The NHS breach last week has – once again – highlighted the importance of cybersecurity in large organisations. Where are law firms at right now, and what more can they do to protect themselves? The Lawyer gathered a panel of experts to discuss the issues.
- Peter Armstrong, managing director, Cyber Risk Insights
- Tom Burton, cyber security director, KPMG
- David Imison, partner, Schillings
- Andrew McManus, IT Director, Eversheds Sutherland
- Oscar O’Connor, non-exec director, Perspective Risk
- Philip Tansley, Legal Director, RPC
When we wrote about this topic in 2013, some experts felt the legal profession was behind the times on cyber-security. Has there been any progress?
Imison: Progress has certainly been made in the last four years. Prominent cyber-attacks against the likes of Mossack Fonseca have brought the issue of cyber security to the fore, and in instances where we’ve been brought in to assist law firms with their cyber security arrangements, we’re seeing a significant increase in their understanding of the threats they face.
That said, given the magnitude of cyber-attacks we’ve witnessed in recent years across all sectors and industries, there is a risk that complacency is creeping back in as people become increasingly desensitised to the issue. There is no room for complacency in the legal sector when it comes to cyber-attacks and data loss. If cyber-criminals are looking to target an individual or business, often it is their advisors who provide the easiest access. This is because they sit on a wealth of information that in many instances will be easier for a cyber-criminal to gain access to than if they targeted the client directly.
At the moment it is hard to know precisely how many law firms have been affected by cyber-attacks and data loss incidents. When mandatory reporting comes into effect in May 2018, with the new General Data Protection Regulation (GDPR), this will change things.
Burton: Awareness of the problem is far more widespread. Most of the Tier One and Tier Two firms have established permanent functions with the responsibility and the budget to counter the threats. There is some evidence of informal networks being established by security leads to share experiences, good practice and information on new threats.
However, I would characterise this as early progress in a few areas, as opposed to evidence that the risks are under control. Awareness is a good first step, but true understanding is vital and still elusive in most cases. Understanding requires the business (not just the technical staff) to recognise what the specific risks are to their enterprise, and what part leadership, governance and behaviour can play in mitigating them.
Armstrong: There is still a sense that ‘it won’t happen to us’ which in turn leads to the treatment of cybersecurity spend as a discretionary spend. This is also partly because it’s difficult for the technical community to articulate the risk in business speak, and senior partners find it difficult to reconcile spend without understanding exposure. This is made worse by the recognition by the criminal community that the legal sector is an easy and lucrative target.
What has the Mossack Fonseca leak taught law firms about security, if anything?
O’Connor: The three biggest lessons that should have been learned from this leak are that:
(a) patching operating systems and applications is a critical component of any security strategy – all of the applications that were compromised had been unpatched for long periods with long lists of known vulnerabilities;
(b) network segregation should be at the heart of your security architecture and strong barriers should be in place to prevent anyone, legitimate user or otherwise, being able to move at will into areas of the network containing sensitive data; and
(c) be aware of the wellbeing of your staff – if this was, as some have suggested, an insider leak, there will have been signs that astute and caring managers and colleagues should have noticed.
What are law firms’ weak spots – and how can they be strengthened?
O’Connor: It is hard to generalise as all firms are different. Under-appreciation of the risks leads to underinvestment in defences and, in our experience, the value of the information held by law firms to potential adversaries is underestimated. If nothing else, the publicity surrounding some of the clients of MF should have taught everyone that.
Imison: Building higher technical defences will only result in cyber-criminals building taller ladders. The basic principles of any cyber security plan require law firms not only to identify the threat they’re faced with, but to develop a plan to counter it that focuses on the weakest link: people.
Building a culture of cyber security is the best way to strengthen your cyber defences and yet, it continues to be the weak spot in many law firms. No amount of technology can put a stop to the malicious tactics being deployed by the cyber-criminal fraternity. Cyber security requires all employees to play their part when it comes to minimising risk. Those who have been put through their paces when it comes to cyber security can add incredible value to a law firm’s defence strategy, courtesy of the establishment of a Human Firewall.
Conversely, those who haven’t been trained could unknowingly expose the firm to a cyber-attack and data loss incident. You can spend hundreds of thousands of pounds putting in place technical defences, but this investment can be quickly undermined in the time it takes to drink a flat white.
Tansley: Remote working is now virtually ubiquitous. This can, however, create vulnerabilities if inadequate security precautions have been taken, however robust the firm’s main systems are. Introducing simple additional security measures like two-factor authentication, end-to-end encryption and proper firewall and external-facing server configuration can significantly help minimise the risks at a modest cost.
What about the challenges for smaller firms with smaller budgets?
Burton: With the smaller firms the challenges can often be greatest. The natural approach to these challenges is to turn to suppliers who can take on outsourced responsibility. This definitely has its place, but it needs to be planned carefully to ensure the problem is delegated, and not abrogated. When you outsource a conventional service, such as office cleaning, it is obvious when it is not meeting the required quality standards; with cyber security you need to avoid only finding out about service issues when the crisis strikes.
Armstrong: In smaller firms the size and expertise of the IT department is almost never sufficient to defend against the sophistication of the threat.
This is partly a matter of missing skills, but more because they are usually overburdened just delivering the operational IT the firm needs day-to-day, where there is simply not the bandwidth to address the cyber security domain.
Is a major breach of a law firm’s defences inevitable at some point?
Burton: I would consider a major breach of a law firm in the future as inevitable, though it may not play out in the media in the same way as the breach of a company in the consumer or financial services markets. With a law firm it is likely to be more covert, longer term and targeted; and may well not be detected until after the event. Notification may be done quietly if the affected client feels it is not in their interests to publicise the event.
