Cyber security: Lawyers are the weakest link
28 October 2013 | By Jonathan Ames
28 October 2013
27 January 2014
31 October 2013
28 May 2013
28 October 2013
With threats ranging from hacktivists to Chinese spies, it’s time for law firms to get their data security act together
In space, no one can hear you scream, but cyberspace will soon be alive with the shrieks of lawyer pain as client confidentiality disappears out a gapingly wide-open digital window.
Law firms are in the front line of cyber security threats, with hackers increasingly targeting the legal profession for the goldmine of sensitive and confidential client data firms hold. And that threat is becoming so prevalent that cyber specialist practitioners envisage a time soon when bank and corporate general counsel – as well as those in charge of family offices – will insist on law firm security audits as part of routine panel reviews.
Hack to front
This is not the stuff of science fiction or scaremongering, according to the experts. One cyber security specialist relates that a top 10 City firm chief information officer is convinced of the inevitability of a prominent legal practice going down in flames as a result of a cyber attack breaching client confidentiality and rendering the practice’s wider reputation and market position untenable.
Some suggest the financial services sector is starting to see law firms as the ‘soft underbelly’ in the cyber security battle. While they themselves have recognised the threat, upgraded systems and implemented state-of-the-art layers of defence, their lawyers, argue some senior bankers, are a weak link. Firms holding vast quantities of confidential information regarding financial services sector clients are a target for hackers because they are behind the cyber security curve.
But while not complacent about the threat, some specialist lawyers are cynical, sensing a whiff of hyperbole behind the jargon.
“The technology industry has a fantastic ability to create new terminology for old concepts,” comments one City firm data privacy specialist. “You could argue that cyber security is just another aspect of general data protection, and privacy and information management.”
Quips another: “Everybody talks about cyber security because it’s a sexy phrase.”
IT – pluses and minuses
Nonetheless, the security gurus stand by their language.
“I recognise the suggestion that some see the term cyber security as a bit of a marketing fad,” responds BAE Systems Detica business director Tom Burton. “I’m sure that in the early part of the 20th century people said air travel was a bit of a fad.”
Burton goes on to acknowledge that at one level cyber security is an extension of general information security, but he points out that the difference comes “due to the interconnectedness of businesses that has come about because of advances in technology. That means a far more complex and multi-dimensional problem to solve”.
Fifteen or 20 years ago a business could get away with erecting a basic firewall around its networks and ensuring servers were updated on a reasonably regular basis. Today, that would not even count as security as the complexity and multiplicity of routes available to attackers – combined with the rewards on offer for successful attacks – make data and information security a far more complex procedure.
“Cyber security is no longer a task that can be delegated to a couple of people in the back-office,” advises Burton. “It’s a board-level corporate risk that needs to be treated in the same way as physical security.”
The numbers – at least those quoted by the technology risk specialists – should be enough to get boardroom executives sitting ramrod straight.
According to Ed Butler, executive director at the Salamanca Group, which has been researching cyberspace risk issues, in the past 18 months there has been a 40 per cent rise in cyber attacks on UK businesses. In 2012 those attacks cost the economy some £28bn.
Globally, the numbers are even more eye-watering. Researchers claim there were 2.7 million attacks a week on the oil and gas sector alone. And, according to Butler, a multinational US bank claims it fends off around a million attacks every day around the world.
That figure sounds so astounding as to be almost incomprehensible. The majority of those attacks are automated and easily batted away by the bank’s modernised firewalls. Another high proportion are simply opportunist attacks that again are relatively easily defended against. However, enough are sophisticated and targeted to cause concern.
Comments Butler: “There is a scale of magnitude that people are just waking up to.”
They’re out to get you
There has also been a misconception in business that hackers are exclusively targeting global behemoths – worldwide financial institutions, energy and pharmaceutical companies. Research exposes that as wishful thinking.
Butler says half of last year’s cyber attacks in the UK were directed at businesses employing fewer than 2,500 people.
“The reality is that if you are smaller you are more vulnerable,” he says, “because the bad guys will think you haven’t got the protection kit in place. They reckon the bigger, companies have all that kit, and by and large they do.”
Just who are the bad guys? Broadly, there are three types of attacker. The first are traditional criminals who are simply using modern methods for financial gain. They aim to secure data that will allow them to steal funds or divert payments by manipulating account information.
Second comes state-sponsored espionage. Lawyers and cyber security specialists point the finger at Russia and China in this category, with allegations that the authorities in those jurisdictions not only sanction the hacking of Western businesses, but conduct the hacking themselves. City lawyers maintain there are several units operating in China and Russia that focus on gathering confidential, price-sensitive information and the business plans of Western corporations with local competitors.
“They want to understand where and how products are being developed,” explains one City lawyer. “For example, where oil reserves might be exploited.”
