect that data from unauthorised access. The key question here is: is there any way for law firms to ensure confidential client information is held securely?

The data that your firm holds will probably have many access points. We do this so that staff can be efficient and mobile and therefore deliver the services that clients require on a timely basis. As a result, the access points to the firm’s data could probably be grouped into five areas:

  1. staff;
  2. systems;
  3. mobility;
  4. cloud; and
  5. social.

Each of these areas can be affected by cyber security. Let’s look at each one in detail and identify some of the challenges.

1. Staff

My staff are trustworthy and know what they are doing. Is this how you feel about your workforce? Unfortunately, no matter how good your cyber security governance is or the security of your systems, the weak point of any well-designed system is the point at which systems and humans interact. So, what are the challenges?

The key one is staff awareness. Do they understand and appreciate cyber threats? Or do they just think that these are the sort of things that happen in films and would never affect them, their firm or their clients?

Are they aware of the data that they are dealing with and how their ability to act in a client's best interests could be severely compromised if they accidentally do the wrong thing?

We may have to contend with a malicious member of staff. However, the malicious internal attack is very rare. Generally, staff try to do the right thing, work in the right way and protect their clients, including their clients' confidential data.

Unfortunately, possibly due to a lack of knowledge in this area, they could open themselves up to threats by just trying to be kind or helpful. Cyber criminals exploit human nature to gain access to law firms' data.

2. Systems

One of the reasons why law firms are seen as a weak link may be the perceived lack of investment that law firms provide to the IT department. Lack of attention to core systems can have a detrimental effect on the options and features available to protect your data. This is key when considering end-of-life software, ageing hardware and ageing systems.

There is also the added complication that cyber security is a relatively new threat to law firms. The rapid growth of internet connectivity over the past five years has meant that the systems in use were perhaps not designed with security in mind at the outset. This is not only visible in the design of systems within law firms but is also a fundamental issue with the protocols that are used. For example, the simple mail transfer protocol (SMTP) was never designed with security in mind: it does nothing to verify who sent a message, so both the envelope sender and the visible From: address are simply asserted by the sending host and can be forged unless the receiving domain checks them with later add-ons such as SPF, DKIM and DMARC. Spear phishing that appears to come from a partner or a client relies on exactly this.
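To make the SMTP point concrete, here is an added example (not code from the original article or from the author's firm) that reads the headers a receiving mail server stamps onto a message and flags the signs of a forged sender: a From: domain that differs from the envelope sender, and failed SPF or DMARC results in the Authentication-Results header. The two messages, the domain names and the header layout are constructed for the example and are not real traffic.

```python
"""Flag likely sender forgery in a received e-mail from its headers.

Added example, not part of the original article. SMTP itself checks nothing
about the sender: the envelope sender (recorded by the receiving server as
Return-Path) and the From: header are whatever the sending host claims.
The receiving server's Authentication-Results header (SPF/DKIM/DMARC) is
what records whether the claimed domain actually authorised the message.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a spear-phishing message that claims to come from the
# firm's own domain but was handed over by an unrelated host and failed SPF
# and DMARC. All domain names are placeholders.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-promo.example.net>
Authentication-Results: mx.example-lawfirm.co.uk; spf=fail smtp.mailfrom=mail-promo.example.net; dkim=none; dmarc=fail header.from=example-lawfirm.co.uk
From: "Managing Partner" <partner@example-lawfirm.co.uk>
To: accounts@example-lawfirm.co.uk
Subject: Urgent: client funds transfer

Please action the attached payment before 5pm.
"""

# Constructed sample: the same sender, but genuinely sent through the firm's
# own mail system, so SPF, DKIM and DMARC all pass.
SAMPLE_LEGIT = """\
Return-Path: <partner@example-lawfirm.co.uk>
Authentication-Results: mx.example-lawfirm.co.uk; spf=pass smtp.mailfrom=example-lawfirm.co.uk; dkim=pass header.d=example-lawfirm.co.uk; dmarc=pass header.from=example-lawfirm.co.uk
From: "Managing Partner" <partner@example-lawfirm.co.uk>
To: accounts@example-lawfirm.co.uk
Subject: Minutes

Attached.
"""


def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address, or ''."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Parse 'method=result' pairs (spf, dkim, dmarc) out of Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)
    return {method.lower(): result.lower() for method, result in pairs}


def spoof_indicators(raw_message):
    """Return a list of reasons the message looks forged (empty list if none)."""
    msg = message_from_string(raw_message)
    header_from = domain_of(msg.get("From"))
    envelope_from = domain_of(msg.get("Return-Path"))
    results = auth_results(msg)

    indicators = []
    # A bulk sender or attacker hands the message over under one domain while
    # the visible From: shows another.
    if header_from and envelope_from and header_from != envelope_from:
        indicators.append("envelope/header domain mismatch")
    # SPF fail: the sending host is not one the envelope domain has published.
    if results.get("spf") == "fail":
        indicators.append("spf fail")
    # DMARC ties SPF/DKIM to the From: domain; anything but pass is suspect.
    if results.get("dmarc") != "pass":
        indicators.append("dmarc not pass")
    return indicators


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legitimate", SAMPLE_LEGIT)):
        print(label, spoof_indicators(sample) or ["no indicators"])
```

The check only means something if the firm's mail gateway actually stamps Authentication-Results and the firm's own domain publishes SPF and DMARC records; without those, the header is absent and the last two tests cannot distinguish good mail from bad.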

The level of data security awareness within IT departments can also be a limiting factor and a challenge that firms have to face. Does your IT department appreciate and understand the data that the firm holds? Does it have the knowledge to protect and train itself and make the firm aware of cyber threats?

3. Mobility

The rise of the mobile workforce means having systems that are available to staff 24/7 and accessible over the internet.
The rise of mobile devices and smartphones has only increased the pressure on IT departments to make their systems device agnostic and open. What does this actually translate to in connection with cyber security?

Before the rise of the mobile workforce, virtual private networks (VPNs), smartphones, BlackBerrys and other connections into your firm's systems, the only way a member of staff could access your systems would be to walk into your premises, switch on a machine and access the data. This meant that you knew that the number of connections into your systems should always be equal to the number of PCs or laptops that you had on your firm's premises. Due to the mobile workforce, connections to your systems can now come from anywhere in the world, at any time and from any device. This makes it increasingly difficult to restrict access.
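When every login can come from anywhere, at any time and from any device, the practical response is to record each remote login and look for the ones that do not fit. The following added example (not code from the original article) runs that kind of review over a handful of constructed VPN login records. The record format (timestamp, user, source country, device class), the approved-country list, the managed-device names and the business-hours window are all assumptions chosen for the example; a real deployment would take them from the firm's own access policy.

```python
"""Review remote-access logins for 'anywhere, any time, any device' anomalies.

Added example, not part of the original article. Input format is an
assumption: one login per line as 'ISO-timestamp user country device', the
kind of record a VPN concentrator or identity provider can export.
"""
from datetime import datetime

# Constructed sample log lines (not real users or traffic).
SAMPLE_LOG = """\
2014-06-02T08:55:00 jsmith GB managed-laptop
2014-06-02T09:10:00 jsmith GB managed-laptop
2014-06-02T11:30:00 jsmith RO unknown-android
2014-06-02T23:40:00 kjones GB managed-laptop
2014-06-02T14:05:00 kjones GB byod-ipad
"""

# Policy knobs: all assumed for the example.
ALLOWED_COUNTRIES = {"GB", "IE"}
MANAGED_DEVICES = {"managed-laptop", "managed-phone"}
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59
MIN_HOURS_BETWEEN_COUNTRIES = 6        # faster than this is 'impossible travel'


def parse_log(text):
    """Parse log lines into (timestamp, user, country, device), oldest first."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, device = line.split()
        rows.append((datetime.fromisoformat(ts), user, country, device))
    return sorted(rows)


def find_anomalies(text):
    """Return (user, reason) pairs for logins that break the assumed policy."""
    findings = []
    last_seen = {}  # user -> (timestamp, country) of the previous login
    for ts, user, country, device in parse_log(text):
        if country not in ALLOWED_COUNTRIES:
            findings.append((user, "login from non-approved country %s" % country))
        if device not in MANAGED_DEVICES:
            findings.append((user, "login from unmanaged device %s" % device))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((user, "out-of-hours login at %s" % ts.isoformat()))
        prev = last_seen.get(user)
        if prev is not None:
            prev_ts, prev_country = prev
            too_fast = (ts - prev_ts).total_seconds() < MIN_HOURS_BETWEEN_COUNTRIES * 3600
            if prev_country != country and too_fast:
                findings.append((user, "impossible travel %s -> %s" % (prev_country, country)))
        last_seen[user] = (ts, country)
    return findings


if __name__ == "__main__":
    for user, reason in find_anomalies(SAMPLE_LOG):
        print(user, reason)
```

Each finding is a prompt for a human to check with the member of staff, not proof of compromise: a partner genuinely travelling will trigger the country rule, which is exactly the conversation a firm wants to have before, rather than after, a stolen password is used from abroad.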

There is another mobility challenge in relation to tablets and smartphones. This challenge could be described as the 'cool factor'. People want smartphones and tablets to be 'cool'; they want to have music and photos and be able to download apps at will. They don't want to read terms and conditions and access rights, because that's 'geeky' and 'uncool'. They want their devices open and they want to be able to do what they want to do on their machines.

Unfortunately, this is a threat and a challenge to your firm. Locked down and secure does not equal cool mobile devices, but it does protect your firm's data. Open and available is cool, and this can mean insecure. This is an area that cyber criminals are keen to exploit. If mobile devices are left open and unmanaged, malicious software installed on them can be used to reach your systems with that user's access.

4. Cloud

The essence of the cloud is that you have put your firm's and clients' data into the hands of a service provider and that it is accessible over the web. This data might be held in a very secure data centre, but you need to ask yourself some searching questions:

  • Where is my data?

  • Who has access to it?

If you have any concerns when answering those questions, then you need to consider whether or not your firm’s data is secure.

5. Social

Social media is proving to be a challenge for firms of all sizes. We now make public all of the data regarding who has what roles and responsibilities within a firm. It is very easy to identify who the IT administrators are, along with the decision makers within the firm's hierarchy. In other words, it is easy to identify who holds privileged accounts and can gain access to the most sensitive data.

Again, this is something that cyber criminals can exploit. Rather than randomly trying to access your systems by looking at telephone directories, they now have a full hierarchical structure of your business, because we openly post that information publicly.

Guidance

There is a whole host of guidance and information available to the individual responsible for maintaining cyber security at your firm. Unfortunately, there is one cyber security truth that is sometimes difficult for firms to comprehend: you can never with 100 per cent certainty say that you can prevent a cyber security breach at your firm.

The evidence is clear: if data can be harvested from the core infrastructure that your systems run on, then any data that uses that infrastructure as its transport layer (e.g. the internet) could be read in transit by somebody.

If governmental security agencies cannot have private conversations, then what chance does a privately-owned law firm have of protecting itself? So, with that in mind, should we just give up and open up our systems on the assumption that we cannot protect ourselves?

No. The more pragmatic approach is aligned with trying to protect your car from a car thief. If somebody really wants to steal your car, it will be stolen and there is nothing you can do to stop it. But, does that mean that, when you park your car, you leave the windows open, the keys in the ignition and put a sign on the car saying ‘steal me?’ No, it does not. We all employ standard security measures that are appropriate to our vehicles. We lock the doors, we close the windows, we put our valuables out of sight and we might have alarms, immobilisers and trackers.

All of these things mean that, when criminals are walking through the car park, your car is the least attractive and hardest to steal. You need to design your cyber security policies using a very similar model and make your firm as unattractive and unapproachable as possible to the cyber criminal world.

So, what guidance can we provide? Ask yourself 10 key questions (see Figure 1). Whether these questions are directed at you, your IT director or your information security officer, if you do not receive 10 positive responses, then you potentially have a problem.

If you cannot comfortably answer yes to each of the questions, then there is a possibility that there are issues that need to be resolved. If you can confidently answer yes to each one of those questions, then that is a great starting point to build from.


Protecting reputations

So, what can we learn in connection with cyber security and law firms? Yes, the internet can be a very scary place. Yes, the internet can provide lots of opportunities for cyber criminals to cause incomprehensible damage and destruction to your systems, your firm, your data and your reputation. But there are things that you can do to protect your clients' data, your firm and your reputation.

It is strongly recommended that you perform regular penetration tests and social engineering tests on your firm. Obviously, the tests are only as good as the recommendations that are followed through upon and the remedial actions that are taken. Complacency is something that cyber criminals use to their advantage, and the threats are evolving and growing every month.

Stephen Brown is IT director at Higgs & Sons (www.higgsandsons.co.uk) and a member of the Legal IT Innovators Group (www.litig.org)