Safeguarding your firm from a cyber attack
Peter Armstrong advises law firms on how best to protect against and respond to electronic data security breaches
The cyber threat is real and pervasive. This is not hype, nor is it reminiscent of the concerns in the run-up to Y2K; instead, governments around the world are treating the threat that cyber attack poses to wealth creation as an existential issue.
In the UK, for example, the National Defence and Security Strategy has defined cyber attack as a ‘tier one’ threat to national security alongside major terrorist attack. Further, right across the world, at a time when many nations’ public finances are in a parlous state, additional funds are being spent to bolster cyber defences of critical national infrastructure.
This seriousness is underlined by the 3 May amendment to the UK’s Computer Misuse Act 1990 that introduces new life sentences for serious computer-related crime.
Industrial scale
Part of the challenge is that cyber threat is as much about the sophistication of the institutionalisation and industrial scale it operates on as the technology that underpins it. Here, we bump into one of the critical issues: the population as a whole has little real understanding or exposure to the institutionalised nature of the criminality.
Practices are becoming increasingly sophisticated. Examples include legitimate service level contracts with call centre providers, where the operators endeavour to provide a good level of service to their clients, who can be organised criminals; or criminal co-ordinators (‘botmasters’) who use big data analytics to maximise the monetisation of their criminal activities, and who use the same tools to report monthly to their institutional investors who, like any other investor, are looking for managed returns on their (criminal) investments.
This criminality is not isolated, individual, or uncoordinated; it is collective, sophisticated, and highly organised.
Law firms are high-value targets for organised criminals, nation states, hacktivists, and lower-level criminality: they are aggregators of high-value market and commercially sensitive information, and provide ready access to cash through client settlement accounts.
Consider the payment system for small law firms. There is usually a straightforward, partner-controlled governance regime for the release of payments once the BACS or other payment system is loaded up. The payment is detailed by the cash clerical team and distributed in settlement.
In 2014, there was a systematic scam that saw spoof emails (‘spear phishing’ emails) sent to partners and other relevant staff involved in cash transactions that purported to be from a firm’s bank and informed the firm of a call centre support service to use if they were having problems with their payments. This was then accompanied by a slightly technical exploitation of the Heartbleed vulnerability, which affects the underlying security handshake for the encrypted part of a transaction.
Together, these allow the criminals to interfere with the payment: the firm is led to speak with a legitimate call centre seeking to provide a legitimate service, alternative payment details are provided, and the settlement payments are misdirected. This is a systematic campaign of attack, and there are variations on the theme.
Organised criminals have targeted firms who specialise in mergers and acquisitions and other commercially or market-sensitive transactions. Essentially, the criminals become insider traders and then use the insight gained to place trade transactions across the world’s electronic exchanges, manipulating the market in a way that is very difficult to detect. Once detected, of course, there is the possibility of the regulatory community considering the duty of care and compliance of the firm in protecting market sensitive information.
Under attack
Law firms are under attack, at scale, today: this is not theoretical. There are a number of practical steps that firms can take to protect the most critical assets in their business.
1. Do the basics really well. Focus on the simple things first – use the Department for Business Innovation and Skills (BIS) ‘Ten Steps to Cyber Security’ guidance to establish your agenda – this is much more than configured firewalls.
2. Start to increase the education and awareness of your staff. Help them to understand why cyber security matters, and the role and responsibilities they have as individuals as well as employees.
3. Organisationally, there is a related issue: insider threats embrace the deliberately bad, and the unintentional bad. Striking the balance between monitoring of staff and the trust within an organisation is hard. But a starting point that assumes the best, but plans for the worst, is a sound mantra.
4. Really understand the critical digital assets in your business. These are data, applications, infrastructure, and, where used, third-party service providers who supply these services. In order to do this, you need to understand which of these assets impact critically upon your business, viewed through three lenses:
This is a critical step because understanding what really matters allows you to place the maximum layered defence around these crown jewels. You won’t want to protect everything to this degree because of cost and the impact on your users. But, to keep the nation state actor’s hands off your key assets, you need to know what these are and where they are.
5. Understand who you are trying to keep out. This may sound obvious, but by understanding who you are keeping out, you understand what they are interested in, the sophistication and tools they can deploy, the trends of their attacks, and their determination to get into your networks.
6. Synthesise the knowledge from steps four and five to decide which critical controls to focus upon to defend your critical assets and to establish the level of effectiveness of the control outputs.
For example, you probably want to patch your settlement application as soon as one becomes available, whereas you may take longer to patch a less critical network or application.
7. A breach is inevitable. You may not find it yourself: the Verizon Data Breach Investigations Report 2014 suggested that almost 60 per cent of successful breaches were discovered by third parties, rather than the organisation that suffered the breach, so consider conducting an external vulnerability assessment.
When you do discover a breach, it is critical that you have a cyber incident response plan in place that you can execute immediately. The plan should be rehearsed and, where appropriate, have (often third-party) experts at hand to support regulatory/legal reporting, PR and customer/market engagement, and the technical containment, remediation, and forensic response to the cyber breach. It should form part of your business continuity planning and must be tested.
Peter Armstrong is executive director and head of cyber at Willis FINEX Global