by Seth Berman*
In the UK, the Solicitors Regulation Authority’s (SRA) latest Risk Outlook update has for the first time identified cybercrime as a threat to law firms. Describing such risks as “significant”, it follows earlier reports of bogus spear phishing emails, purportedly from the SRA, which could be used to gain unlawful access to computer systems. In parallel, the regulator has published Spiders in the web: The risks of online crime to legal business, which sets out specific guidance on firms’ responsibilities to safeguard their computer systems and take appropriate steps to tackle what it describes as “an emerging risk”.
The shape of cybercrime is changing. Viruses are being created and mutating too rapidly for virus detection software to keep up. Today, malware is significantly more difficult to identify and remove than the viruses and spyware of only a few years ago. Such Advanced Persistent Threats (APTs) present a particular challenge and are a very real and present danger for law firms.
The reality is many law firms are easier targets for hackers than their clients
APT attacks usually target an organisation for specific purposes and if the attackers cannot get direct access to a particular target (and sometimes even if they can) they often gain access to proprietary secrets by penetrating the target’s outside advisers and attorneys. The sad reality is that many law firms are far easier targets for hackers than the law firm’s clients themselves.
Hackers are not only good at finding and exploiting technical vulnerabilities, they also exploit human weaknesses. Using research on a few specific individuals within a firm, an attack is often launched through the use of a sophisticated spear phishing email. Once the hackers find their mark, the phishing attack allows an initial point of entry, through which the hackers deploy even more sophisticated malware. Law firms are particularly vulnerable to spear phishing attacks, as information about the lawyers that can be used to craft a plausible email, is readily available.
Facing the rise of APTs, what is a law firm to do? Firms must start by conducting a full security assessment. This must identify firms’ key assets, find potential weakness in their physical and computer security and develop a plan to reduce these vulnerabilities. This assessment is far more all-encompassing than a security checklist. Compliance with a particular security standard can be a useful starting point, but this approach creates a real danger that a firm will fall victim to security standard checklist syndrome, where the demands of the standard fail to take into account its particular set-up. The security assessment will ensure that focus of the security effort is in the right place – protecting the firm’s most valuable assets.
Firms also need to recognise that the problem of cyber security is not a problem that IT alone can solve. Good security requires not only sufficiently robust and correctly targeted IT budgets, it also requires users who are aware of the threat and their role in preventing it. Phishing attacks can only succeed if users click on the link they are sent in a rogue email and will only be quickly remediated if users recognise the damage they may have done by such actions. Despite what we all may wish, IT alone cannot prevent such attacks.
A culture change is needed, where users understand that they are as much responsible for security as the IT department itself. There needs to be better dialogue between the IT department and users – starting with educating users about not only the specifics of the IT policies, but the purposes behind them. Only if users understand why certain restrictions are in place will they avoid bypassing them and creating new attack vectors. Users also need to have a clear understanding that they are expected to report any concerns immediately and that they do not risk getting into trouble if they do so.
Law firms must also recognise that attacks are not only likely, they are all but certain. Firms must assume that, at some point, they will be subject to an APT attack and plan accordingly. This requires advanced planning. It is too late to figure out how to respond to an attack after it has happened. The longer it takes to respond to a breach, the longer the hackers have access to the system. This is a particular problem for APTs, which have typically been quietly exfiltrating data for several months before they are discovered. Firms need a response plan in place before an attack, identifying the individuals responsible for taking actions, the external vendors who will respond, and the process for making the decisions that will need to make after an attack occurs.
Experience shows that law firms remain prime targets for hacking. Poised against cyber criminals looking to infiltrate computer systems for financial, technical or political gain, firms have a duty to manage such risks. However, no single security solution can offer immunity against rapidly evolving APTs. In response, firms must take steps to understand the nature of such threats and develop an effective security framework that can withstand scrutiny of clients, regulators and partners alike.
* Seth Berman is executive managing director of Stroz Friedberg, an investigations, intelligence and risk management company. www.strozfriedberg.com