Burton says: “There is strong evidence to suggest that Russia and China are heavily involved in state-sponsored hacking. But actually there’s also evidence suggesting that there aren’t many developed nations that don’t get involved in some way in cyberspace. Last year, the most prevalent espionage and information theft attacks had the hallmarks of groups believed to originate in China. But it would be wrong to suggest that China is the only region involved.”
The ‘Red October’ attack unearthed at the beginning of this year is widely believed to have originated in Russia, although it was not necessarily state-sponsored. Cyber security experts maintain that an interesting phenomenon emerged when that attack was reverse-engineered and moved to a Russian time zone.
“You could see that all the activity – whether compiling the malware or standing up infrastructure – happened from Monday to Friday, never on a Saturday or Sunday; and all between 8am and 5pm, Russian time,” reveals Burton. “There would be a spike in activity around 10am – people would get into work, get things set up and hit ‘compile’ at around 10.30am, in time to go off and have a cup of coffee.
“That indicates that this is an awful lot of people’s full-time job – they’re doing it as a career. There’s clearly a large amount of investment in people and technology. That means there must be big rewards to be achieved.”
So concerned about hacking are Western energy and natural minerals businesses that when their staff travel to high-risk jurisdictions they leave their laptops and equipment behind and simply buy new gear at the destination airport. That kit is used during their time away in, say, Russia and, before leaving, they download the information that they want to retain onto memory sticks, wipe the hard drives and leave the laptops at the airport on departure.
The third category of attacker are the ‘hacktivists’ – politically or ideologically motivated hackers aiming to embarrass or damage corporate reputations, or reveal information they consider to be in the public interest. Hacktivists may simply attempt to knock over a business’s system or go further by engineering denial of service attacks so the target is unable to function effectively.
Banks are prime targets for all three types of hackers, which is why Jane Jenkins, a partner and the co-head of the cyber security team at Freshfields Bruckhaus Deringer, says it is not surprising that financial services clients “are most alive to these issues”.
According to Jenkins the banking sector is “taking the most sophisticated precautions” and the Bank of England wants all institutions to have board-level plans for securing continuity and the resilience of systems.
“There’s a concern that swift payment systems and the mechanisms needed to allow our banking, financial services and trading operations to continue may be vulnerable to attack,” says Jenkins.
While banks are tuning into cyber security, some corporations, adds Jenkins, are “struggling to understand how these risks apply to their own businesses and get a sense of where their vulnerabilities are, and what their economic exposure is”.
She points to PwC research released earlier this month revealing that more than half of the finance directors at the UK’s top companies say they do not have enough information to stave off cyber attacks effectively. Despite the fact that 58 per cent of the companies surveyed indicated that they faced “substantial or critical” cyber security risks, 53 per cent of the chief financial officers or financial controllers said they had “very little or insufficient data to manage cyber risk well”. And only 12 per cent of respondents had in place a “formal process for assessing technology-related risks to their company, such as hacking”.
Those responses, comments Jenkins, suggest that “all businesses should do a risk evaluation to decide what measures are needed and the amount of investment required”.
All good advice for clients, but what about law firms? Are they taking their cyber security medicine?
Ashley Hurst, an internet-related dispute partner at Olswang, says the biggest risk for the legal profession is modern working practices.
“Mobiles, memory sticks, laptops, working from home, bring your own device and the increasing use of social media – there are more and more avenues for confidential personal data to be disclosed outside organisations or left somewhere,” insists Hurst.
And major clients are becoming increasingly itchy about law firm exposure.
“Clients and industry are concerned to know that law firms are putting security measures in place,” says Jenkins. “Some see law firms as presenting the soft underbelly, while they themselves have put in place appropriate protection. Law firms hold a vast amount of confidential, price-sensitive information – information that wouldn’t even be shared with competitors through a Competition Commission investigation.”
Banks are at the forefront of demanding rigorous audits of law firm systems.
“This is undoubtedly going to be one of the criteria they will measure suppliers against in panel reviews or in the selection of law firms generally,” says Jenkins. “If firms can’t show they’re taking the issue seriously they will have a real business risk.”
Mark Watts, a technology specialist partner at Bristows, agrees.
“Law firms are being asked about cyber and information security much more often,” he confirms. “Clients have asked us to fill in various security audits, pointing out that as we’re handling their information, their overall security as an organisation depends to a large extent on ours.”
Bristows has not yet had a client send in a crack team of security experts to perform a ‘penetration’ exercise, but Watts envisages that it could happen.
“Whether the client makes a site visit depends on whether the firm is in a high-risk category,” Watts says. “A lot of organisations instruct too many law firms to be able to visit them all, and there will be some that are not handling sensitive information. But for those that are, it’s possible to get a physical audit request.”
