Cyber security is a buzzword that creates both fear and opportunity, depending on which side of the fence you sit. With the likes of Edward Snowden and other security issues abounding, law firms are more than ever placed in the front line when it comes to security threats.
The Lawyer reports that hackers are increasingly targeting the legal profession for the goldmine of sensitive and confidential client data firms hold. And that threat is becoming so prevalent that cyber specialist practitioners envisage a time soon when bank and corporate general counsel – as well as those in charge of family offices – will insist on law firm security audits as part of routine panel reviews.
This is not the stuff of science fiction or scaremongering, according to the experts. One cyber security specialist relates that a top 10 City firm chief information officer is convinced of the inevitability of a prominent legal practice going down in flames as a result of a cyber attack breaching client confidentiality and rendering the practice’s wider reputation and market position untenable.
Some suggest the financial services sector is starting to see law firms as the ‘soft underbelly’ in the cyber security battle. While they themselves have recognised the threat, upgraded systems and implemented state-of-the-art layers of defence, their lawyers, argue some senior bankers, are a weak link. Firms holding vast quantities of confidential information regarding financial services sector clients are a target for hackers because they are behind the cyber security curve.
But while not complacent about the threat, some specialist lawyers are cynical, sensing a whiff of hyperbole behind the jargon.
“The technology industry has a fantastic ability to create new terminology for old concepts,” comments one City firm data privacy specialist. “You could argue that cyber security is just another aspect of general data protection, and privacy and information management.”
Quips another: “Everybody talks about cyber security because it’s a sexy phrase.”
IT – pluses and minuses
Nonetheless, the security gurus stand by their language.
“I recognise the suggestion that some see the term cyber security as a bit of a marketing fad,” responds BAE Systems Detica business director Tom Burton. “I’m sure that in the early part of the 20th century people said air travel was a bit of a fad.”
Burton goes on to acknowledge that at one level cyber security is an extension of general information security, but he points out that the difference comes “due to the interconnectedness of businesses that has come about because of advances in technology. That means a far more complex and multi-dimensional problem to solve”.
Fifteen or 20 years ago a business could get away with erecting a basic firewall around its networks and ensuring servers were updated on a reasonably regular basis. Today, that would not even count as security: the complexity and multiplicity of routes available to attackers, combined with the rewards on offer for successful attacks, make data and information security a far more complex procedure.
“Cyber security is no longer a task that can be delegated to a couple of people in the back-office,” advises Burton. “It’s a board-level corporate risk that needs to be treated in the same way as physical security.”
The numbers – at least those quoted by the technology risk specialists – should be enough to get boardroom executives sitting ramrod straight.
According to Ed Butler, executive director at the Salamanca Group, which has been researching cyberspace risk issues, in the past 18 months there has been a 40 per cent rise in cyber attacks on UK businesses. In 2012 those attacks cost the economy some £28bn.
Globally, the numbers are even more eye-watering. Researchers claim there were 2.7 million attacks a week on the oil and gas sector alone. And, according to Butler, a multinational US bank claims it fends off around a million attacks every day around the world.
That figure sounds so astounding as to be almost incomprehensible. The majority of those attacks are automated and easily batted away by the bank’s modernised firewalls. Another high proportion are simply opportunist attacks that again are relatively easily defended against. However, enough are sophisticated and targeted to cause concern.
Comments Butler: “There is a scale of magnitude that people are just waking up to.”
They’re out to get you
There has also been a misconception in business that hackers are exclusively targeting global behemoths – worldwide financial institutions, energy and pharmaceutical companies. Research exposes that as wishful thinking.
Butler says half of last year’s cyber attacks in the UK were directed at businesses employing fewer than 2,500 people.
“The reality is that if you are smaller you are more vulnerable,” he says, “because the bad guys will think you haven’t got the protection kit in place. They reckon the bigger companies have all that kit, and by and large they do.”