Are law firms doing enough to avoid becoming victims of cybercrime?

Professional services have been identified as the number one target of cybercrime because they are a potential one-stop shop for client data. Anti-money laundering compliance requires law firms to obtain verified client information, and they regularly handle sensitive data relating to M&A deals and patents, as well as personal and financial information.

Hackers perceive law firms’ systems as easier to infiltrate than those of the big corporates they advise. However, the key reason law firms are focusing on cybersecurity is to protect client confidentiality, legal privilege and their position as trusted advisers.

Cybercrime ranges from spam, phishing and malware to sophisticated advanced persistent threats linked to ransomware. There are few public examples involving law firms, but times are changing. In February, Techworld reported that US law firm Goodson’s in North Carolina admitted losing all its documents to CryptoLocker – a custom-written Trojan that entered the firm’s systems via a malicious email attachment.

CryptoLocker encrypted all documents on the firm’s main server so they could not be opened. Techworld suggests that Goodson’s and other CryptoLocker victims’ willingness to speak to the press may indicate that taboos around cybercrime are diminishing.

However, most US state laws include security breach notification requirements. Alex Hamer, a partner at RPC, explains that although this is not a requirement under UK law, it will be when new EU regulations come into force in 2015. Consequently, firms are acutely aware of the cybercrime threat and are tightening policies and systems. Some have introduced senior roles with specific responsibility for information security.

‘Because of the work we handle, RPC is targeted by cybercriminals, so we have outsourced our information security,’ RPC’s IT director Julie Berry told me. ‘Our systems are monitored 24/7 and we have invested in tools to track unusual user activity.’

Cyberinsurance covers potential losses from cybercrime, including brand damage. For firms such as RPC, which has invested in comprehensive IT security, it is what Hamer describes as a ‘sleep-easy’ purchase. Hamer envisages that it will eventually become a standard business purchase.

What are firms doing to avoid becoming victims of cybercrime? Most law firm IT systems are protected by firewalls, anti-spam, anti-phishing and anti-malware software, email encryption, mobile device management and more. Security measures are driven by corporate and public sector clients that require assurances that the firms they instruct have robust data security.

At Weightmans, partner and IT director Stuart Whittle is working toward certification under ISO 27001, an information security management system standard.

More firms are deploying cloud services, so any weakness in the vendor’s system represents a potential vulnerability. Barrie Hadfield, founder and CTO of Workshare, which provides secure file-sharing and collaboration applications, advises firms to check vendors’ systems and only work with systems they know and trust. This applies equally to clients and outsourced services.

Ruth Daniels, general counsel of CPA Global, which supplies outsourced legal support services, says: ‘It is important to engage regularly with clients and suppliers to make sure their security is up to speed. Where any system integration is involved, it is critical that this doesn’t compromise your own internal levels and standards of security’.

Most successful cybercrime involves user complicity. How do you stop people clicking on dubious email links or opening attachments? The answer is a combination of technology and communication.

Email management services such as Mimecast include effective anti-spam and malware filters, but these will not work on specifically targeted zero-day attacks such as CryptoLocker. At Weightmans, encryption software disables all executable files entering the firm’s systems until they have been checked by IT. But this takes time.

Taylor Wessing’s IT director Stuart Walters is trialling Bromium software, which operates in real time, creating a hardware-isolated micro-VM on the desktop for each incoming message. ‘It treats all attachments as potential threats, without slowing down the business,’ he says.

‘Users can open attachments and work with documents as usual, but if an attachment tries to write a script or access files or other systems, it will stop it and alert the central server to a new threat.’

It is critical to instil the right culture into the firm. Walters has introduced a poster campaign to reinforce the firm’s password policy. Popular posters available online include memorable fun themes, such as ‘Passwords are like pants – change them regularly, don’t show them to other people and never share them!’.

EJ Hilbert, MD and head of cyber investigations at Kroll EMEA and former FBI agent, says variety is also important. He advises against passwords that follow a pattern – upper case, lower case and a number. Make it a phrase rather than a word – longer and harder to crack.

An effective approach is to employ a third party to identify weaknesses. Osborne Clarke’s IT director Nathan Hayes has introduced mock penetration attacks followed by targeted training delivered by companies such as PhishMe.

At Schillings, delivery director for IT security David Prince has introduced in-house penetration testing, which includes phishing ‘to identify and measure technological and sociological vulnerabilities’, and people masquerading as IT support visiting people’s offices and asking for information. However, ‘penetration testing is a snapshot of the organisation’s security posture’ and needs to be repeated at regular intervals.

He adds: ‘Law firms need to uphold their legal professional privilege by securing the business and its people.’

Protecting a firm’s reputation means having a plan encompassing damage limitation and crisis communication. Without one, the reputational impact can be far-reaching.

Joanna Goodman MBA is a freelance journalist and editor of Legal IT Today