One firm attempting to ride the wave of concern about cyber security is London media specialist practice Schillings. Having built a reputation as the bête noire of Fleet Street for its attack-dog approach to alleged defamation on behalf of celebrity clients, the firm has bagged an alternative business structure licence and rebranded itself as a risk consulting and technology security practice. Indeed, it is promoting itself to law firms and businesses alike for ‘penetration’ or ‘ethical hacking’ exercises – drills that expose weaknesses in the target’s defences to cyber attack.
“Law firms are behind the times when it comes to cyber security and, indeed, technology,” argues senior partner Keith Schilling bluntly. “However, with the ever-increasing awareness of cyber security, the devastating reputational harm to a business caused by data loss and the significant regulatory drivers mandating adequate data protection, law firms are beginning to improve their defences.”
Schilling maintains there is a checklist of defences firms can implement, starting with understanding what IT security really means for professional service firms.
“Building a technical defence strategy is, of course, critical for protecting information,” says Schilling, “but understanding what needs protecting requires a little more thought and business leadership. Often overlooked is the stark fact that human weaknesses can be a cause of greater vulnerability than the IT system itself, so training and awareness are key.”
According to Schilling and technology security gurus, ethical hacking is a valuable and effective method of evaluating risk.
“Law firms should exploit this commodity to better understand where their security weaknesses exist, technologically and sociologically,” argues Schilling. “A small, seemingly inconsequential vulnerability in your website could rapidly escalate into a reputational crisis.”
However, there is effective unanimity among cyber security specialists that it is almost impossible for a law firm or any other business to implement perfect, impervious defences. In other words, hackers can be so clever that the most determined are bound to break into any system.
What should firms do if they find their defences have been breached? Somewhat surprisingly, the experts recommend not whipping up the drawbridge immediately. Often, a cyber intruder will have been in the system for months or even a year before being discovered.
“That situation,” advises Burton, “requires a strategic plan to react. Instinctively, a firm will want to take immediate action. But often that’s the wrong move because these attackers will often have more than one mechanism in their victims’ networks. If you take action that the attacker can spot – for example, if you find he has compromised one of your computers and you immediately take that machine off the network – you will alert him that you’re onto him. He will then accelerate his activities before you can take action to stop him completely.”
It is also crucial that firms implement constant monitoring of systems to identify attacks, along with up-to-date incident response plans so when an alert is sounded the firm has staff in place who know what to do and have the authority to do it.
Specialists flag up that hacking techniques – most of which involve injecting a Trojan Horse into a victim’s network – have evolved over the past year or so. Historically, ‘spear phishing’ was the method of choice – and it is still popular. The technique involves a hacker nosing around the social life of a senior business executive or law firm partner via online networks such as LinkedIn and Facebook.
Hackers will look for information about tennis or golf clubs, for example. As one security expert points out, “people often post some social information even on LinkedIn in a bid to make themselves appear more human”.
The hacker then constructs a plausible email purporting to come from that golf or tennis club, which has an attachment. When opened, that attachment will install a piece of malicious software.
But people and businesses have gradually got wise to this, and the latest generation of firewalls are designed to spot malicious payloads in emails. That beefed-up defence has spawned an increase in more sophisticated ‘watering hole’ or ‘drive-by’ attacks. With these, hackers assess what websites a specific victim accesses and then partially compromise that site so when the target individual browses an infection is injected from a trusted and authoritative site.
Amazingly, hackers have been able to devise methods that result in only one person being infected.
“That’s the clever thing,” says Burton. “Every piece of malware is crafted. The hackers don’t want mass-infection because anti-virus manufacturers would pick it up.”
Burton points to a recent incident in which a legal affairs news website (not www.thelawyer.com) was compromised, with a specific top-10 law firm targeted. Another example in the past month involved the compromising of the website of a specific barristers’ chambers.
“We haven’t been able to determine whether that was aimed at a particular firm or at law firms generally,” says Burton, “but it indicates how these attacks – which are hard to defend against – are on the increase in the legal profession.”
So, are law firms as soft an underbelly as some clients fear? Kenneth Mullen, IP and technology specialist partner at Withers, maintains that top corporate and private client practices are taking the problem seriously and implementing taught procedures.
“Leading firms are very much aware of the issues,” he says, “especially private client firms acting for high-net-worth individuals who are sensitive not only about how well-protected their information is, but also where it is located.
“It would not be advisable to hold your data in a jurisdiction where you may be vulnerable to being forced to disclose it to a regulator or to investigation by an unfriendly government.”
On that point, Mullen cites increasing concern over cloud computing – the irony being that the information is not stored in a jurisdiction-free zone in the sky, but rather in large banks of servers very much on terra firma, often in unspecified jurisdictions.
