Handling activities with large associated financial values, such as property sales or mergers and acquisitions, makes law firms a highly attractive target for cyber criminals. Once hacked, a law firm loses its most valuable asset: its reputation. Clients will switch firms if they merely sense a risk of their personal data being leaked. Data is money, and even power. It has to be protected at all costs.
It has been suggested that law firms are not taking cyber-security seriously enough and are not putting appropriate measures in place to avoid attack. Firewalls and antivirus systems alone may not be enough to ensure protection; clients are now sometimes asking firms to prove their cyber-security capabilities by requesting that periodic security audits and ‘ethical hacking’ exercises be carried out regularly to expose any weaknesses.
Law firms are the new target
Hackers have already breached the security systems of at least one major international law firm, turning a long-predicted cyber espionage scenario into reality. In the US, two magic circle firms were among the top 48 firms targeted for sensitive information on mergers and acquisitions, highlighting the sophistication of attackers and their increasingly bespoke approach: targeting firms in specific sectors, or following high-profile business deals.
Yet new cyber-security procedures can be difficult to implement within a firm if senior partners do not adhere to them. For example, while firms may have policies barring the use of online storage services such as DropBox, some partners continue to use them (2).
Hacking is a growing threat
In 2014, the Information Commissioner’s Office investigated 173 UK firms over incidents suspected of breaching the Data Protection Act. A total of 187 incidents were recorded: 29% related to security and 26% to the incorrect disclosure of data (5).
Victims of this rise in attacks are corporations both big and small; however, small businesses are becoming the easiest and preferred target because of the lack of security measures in place. In fact, half of last year’s cyber-attacks in the UK were directed at businesses employing fewer than 2,500 people (1). With the majority of law firms falling within this bracket, cyber-security should be taken very seriously by everyone working in a law firm.
Law firms also differ from other businesses in who holds the sensitive data. In most sectors only managers or the accounts department have access to important company information. In a law firm, by contrast, lawyers and partners, many of whom are decision makers, have access to huge amounts of highly sensitive data about their clients.
The Metropolitan Police offers a variety of guidance on how to prevent firms from being hacked. The recommendations most relevant to law firms centre on protecting access to data: enforce access control so that staff only have access to the files they need, rather than granting company-wide access to shared folders; encrypt any information stored on removable media or portable devices; and consider systems that eliminate the need for files to be stored on portable devices at all, so that the firm controls how and where data is stored.
In addition, firms should ensure that any device connected to organisational systems, including those used for remote working, is vetted for security. Data transmission within and beyond the firm should be secured at both ends, and the access rights of staff who have left the firm should be revoked immediately. It is also important to conduct background checks on applicants, especially those who will have access to highly sensitive data, and to think about how employees could use or export data. Are you making it too easy to download all of your client information onto a hard drive? Are you providing adequate controls for employees who record client information on their own devices, such as tablets and mobiles?
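Two of the recommendations above, least-privilege access to shared folders and prompt revocation of leavers' accounts, are easy to state and easy to let slip. The following is an added example, not code from the article or the Metropolitan Police guidance, of the kind of periodic check an IT manager can run to catch both failure modes. The account list, leaver dates and share permissions are constructed sample data; in a real firm they would come from the directory service, the HR system and the file server respectively, and the group names are assumptions.

```python
"""Audit checks for two of the recommendations above (added example, not from the
original article). All data below is constructed for illustration."""
from datetime import date

# Constructed directory export: username -> account state and group membership.
ACCOUNTS = {
    "asmith": {"enabled": True,  "groups": ["staff", "matter-1234"]},
    "bjones": {"enabled": True,  "groups": ["staff", "finance"]},
    "cpatel": {"enabled": True,  "groups": ["staff"]},   # left the firm, never disabled
    "dlee":   {"enabled": False, "groups": ["staff"]},   # left the firm, correctly disabled
}

# Constructed HR leaver list: username -> last working day (ISO date).
LEAVERS = {"cpatel": "2015-03-02", "dlee": "2015-01-20"}

# Constructed file-server export: share -> groups granted read access.
SHARES = {
    "fs1/matters/1234": ["matter-1234", "partners"],
    "fs1/clients":      ["staff"],       # every member of staff can read all client files
    "fs1/hr":           ["Everyone"],    # no restriction at all
}

# Groups that amount to "company-wide" access. Assumed names; adjust to your directory.
BROAD_GROUPS = {"staff", "Everyone", "Authenticated Users", "Domain Users"}
ANONYMOUS_GROUPS = {"Everyone", "Authenticated Users"}


def stale_leaver_accounts(accounts, leavers, today):
    """Leavers whose accounts are still enabled -> days since their last working day."""
    today = date.fromisoformat(today)
    return {
        user: (today - date.fromisoformat(left)).days
        for user, left in leavers.items()
        if user in accounts and accounts[user]["enabled"]
    }


def overexposed_shares(shares, broad_groups=BROAD_GROUPS):
    """Shares readable by a company-wide group -> the offending groups."""
    return {
        share: sorted(set(groups) & broad_groups)
        for share, groups in shares.items()
        if set(groups) & broad_groups
    }


def users_with_access(share, accounts, shares):
    """Enabled users who can read a share, resolving group membership.

    A share open to Everyone/Authenticated Users is readable by every enabled account.
    """
    granted = set(shares[share])
    if granted & ANONYMOUS_GROUPS:
        return sorted(u for u, a in accounts.items() if a["enabled"])
    return sorted(
        u for u, a in accounts.items()
        if a["enabled"] and granted & set(a["groups"])
    )


if __name__ == "__main__":
    print("Leavers still enabled:", stale_leaver_accounts(ACCOUNTS, LEAVERS, "2015-03-10"))
    print("Over-exposed shares:", overexposed_shares(SHARES))
    for share in SHARES:
        print(share, "->", users_with_access(share, ACCOUNTS, SHARES))
```

The share check flags the "grant the whole firm read access to the shared folder" pattern the guidance warns against; the per-share resolution is useful when a client asks exactly who can see their files. The leaver check is deliberately driven by the HR list rather than the directory, so an account that HR knows has left but IT was never told about still surfaces.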
PricewaterhouseCoopers also recommends other specific measures. Firstly, some clients will have specific requirements around how their data is managed by the law firm. IT directors at law firms need to be mindful of how these requirements are adhered to over the long term so that standards remain high.
Secondly, a global law firm needs to satisfy its global clients wherever they operate. Sharing information securely across a global network is therefore critical, as is ensuring that the data protection rules of each region are adhered to.
Finally, understanding what data you have, and where it is located, is key. With so many easily accessible cloud storage tools and USB products available, it can be a huge task even to work out where information is stored. Which applications hold which data, who has used a USB stick to handle client data in the past year, and is anyone using DropBox or personal Microsoft and Google accounts to share information or send files?
Beyond these recommendations, firms should also consider ethical hacking exercises, carried out from the inside to find a firm’s weaknesses before a real attacker does. One firm already doing this is the London media specialist practice Schillings, which has recently rebranded itself as a risk consulting and technology security practice and is even promoting penetration testing and ethical hacking services to other law firms to test their systems for vulnerabilities (1).
C24 is holding a specialist cyber-security and social engineering course that is nationally accredited and delivered by UK specialists who train police forces in cyber security. Each place normally costs upwards of £300 ex VAT per delegate, but C24 is offering ten IT Managers, Directors or CIOs the opportunity to attend the accredited half-day course for free.
Register your interest here.