News that Chinese hackers had breached law firm security to secure highly sensitive data shows that law firms remain highly exposed to such attacks.
Many major UK and US law firms have increased their cyber security vigilance, but many also remain highly vulnerable as recent reports on cyber security have shown.
A survey last year from BitSight, a company that provides a security rating system for varius businesses and showed that the legal profession was second-best in security ratings, but lagged behind the financial industry security ranking.
Ranking on a 250 (lowest) to 900 (highest) security rating scale, the BitSight rankings showed that finance scored 703; legal, 687; retail, 685; healthcare, 668; energy/utilities, 667; and government, 657. Legal actually dropped two points from last year’s rating of 690.
The Law Firm Problem
But the major law firm problem was that over half the law firms surveyed in the survey were susceptible to an attack known as DROWN which served to break encryption and exposes gaps in communication and information in Web and email servers and VPNs.
“The story here is not that legal is performing well. The story is there is risk there and if people [in the sector] don’t manage that, it could be catastrophic.” said BitSight CTO Stephen Boyer.
The major issues for law firms was last year’s Panama Papers scandal which showed the data breach of Panamanian tax law firm Mossack Fonseca, which saw the loss of almost 12 million records, creating major embarrassment for all parties.
The Panama Papers scandal shook awake lawyers who were less than aware of the issues and they could see the need for good cyber security measures for their law firms to be implemented.
So too does the Democratic National Committee emails breach. The legal sector long has been considered an obvious and lucrative target for cybercriminals and cyber espionage, given the confidential and highly sensitive information they hold about their corporate, government, and individual clients.
Not all law firms, however, took the hint. For many, time is running out.
Key Cyber Security Steps
1. Use Fire Drills
Around 70 per cent of law firms surveyed in the recent Law Firm Cybersecurity Report by ALM Intelligence said they are under pressure from their clients to beef up internal data security, but only about half conduct regular “fire drills” for cyber security incident response.
“Many firms’ confidence in their own cyberattack preparedness seems misguided. Our research indicates that most remain surprisingly unprepared for the threat,” said Daniella Isaacson,a co-author of the ALM report.
“For example, many never test their cybersecurity protocols. This means that on the day of a breach, those firms are using an unproven response plan.”
Have a defense plan in place and undertake your fire drills to ensure that when a data breach occurs you’re not caught flat-footed. You need to ensure there are those with clear responsibility who neatly mesh between the IT department and the firm management. Make sure nothing falls between the cracks.
2. Don’t Go Phishing
When targetted emails reach your inbox you need to avoid them like the plague.
This involves training staff to avoid taking the phishing bait. The use of phising tactics via socially engineered email create the vast majority of cyber attacks.
For instance hacks of law firms like Cravath Swaine & Moore and Weil Gotshal & Manges were related to ‘spear phishing’ attacks, as was the Democratic National Committee attack.
The 2016 Verizon Data Breach Investigations Report (DBIR) showed that phishing remains a major problem, particularly from often sophisticated ‘phishers’ who may be used as part of more sophisticated and multilayered attacks and are often just the tip of the iceberg.
For example, phishing attacks are a common way that cybercriminals gain access to a system to download ransomware or steal credentials. As a possible effect of cyberfatigue discussed below the DBIR reported that the success rate for phishing actually increased over the previous year’s report.
3. Develop Staff Awareness
Developing an awareness of cyber security issues is one of the best ways to avoid issues like phishing.
For instance, develop a competition for those who can spot phishing emails the fastest, providing prizes and creating a fun element.
With regular training you can boost your compliance with the security protocols like password security and ensuring compliance with regulatory issues as well.
Training is not a the total answer to cyber security awareness by any means and it needs to be adopted in conjunction with technology (firewalls, spam filters, encryption, etc.), monitoring system activity, and other cyber security methods that can help keep your firm safe.
4. Regulatory Compliance Requirements
5. Avoid Cyber Fatigue
Crying Wolf can cause a cyber fatigue situation that leads to potential disaster.
The high intensity interest in cyber security has often means that the alerts and ongoing warnings simply leads to this “security fatigue” in the security of those using computers, as reported by the National Institute of Standards and Technology issued a warning in early October based on a study reporting findings of “security fatigue” in computer users’ online behavior in both their work and personal lives.
The warning from the NIST focused on username and password issues that are often the first area affected by fatigue and which can lead to disastrous results.
This only underscores the importance of constant vigilance, monitoring, training and testing that are so vital to cybersecurity.
Firms need to ensure they don’t fall into the fatigue syndrome and develop lax cyber security protocols or – much worse – none at all.