“Any information that may be subject to investigation by tax authorities should probably not go into the cloud,” advises Mullen. “You could be putting information that may be protected in one jurisdiction into a jurisdiction where it isn’t.”
And what if, despite all best efforts, hackers manage to breach a law firm’s cyber security? Is there any way of placating clients?
“When the inevitable security-breach strikes nothing appeases clients more than immediate communication of the facts and complete transparency,” advises Schilling. “Those who are prepared can limit the damage to reputation and financial penalties by demonstrating their diligence and providing an
accurate picture of the facts.
Cyber security is the term of the moment but other more mundane security risks can be just as threatening to law firms.
“A lot of vulnerability is down to the people in a business or firm,” explains Ed Butler of risk specialist the Salamanca Group. “Do you have a clear desk policy? Who polices it? Who monitors visitors that come in and out of the business premises? How easy is it for someone to wander in, have a look round, go to the staff canteen and listen to chat or see what’s on screens and desks? Ultimately, how difficult is it to pinch something?”
Penetration exercises use old-fashioned gumshoe techniques to gauge a business’s vulnerability to human frailty. Consultants observe a business from the outside, loitering with smokers on the pavement, earwigging in local coffee shops or in the pub opposite.
Explains one specialist: “We’ll find out what deals you’re doing, what the excitement is.”
Back online, social media has become an information sieve for firms and clients.
Looming on Europe’s legislative horizon is the Network and Information Security Directive, which controversially will force certain businesses to report cyber attacks to the authorities. Ostensibly, the proposed law is designed to cover areas of critical national infrastructure such as telecoms and financial services.
But lawyers point out that Brussels has extended that umbrella to include transport and health among others. The British Government doesn’t like it, supporting industry claims that it will be little more than a boon for EU red tape merchants and have a deleterious commercial impact.
“If there’s a breach of your cyber security,” says Heyrick Bond Gunning, managing director of Salamanca Group, “ the directive demands that you inform the European Commission. From a reputation point of view it would be a disaster. There’s also the possibility of a fine of up to 2 per cent of global turnover. As we saw with the UK Bribery Act and the US Foreign Corrupt Practices Act, there will be a lot of clients and law firms wondering how they are going to get their heads round this.”
But they may not have to. Doubts hang over whether the directive will be passed before next spring’s European elections. If it is not, it is anyone’s guess where the legislation could go with new MEPs in place.
Bristows partner Mark Watts describes the general regulatory response to cyber crime as “multi-faceted” – so much so that even the EU Home Affairs Directorate says the jigsaw of protection is so complicated few can understand it.
The European Convention on Cyber Crime has 40-plus signatories and, because it is a Council of Europe measure, countries such as the US, South Africa and Japan are on board. The problem, points out Watts, is that Russia and China are not.
If a law firm suffers a cyber security attack and confidentiality is breached, the senior partner is going to have some uncomfortable phone calls with clients. But that discomfort could rapidly evolve into another call to professional indemnity insurers if a client sues.
But, as Bristows partner Mark Watts points out, for a suit to be successful for the loss of crown jewels data, the client would have show negligence.
“There is an acceptance in the tech industry that no system is perfect,” he says. “So the fact that you might get hacked doesn’t mean you’ve got poor security. It may do but a hack is not synonymous. If it’s a hack that would overcome Fort Knox you’re unlikely to be negligent. The client will be pretty grumpy but unlikely to be able to sue successfully.”
Watts points out that portable media is highly vulnerable.
“If you’re carrying confidential information, you’ve got to encrypt it. It’s a bit of a mantra.”
Clients themselves are also open to negligence suits. Freshfields Bruckhaus Deringer partner Jane Jenkins points to the example of loyalty cards in the retail sector.
“The business will hold personal details on their systems – names, addresses, bank account information, credit card information – and all that could
Jenkins also flags up issues around cloud computing.
“Providers are not willing to accept liability in relation to these risks. The small print in outsourcing agreements can show the host of your data is not offering protection. That’s unlikely to be challengeable after the event as it’s a matter of contract.”
Linked to that, Freshfields is advising clients to insist on audit rights of supply chain systems.
Says Jenkins: “If you’re entering a joint venture or buying a company and have a technical services agreement in place involving sharing of systems, have you thought what you’re letting yourself in for? Have back doors been left open that will expose you to greater risk?”
“They simply don’t want to agree to certain types of activity being illegal,” he says. “There’s a problem persuading their authorities that hacking is not a legitimate means of competing. As long as they think it’s fair game, they won’t sign anything.”
“If we want to find out about someone we go through social media,” says Butler. “Most people have some sort of profile and it’s easy to get onto someone’s site with scams. Even on the public record you can get a lot of information to put a jigsaw puzzle together.”