Law firms are the weakest cybersecurity link.
In opinion / By Charles Christian / 19 January 2017
A phrase currently doing the rounds is: “Data is the new oil” – as in we now live in the Digital Age where information is the currency that drives the economy. But if this is the case, then 2017 should hopefully be the year law firms realise cybersecurity is the new padlock and chain – or burglar alarm – to protect data and its surrounding infrastructure.
Websites, communications (including email and extranet portals), the Cloud, Big Data, enterprise databases, privacy, data protection, and the still nascent Internet of Things: all of these, the whole nine yards, are exposed to failure and unwelcome attention if an organisation fails to implement adequate cybersecurity measures. Yes, you can insure against cyber risk, but will the premiums adequately cover the full scope of potential losses? Besides which, an insurance claim is tantamount to closing the stable door after the horse has bolted.
Seems like a statement of not so much the bleeding edge as the bleeding obvious? Well, up to a point and I’m sure most law firms think they have already ticked all the boxes when it comes to cybersecurity. But have they really?
Or are they just addressing yesterday’s risks and haven’t woken up to the fact that today’s hackers, and the attacks they deploy, are far more complex and sophisticated than they were even five years ago? Check out most firms and you’ll find they have some form of perimeter protection firewall around their networks, along with spam filters for their email communications, as well as, hopefully but probably never tested, a disaster recovery facility. State of the art protection – for 2010.
Unfortunately law firms now need to worry about far more than just “script kiddie” and “LulzSec” hackers, who were primarily motivated by an anarchic desire to spread mayhem. Today, law firms face a two-pronged threat from state-sponsored hackers on one side and organised crime on the other. (Although the boundary between state-sponsored hackers and criminals is distinctly fluid.)
As the Snowden revelations made clear, state-sponsored hackers include not just hostile governments – Russia, China, North Korea, Iran and Syria to name a few obvious examples – but also the security agencies of “friendly” governments, particularly the NSA and GCHQ. Why? Because sometimes it is a form of hostile attack but more often it is a form of commercial intelligence gathering activity – governments like to know what is going on so they can protect their own national interests. For example, China is accused of hacking an Australian law firm in 2009 to gain access to information about merger talks in the mining industry – as a result of the hack, the merger talks were called off.
Just in case you were wondering, hackers go after law firms because they are regarded as the weakest link in the Mergers & Acquisitions scene, having poorer security than banks and corporations.
Then there are the criminals who are primarily interested in the financial rewards of hacking. This was highlighted just before the New Year when three Chinese men were charged with hacking a number of Wall Street law firms to gain access to M&A activity data and, in the process, make a $4 million profit from insider trading in less than two years.
There are also plenty of other reasons why hackers may want to attack law firms. There are reports of firms having their accounts payment data hacked so that bogus invoices for supplies can be raised with, and subsequently paid by, the firms. Law firm databases also contain the contact information and billing procedures of their clients. And, because law firm partners are typically high-net-worth individuals, records of their bank accounts, contact details, and credit cards are another set of details criminals can exploit.
An added complication is that, because we are lazy (and now have far too many passwords to manage), many people use the same login details and passwords for all their online activities. So, for example, discovering a lawyer’s login to the firm’s document management system may seem pretty harmless, but it could well be the same login needed to get into their personal bank account.
More recently, we’ve seen the rise of “ransomware” whereby hackers get behind an organisation’s firewall, encrypt files, and then demand a ransom paid in bitcoin (which is virtually untraceable) to release them. To my knowledge at least 20 law firms of all sizes in the UK alone were hit by ransomware in 2016, including one firm which one morning found its lawyers were locked out of files belonging to a major tech client, namely Microsoft.
Along with the ransom payment (assuming the hackers actually decrypt the files once the ransom is paid) there is a potential risk of reputational damage: a law firm that cannot protect its own clients’ data does not instil confidence. (There may also be regulatory and compliance issues associated with hacks.) However, another big issue that needs to be factored into any equation is the loss of billable fee-earning time.
For example, if a firm has good backups (which is why disaster recovery is so important) it should be possible to refuse to pay the ransom, sacrifice the encrypted data, and restore everything. But, all this will take time. When one Scandinavian architectural practice I know of was hit with ransomware last year, nobody in any of their offices was able to get onto the network so all 500 staff – except the IT team – were sent home and it was not until the following day that the network was back up, and it took a full week before everything was restored.
Translate that to a law firm setting: 500 fee earners, billing at an average of £250 an hour, unable to work for eight hours equates to £1 million in lost revenue.
And if this still isn’t enough to convince you that you need to take cybersecurity seriously, one final thought: the best way to limit the impact of a cyber attack is to detect it quickly so you can take immediate remedial measures. Yet industry surveys suggest breach detection times (BDT) are still substantial, with the median number of days attackers were present on a victim’s network before being discovered only dropping to 146 days in 2015 from 205 days in 2014.
Which sounds bad until you realise the BDT was 416 days in 2012, and that in some organisations breaches can go undetected for years.