Cyber security: the risks and consequences

BAE Systems’ Tom Burton sets out the position facing the world’s top firms

Like most industries, individual law firms – and the legal sector as a whole – have been keen to embrace the opportunities presented by advances in technology in order to retain a competitive edge. Companies have become ever more digitally enabled and smartphones and tablets, as well as professional networking sites such as Linked-In, are now essential accoutrements to an efficient lawyer’s life.

However, this increased connectivity has also made the industry vulnerable to digital criminality. Intelligent, well-resourced cyber criminals are deploying sophisticated techniques to evade IT defences to achieve their objectives: extortion, theft and business disruption.

Perfect protection does not exist and the most determined attackers will always find a way through or around the defences, so law firms need to take a risk based approach based on their knowledge of the threats to their business, the consequences of those threats impacting and their attitude to risk, balancing their investments accordingly.

The threats

We see four key threat categories arising within the law sector:

Internationalisation sees law firms’ core work increasingly affect the interests of nation states and large pseudo-private sector or nationalised enterprises, making them a target for some of the most resourced and advanced attackers.

Elsewhere, law firms are also feeling the pressure from clients, particularly those in the financial services sector, who are imposing onerous security requirements on law firms and other key suppliers in response to growing regulatory pressure. The problem is that each client requires different assurances and it’s difficult for law firms to meet all of their needs.

The threat of data leakage by insiders, either accidentally or deliberately, is also a concern. As firms improve their security measures it is inevitable that the risk of insider threat will increase as it becomes easier to compromise an employee than to break in from the outside. This is exacerbated by the adoption of secure mobile technologies and policies. Bring Your Own Device schemes and attacks on mobile devices are increasingly prevalent, and both present an increasing number of security challenges of their own.

Lastly, attackers are evolving their methods making the threat asymmetric in favour of the attacker as they respond to changing defences. As an example we are seeing the dominant method of gaining entry becoming the “Watering Hole” attack where a website likely to be visited by the target is compromised; this is in direct response to improvements in the users’ abilities to spot the previous weapon of choice, which was the spear-phishing email. No amount of user awareness training can prevent this form of attack, when the Watering Hole may be the target’s corporate website or that of one of their key suppliers. As an example, we have seen the website of a major London-based barristers’ chamber repeatedly being victim of such attacks in 2014 – placing visitors to the site at risk, and causing significant reputational risk to the chambers in question.

The consequences

The consequences of an attack are multiple and far-reaching: regulatory censure, reputational damage and loss of clients, as well as more direct monetary implications.  Law Firms “licence to trade” is founded on the confidence and trust that their clients have in them, and a significant breach can destroy that trust. This was evidenced in July 2012 by the attack on three US law firms (Wiley Rein, Covington & Burling and Locke Lord), who were exposed in a Bloomberg report as being the victims of an attack after a tip off by a third party.

Mitigating the risk

On a more positive note, our own research found that UK businesses are increasingly aware of the threat, with the majority polled viewing the cyber threat as a top 3 business risk. 90% of international businesses surveyed expect the number of cyber attacks to increase, and 70% possess crisis plans in response to this risk.

Our research has also found that companies are starting to understand the need to balance protective technology with rich security monitoring. This is encouraging because, if law firms fully embrace this approach, then the intelligence and situational awareness delivered by the monitoring allows them to fine tune their defences, maximising operational efficiencies and minimising the threat of a successful attack. Above all though, the first step towards appropriate security is to conduct a thorough cyber risk assessment in order to then develop a strategy that defines what that balance would be.

Information sharing and partnership initiatives such as CREST (Cyber Incident Response Initiative) are also essential as they provide vital advanced notice of how the threat is evolving over time. Law firms should take part in these initiatives where possible in order to ensure resource and expertise is shared amongst those attempting to mitigate threats.

As the number of avenues open to criminals in the hyper-connected world increases it is more essential than ever that law firms protect themselves, and therefore by extension their clients, from increasingly sophisticated cyber attacks. In the longer term it also important that the security community supports these efforts by sharing information about new threats as they emerge to try and understand how they can be detected in the future.

Tom Burton, cyber security expert, BAE Systems Applied Intelligence