Irrespective of the characteristics of the incident, the impact could be catastrophic. A law firm trades on its trust, and the truism that trust is hard earned but easily lost exists for a reason.
Armstrong: For large firms, one of the biggest threats is partners’ behaviours: the symptom of “Don’t do as I do, do as I say” or in other words, “that rule doesn’t apply to me.” This is particularly true of Dropbox use, for example.
Tansley: These incidents have already occurred but the firms involved have managed to limit the negative publicity. Other firms should regard the likelihood of a major incident as a question of “when, not if”. In the event of a major breach, it is important to have a robust incident response plan in place which has been tested, and for external resources to have been identified in advance to speed up response time.
An incident will often involve managing stakeholders, internally and externally, against a tight timetable, including IT, legal/regulatory and PR. For larger firms, this will involve careful internal planning and preparation; for smaller and mid-sized firms this can be outsourced to an extent by obtaining access to external services, either directly or via their cyber-insurers.
Clients increasingly accept that even the best managed firms can be the victim of a cyber incident. What they are less forgiving of is a poor response.
Are there any ‘quick wins’ – simple policies that firms can put in place that they may not already have?
McManus: There are simply no quick wins when it comes to any cyber and information security. Love them or hate them, there are frameworks and certifications out there that will help an organisation target improved security standards and embed the continuous improvement ethos, which is essential in the ever-changing IT field.
Imison: Start by asking yourselves the following two questions: “Are you investing in effective cyber security awareness training for your people so that they are equipped to identify the common symptoms of a cyber-attack, such as phishing?” and “Is your awareness training programme underpinned by a working culture that values confidential information?”
If you’re unable to confidently answer these two questions – it’s time to rethink your strategy and go back to basics.
McManus: Simplify management and decision making, simplify the process of getting investment approval, give security an appropriate budget, hire a good Information Security team, use external experts to challenge and test your systems and processes on a regular basis. Over time, reduce complexity by simplifying data systems and interfaces as well as business process.
Ensure that you are committed to improved information and Cyber Security and not simply demonstrating compliance. Obtaining Cyber Essentials certification is nothing to celebrate if you have not understood and committed to the principles. If your team are undoing changes and opening firewalls the day after certification then you have missed the point entirely and have a compliance driven team. Sort the ethos and redefine your security objectives and tests.
Burton: It is important to address the risks in a balanced and prioritised way. Too much of a focus in one area, for instance the procurement of the latest market-leading firewall technology, to the exclusion of staff education, governance and monitoring would rapidly arrive at a point of diminishing returns. By understanding the things important to the business, the threats that those assets are under, and the vulnerabilities that they carry, it is possible to develop a coherent plan to focus on the critical things first.
What shouldn’t be overlooked is the importance for the business to respond to and recover from an attack effectively. If the “skills and drills” to be adopted by all parties involved have been rehearsed, refined and exercised in advance, then the response will be far more effective, and the broader reputational impact easier to contain.
This response will involve a broad cross section of business functions, with participants extending up to the executive committee for the most serious incidents. All levels need practice if they are to operate effectively when it counts.
Armstrong: Some simple and effective things come cheap. Educate staff and raise their awareness so that they don’t click the link; reinforce the policies for payment release to obviate fraudulent payments from a client account; ensure that all software patches are up to date to minimise the chance of criminals exploiting a known weakness; establish and rehearse a cyber incident response plan. These are all simple but effective mechanisms that will increase the effectiveness of cyber defence.
Affordability and capability will be constraining factors but understanding what good looks like is a start to defining what is good enough for the firm.
TOOLBOX: reacting to a breach
It’s not inevitable that every law firm will suffer a breach, but if and when it does happen preparedness is key. Get your response wrong and customers, the media and other stakeholders will take a dim view. Conversely, get your response right and in time you can engender trust and enhance a business’ reputation. To achieve this, there are four key stages to managing a cyber-attack and/or data loss incident:
Detection & Containment – Detecting the source and scale of the breach is paramount. Only then can you secure your systems and start to ascertain what data has been lost, while preserving evidence (logs, disk and memory images, and a record of who handled them) for subsequent digital forensic investigations to try to unmask who was behind an external cyber-attack.
Recovery & Assessment – Understanding how the breach has affected the business is imperative, as often it will be more complicated and wide-ranging than first imagined. Only by understanding how the lost data can be exploited will you be in a position to take accountability.
Notification – The key principle for protecting reputation at this third stage is consistency. With different requirements in different jurisdictions for notifying regulators and those whose data has been lost (under the GDPR, for example, the supervisory authority must generally be notified within 72 hours of the firm becoming aware of a breach), it is vital to be consistent in your treatment of individuals irrespective of jurisdiction. There is nothing worse than a customer, whose data has been lost, finding out about it through the media before you’ve had a chance to notify them. Also bear in mind that a client may not initially grasp the implications. The sense of invasion or the anxiety that data loss can cause should never be underestimated.
Remediation & Review – If a breach was caused, even in part, by security weaknesses, then simply containing the breach and continuing ‘business as usual’ will not be acceptable. Demonstrating that there has been ‘learning’ and that improvements have been made will be a key factor, not only in the view of a client whose data has been lost, but also in the eyes of the regulator, who will need to decide whether a fine should be imposed and how much that fine should be. A considered evaluation and review will mitigate the risk of a fine and help focus any necessary improvements in a way that will be both cost-effective and appropriate.