The boss of US retailer Target has stepped down after a data breach affected millions of customers. Could law firms be next in the firing line?
Cyber security is about stopping people from breaking into things. Like a virtual world of cops and robbers, the aim of the game is to convince the curious burglar that if they want the 32” screen TV, they’ll have to fight a loud dog and a home security system first.
“It’s the same with hackers,” Hogan Lovells’ technology and outsourcing partner Mark Taylor explains. “There’s no such thing as absolute security, it just has to be harder for hackers to get in, compared to what they can get once they are inside.”
Bruce Schneider, chief technology officer of Co3 Systems, agrees with this theory in his essay The Psychology of Security.
“Security is a trade-off,” he writes. “We make those trade-offs on a daily basis. We make them when we decide to lock our doors in the morning, when we choose our driving route and when we decide whether we’re going to pay for something with a cheque, credit card, or cash.”
But things are not so simple when perched on a goldmine of confidential client data.
“Law firms are still seen as a weak link,” says Taylor, explaining that they can be viewed as behind the cyber security curve, despite holding huge quantities of confidential information. “Ten years ago individuals might have been out for information for personal gain, but now there’s a sophisticated level of organised crime.”
The new type of bad guy is the corporate crook, the besuited gangster aiming to get the upper hand on the next big bid.
“Increasingly, there’s a risk that corporates – and people used in corporate transactions – are being tempted to use cyber espionage to try to understand the other side,” Taylor continues. “For example, in a competitive M&A transaction where there are multiple bidders, they may want to know what those competing bidders are doing.”
Other categories of attack include so-called ‘hacktivists’ – politically or ideologically motivated hackers aiming to embarrass or damage corporate reputations – and state-sponsored espionage.
“That has been a growing risk in the past few years,” says Taylor of the latter. “However, it’s often hard to demonstrate state involvement as most attacks are undertaken by an apparently separate group which is, in fact, supported by the state. Indeed, the risk of espionage issues in relation to M&A tends to be higher in transactions involving state-owned or supported corporates.”
That explains why a law firm could be the apple of a hacker’s eye, just as likely a target as a global financial institution.
“Law firms need to change their mindset around cyber security,” warns Taylor Wessing IT partner Vin Bange. “The sheer volume of sensitive client data they hold inevitably means they are at high risk of being targeted by data thieves. They need to be more sophisticated about how they protect their data, and this requires much more than just another staff policy.”
But it is not just the legal profession paying lip service to the subject. According to a recent survey by BT, just 17 per cent of UK business leaders see cyber security as a high priority, with less than half of directors – 37 per cent – given IT security training. In the US these figures rise to 41 per cent and 86 per cent respectively.
In the year ahead, more than half the global IT decision-makers questioned believe hacktivism (54 per cent) and malicious insider threats (53 per cent) will pose a greater risk (see table below).
“The massive expansion of employee-owned devices, cloud computing and extranets, has multiplied the risk of abuse and attack, leaving organisations exposed to a myriad of internal and external threats – malicious and accidental,” stated BT Security CEO Mark Hughes. “The risks to business are moving too fast for a purely reactive security approach to be successful. Nor should cyber security be seen as an issue for the IT department alone.”
Don’t become IT consultants
Baker & McKenzie’s head of technology Harry Small warns that lawyers should not try to be all things to all people.
“We, as lawyers, need to be careful not to become IT consultants,” he says. “The last person you want to speak to when your computer breaks is your lawyer. The same is true for security breaches. Let’s not pretend to be what we’re not.”
So the message is to pull in the experts and not to scrimp on the kit – easier to afford for the global behemoths. According to Ed Butler, executive director at the Salamanca Group, half of last year’s cyber attacks in the UK were directed at businesses employing fewer than 2,500 people.
“As cost pressures increase, especially on smaller legal aid firms, the temptation to use cheaper means of securing data needs to be resisted,” Small warns.
But cyber security is not all about hacktivists and Chinese spies. The rapid rise in mobile technology and the ‘bring your own device’ culture is bringing new threats to the table. According to a cyber security report by Hewlett-Packard (HP), mobile phone vulnerability rose by 68 per cent between 2011 and 2012, with 48 per cent of the mobile applications tested by HP found to be vulnerable to unauthorised access.
“It’s a mix of personal and business – on my iPhone and my iPad I can get my work emails and work information,” Small continues. “So there are now issues with losing sensitive data, but also new employment issues. You’re asking employees to adopt certain types of behaviour outside the office, such as not using WiFi in a public place.”
Indeed, trying to offer clients a 24/7 service can backfire if proper security checks are not in place. A report published in April 2013 by the Insurance Information Institute found that employee negligence was responsible for 39 per cent of data breaches compared with malicious or criminal attacks, which account for 37 per cent.
Audits in panel reviews
The sheer range of security risks means a rising number of general counsel are now insisting on law firm security audits as part of routine panel reviews. According to Lloyd’s Risk Index 2013, cyber security is now the third-biggest concern among worldwide business leaders.
“General counsel are now asking what the level of threat is, what measures an organisation has in place and where the firm has outsourced to,” observes one insider. “When security goes wrong it can go badly wrong.”
Businesses outside the legal sector offer plenty of examples. One of the latest casualties of cyber crime is US retailer Target, whose CEO Gregg Steinhafel resigned earlier this month following a data breach that affected millions of customers.
“Establishing a clear path forward for Target following the data breach has been my top priority,” Steinhafel said in April, a month before he resigned.
Indeed, the damage to a business’s reputation – often seen as a company’s most valuable asset – can be severe. According to the Lloyd’s Risk Index 2013, cyber security started being taken more seriously after some major data breaches in 2012. It lists “the takedown of the Interpol, CIA and Boeing websites, the suspension of alternative currency Bitcoin’s trading floor, the mass theft of passwords from professional networking site LinkedIn, the outage of the websites of six major US banks” and many more.
Quite literally, law firms do not want to be the next Target.
“A desire to have everything available 24/7 from anywhere simply because a client might ask for it will come under scrutiny if the corresponding cyber security risks can’t be managed,” says Bange.
But none of this means that law firms are notably less diligent than other businesses, specialist partners insist.
“I don’t think law firms are any less diligent than other businesses – the issue is that they are a focus point,” says Osborne Clarke’s head of European privacy and data James Mullock. “People realise there is confidential information that might be of interest and could cause embarrassment.”