When it comes to cybercrime, raising awareness among staff is a key priority.
The call made earlier this year by the Information Commissioner's Office (ICO) for barristers and lawyers to ensure personal information is kept secure should serve as a wake-up call for the profession. In an era where some, according to the commissioner, have yet to get to grips even with the safe handling of paper files, a much more complex threat is emerging in the guise of cybercrime.
Hackers pose a direct risk to law firms, targeting both the firms and their clients, many of whom have been forced to deal with the reputational, regulatory and financial fallout from such incidents.
If further evidence of the severity were needed, the National Crime Agency (NCA) has called on firms to review IT security, and the Solicitors Regulation Authority (SRA) has described information security and cybercrime as a ‘priority risk’, highlighting the ‘wider risk to public confidence in the legal sector’.
Indeed, the regulator has itself been impersonated in attempts by hackers to obtain valuable information, with spear-phishing emails claiming to be from the SRA sent to lawyers earlier this year.
Against this backdrop, what steps should firms take? Senior partners, risk management and IT teams should review existing preparedness and incident-response strategies. Such reviews must identify key assets and potential weaknesses in physical and computer security, with the goal of developing a plan to reduce those vulnerabilities. These assessments are far more all-encompassing than traditional IT audits.
Compliance with a particular security standard is a useful starting point, but it is not enough. Traditional IT audits alone create a real danger that the firm will fall victim to ‘security-standard checklist syndrome’, where the demands of the standard are met but the overall security posture fails to address the actual risk landscape. A comprehensive security assessment ensures that the focus of the security effort is in the right place: protecting the firm’s most valuable assets.
It is important to recognise that cybersecurity is not a problem the IT team alone can solve. Good security requires not only sufficiently robust and correctly targeted IT budgets, but users who are aware of the threat and of their role in preventing it. Phishing attacks, such as those targeting lawyers and purporting to be from the SRA, depend on a user acting on the rogue email, whether by clicking the link, opening an attachment or entering credentials on the page it leads to. Technical controls such as mail filtering reduce how many such emails arrive, but the attacks are only reliably prevented where users recognise the damage such actions can do and refuse to take them.
A culture change is needed, where partners and other users understand that they are as much responsible for security as the IT department itself. There needs to be better dialogue between the IT department and users at all levels – starting with educating users about not only the specifics of the relevant IT policies, but the reason for having these in the first place.
Only if users understand why certain restrictions have been introduced will they avoid bypassing them and creating new attack vectors. Individual users also need a clear understanding that they are expected to report any concerns immediately, including a link they have already clicked, and that they will not get into trouble for doing so. This type of behaviour is not only, or even primarily, a problem of staff at junior levels.
A recent survey suggested that the problem of careless behaviour as a potential source of a cyber-attack is far greater for those at the top of an organisation.
Attacks aimed at law firms are already happening. Firms must assume that, at some point, they will be targeted by a cyber-attack, and plan accordingly. An effective response plan has to be drawn up in advance; simply put, it is too late to work out how to respond to an attack after it has happened. The longer it takes to respond to a breach, the longer the hackers retain access to the firm’s systems.
This is a particular problem for advanced attacks, which may have been going on quietly for months before they are detected. To respond quickly, firms must put in place ahead of time a detailed response plan that identifies the individuals responsible for taking action, the external vendors who will respond, and the process for making the decisions that will need to be made once an attack occurs.
Law firms represent lucrative targets for hackers out to steal money, identities or details of clients for the purpose of industrial espionage or trade advantage. Lawyers have a duty to manage such risks and must ensure that they fully understand the changing nature of cyber threats and the need to prepare ahead of an incident.
Seth Berman is executive managing director of Stroz Friedberg, an investigations, intelligence and risk management company