Perimeter breach: Protect your law firm from hackers
Seth Berman explores the governance and operational challenges of managing cybercrime risks in law firms
There is growing evidence that UK lawyers are being targeted by cyber criminals, who view law firms as veritable treasure troves of clients' intellectual property and commercially-sensitive information.
But, with limited internal digital security expertise and an obligation to safeguard confidential and sensitive data, the failure of firms to tackle online security could be leaving clients increasingly vulnerable to attack.
As hackers become more sophisticated, firms must develop a strategy of ongoing review, testing and training to avoid significant risk to business continuity and reputational damage.
The ingenuity displayed by hackers looking to gain access to one UK law firm's data serves as a stark reminder of the threats facing the sector. Adopting a spear phishing strategy (a highly targeted form of phishing), the hackers created an email address in a name that looked very similar to the name of the firm's managing partner.
The email, purportedly from the managing partner, was sent to all associates after hours, asking them to review a document so that it could be discussed the following morning. The email explained that the managing partner had to use his home address, as he could not access the firm's network at that time. The attached document contained a virus; all associates who opened the attachment consequently downloaded the virus onto their computers, and from there onto the law firm's network.
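The pattern in that incident (a display name that resembles a senior partner's, a sender address outside the firm's domain, delivery after hours, and an attachment) is exactly what a mail gateway or monitoring rule can look for. The following Python sketch is an added example and not part of the original article or the firm's tooling; the firm domain `example-law.test`, the executive directory and the sample messages are constructed placeholders, and the 0.85 similarity threshold and 08:00-19:00 working hours are assumptions a firm would tune.

```python
"""Flag inbound mail that impersonates an internal executive.

Added example for illustration; the domain, directory and messages below
are constructed placeholders, not data from any real incident.
"""
import difflib
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

FIRM_DOMAIN = "example-law.test"      # assumed placeholder domain
EXECUTIVES = ("Jane Doe",)            # hypothetical executive directory
NAME_SIMILARITY_THRESHOLD = 0.85      # assumed; catches "Jane D0e" but not unrelated names


@dataclass
class Message:
    """Minimal view of the message metadata a gateway would see."""
    display_name: str
    sender_address: str
    received: datetime
    attachments: Tuple[str, ...] = ()


def normalise(name: str) -> str:
    """Lower-case and collapse whitespace so cosmetic differences do not hide a match."""
    return " ".join(name.lower().split())


def name_resembles_executive(display_name: str) -> Optional[str]:
    """Return the executive whose name the display name resembles, or None."""
    target = normalise(display_name)
    for exec_name in EXECUTIVES:
        ratio = difflib.SequenceMatcher(None, target, normalise(exec_name)).ratio()
        if ratio >= NAME_SIMILARITY_THRESHOLD:
            return exec_name
    return None


def is_external(address: str) -> bool:
    """True when the sending domain is not the firm's own domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != FIRM_DOMAIN


def is_after_hours(ts: datetime, start_hour: int = 8, end_hour: int = 19) -> bool:
    """True outside the assumed working window or at the weekend."""
    return ts.weekday() >= 5 or ts.hour < start_hour or ts.hour >= end_hour


def classify(msg: Message) -> Tuple[str, List[str]]:
    """Return a verdict ('quarantine', 'review' or 'deliver') and the reasons behind it.

    Executive-name impersonation from an external address is enough on its own
    to quarantine; an after-hours attachment from an unknown sender is merely
    routed for review.
    """
    reasons: List[str] = []
    exec_match = name_resembles_executive(msg.display_name)
    if exec_match and is_external(msg.sender_address):
        reasons.append(f"display name resembles '{exec_match}' but sender is external")
    if msg.attachments:
        reasons.append("carries attachment(s)")
    if is_after_hours(msg.received):
        reasons.append("received outside business hours")

    if exec_match and is_external(msg.sender_address):
        return "quarantine", reasons
    if msg.attachments and is_after_hours(msg.received):
        return "review", reasons
    return "deliver", reasons


# Constructed sample traffic (2024-03-12 is a Tuesday, 2024-03-16 a Saturday).
SAMPLE_MESSAGES = [
    Message("Jane Doe", "jane.doe@example-law.test",
            datetime(2024, 3, 12, 10, 0), ("agenda.pdf",)),
    Message("Jane Doe", "janedoe.office@freemail.test",
            datetime(2024, 3, 12, 21, 30), ("brief_for_tomorrow.doc",)),
    Message("Jane D0e", "jd@freemail.test",
            datetime(2024, 3, 12, 11, 0)),
    Message("Bob Smith", "bob@client.test",
            datetime(2024, 3, 16, 22, 0), ("invoice.zip",)),
]


def run_samples() -> List[str]:
    """Classify every constructed sample and return the verdicts in order."""
    return [classify(m)[0] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, verdict in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{verdict:10} {m.display_name!r:12} <{m.sender_address}> {classify(m)[1]}")
```

The second sample reproduces the incident above: the display name is the partner's, the address is a "home" account outside the firm, and the message arrives after hours with an attachment. The third shows why the comparison is fuzzy rather than exact: a zero substituted for the letter "o" still scores above the threshold. The gateway decision is only one control; the article's point that users are the weakest link still stands, since a message that passes the filter is stopped only by staff who know not to open it.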
It is becoming increasingly evident that cybercrime knows no boundaries and no organisation is immune. A recent report commissioned by The Department for Business, Innovation and Skills suggested that some 78 per cent of organisations with more than 250 staff had been attacked by an unauthorised outsider in the past year. The total cost of security breaches is also on the rise and has tripled during the same period.
Addressing these concerns requires equal measures of prevention and preparation for a response - to use a real-world analogy, organisations need to take steps to prevent a fire, as well as to prepare to deal with a conflagration.
IT security audit
As with any security system, there is no foolproof way to prevent a cyber attack. However, there are several steps that your firm can take to significantly mitigate risk.
First among these is one that sounds simple but can be quite complicated: conducting an audit of your IT and physical security system. A security assessment, like a financial audit, should be carried out by an outside team without a stake in the existing IT infrastructure.
The team will determine the firm's threat profile and any vulnerabilities. In addition to ensuring that IT security practices are up to industry standard, a thorough security assessment will also identify where sensitive data is stored and whether it can be segmented or further removed from the rest of the IT system.
Segmenting data is a key part of good data security. It helps to ensure that a breach of one layer of security does not grant access to everything, and can make it extremely difficult for a successful hacker to reassemble stolen data into a useable form.
As the earlier law firm spear phishing case starkly illustrates, the security assessment must also review the weakest link in your security system: your users. Are passwords up to date or can they be easily guessed or broken? Do users know not to click on attachments to suspicious emails? Are they tested to see if they in fact do not click on such attachments? Do users know who to call if they accidentally do click on such attachments?
Each of these steps may sound obvious, but it is surprising how few organisations actually take the time to regularly step back and ask such questions. Most hacks occur or are made worse by vulnerabilities that should already have been identified and secured. However, few firms are doing enough to uncover these possible attack vectors in advance of malicious activity. A security audit can help to identify and rectify these vulnerabilities, thereby reducing the likelihood or severity of an attack.
Response strategy
As with physical security, the best preparation cannot prevent all attacks. For this reason, preparing a response strategy in case of an attack is an essential part of risk and contingency planning strategies. This must include a specific plan to ensure that valuable time is not lost as the firm decides who is in charge of response efforts.
For this reason, you should determine in advance of an incident what the chain of command will be for the incident response team. You should designate a specific executive to lead your internal response team and designate, where appropriate, your external legal advisers and IT consultants. This will ensure that your firm is ready to respond at the first sign of an incident.
In an increasingly complex regulatory and legal environment, the question of whether and when to report a data breach is a key decision facing the response team. The biggest challenge when contemplating reporting an incident is making sure you really understand what has happened. This needs to be addressed in advance of a breach so that the key questions can be answered as quickly as possible. Without such insight, a firm may be forced to make an announcement without knowing the details of what has actually happened, which can greatly exacerbate the public relations problem caused by the breach.
The incident response strategy must, therefore, address the question of what will be reported. A disclosure will often include:
- details of what has happened;
- an explanation of the steps that have been taken to ensure it is not happening anymore; and
- that it will not recur at a later stage.
Additionally, the briefing is likely to set out the scope of the loss, i.e., who it affects and how the problem will be remediated.
Of course, this type of disclosure is impossible unless you can first establish what really happened. Similarly, unless the scope of the data breach is clearly established, it is not possible to determine your firm's legal options or obligations.
Ideally, stakeholders should be informed first, but this will depend on the number of individual parties involved. For example, if the breach involved client data, there may not be a need to inform all clients but only those affected. However, this may only be clear once the data analysis has been completed.
A key challenge is finding the right balance between establishing who has been affected and the need to report as swiftly as possible. In reality, this requires the incident team to decide when the investigation is sufficiently complete to be closed. This will be case-specific and depend on the background circumstances and legal obligations.
Data breach response
The reality of a data breach is that there are many types of data breaches and the incident strategy must have sufficient flexibility to accommodate a range of scenarios.
Senior management have a duty to clients, fellow partners, staff and other stakeholders to respond rapidly and appropriately to an incident, keeping in mind that hacking often requires a very different type of response from other sorts of crimes.
In particular, you cannot assume that a cybercrime incident should be treated in the same way as any other theft or embezzlement. For example, if a firm finds itself the victim of most types of crime, it will go to law enforcement to identify and prosecute the perpetrators. For cybercrimes, while law enforcement has a role to play, firms must direct the investigation themselves and determine whether they have a duty to notify clients, regulators or other stakeholders.
Whether law enforcement can play a meaningful role in the aftermath of a hacking incident is often dictated by the type of incident involved. For example, many hacking incidents are carried out by employees or former employees with a grudge. Using sophisticated computer forensics, it is relatively easy to track and locate this type of perpetrator, arming corporations with a range of civil enforcement options, including dismissing or suing the individual. From a law enforcement perspective, a wide range of possible criminal actions may be pursued, including charges related to theft, fraud, embezzlement and computer hacking.
By contrast, hackings coordinated by outsiders present a much steeper challenge. Unlike most crimes, there is typically no physical link between an outside hacker and his victim. The hacker could be thousands of miles away and completely unknown to the victim.
Even if law enforcement could determine the scope of the incident, there are serious downsides to this approach for most organisations. To conduct a thorough investigation, forensic experts must secure and review copies of network traffic logs and configurations, and make forensic images of infected computers. This is a very intrusive process that requires scanning the entire firm's network for virus signatures, copying key computers and servers in full and monitoring network traffic. If the investigation is led by law enforcement, they will essentially have unlimited access to client and firm data, including restricted networks. This makes many firms uneasy, especially as the scope of the investigation is virtually impossible to define at the outset.
Most firms faced with this situation conduct a private investigation before notifying law enforcement, with three factors often driving this decision.
- Sophisticated computer hackers rarely advertise their presence. As initial evidence may be difficult to interpret, it is not always immediately clear whether any laws have been broken.
- Hackers do not leave detailed lists of what they stole. Only painstaking reconstruction of a hacker's activities through sophisticated computer forensics can determine the scope of the offence. This forensic examination requires nearly unlimited access to secret data and restricted networks, which most firms do not want to grant to law enforcement unless legally required.
- It is much easier to control the firm's public relations and communications strategy if the extent of the problem is known before going public. By handing the investigation over to the authorities, the firm would lose control over the timing and content of any public notification. This could prove to be a public relations disaster, especially since clients may blame the firm for failing to prevent the incident, regardless of the facts.
Beyond the practical and legal considerations, there is always at least one good reason to involve law enforcement at some stage of a breach investigation: it is in the public interest. Criminal investigations of cybercrime often uncover evidence of additional victims. For this reason, you should probably err on the side of notifying law enforcement if your firm is a victim, but typically only after your own investigation has revealed the incident's nature and scope.
Hacking is one of the greatest business and technology threats of the digital age and clients will increasingly be looking to their legal advisers for leadership and reassurance. We are well past the point where any firm can responsibly ignore this risk - failure to prepare is simply no longer an option.
Protecting your firm from hacking attempts
Do
- Carry out a security audit and act on the findings
- Train staff and reinforce their training regularly
Don't
- Assume your firm is immune to hackers
- Wait until a data breach to set up an incident response team
Seth Berman is UK head at Stroz Friedberg (www.strozfriedberg.com) and was formerly a US Department of Justice prosecutor