Law Firms Must Evolve Their Cyber Strategy to Survive
Cyber attacks have become a serious concern for all types of businesses today, but the legal sector has more to fear than most.
A law firm's business model is built on trust and confidentiality, so a breach can deal a fatal blow to its reputation: trust is hard earned but easily lost.
Although law firms understand the importance of client confidentiality perhaps better than any other industry, they are also targets for sophisticated attacks by criminals looking to infiltrate the network and reach the highly confidential client data in their care. In many instances it will be easier for a cyber-criminal to go after the law firm than the client directly.
Adequately preparing for cyber threats has proven to be a difficult challenge for many companies, and even the most secure organisations know it is a matter of when, not if, their defences will be breached. Law firms must approach this in the same way that they would advise their own clients; through robust risk assessment and mitigation strategies which not only strengthen their defences but also ensure they can recover quickly in the event of an incident.
What are the biggest cyber threats facing law firms?
Most companies that suffer a security breach are hit by attacks sent indiscriminately to tens or even hundreds of thousands of organisations. The criminals behind these untargeted attacks follow the path of least resistance, so if a company has stronger defences they will ignore it in favour of easier pickings elsewhere.
Law firms, however, are more likely to be singled out by cybercriminals because of the clients they serve and the high-value data they hold. Targeted attacks are far harder to defend against, and a tenacious criminal chasing a big payday will usually find a way into the network eventually.
One of the most common tactics used in these targeted attacks is to go after a firm’s third-party connections, such as suppliers. Even if a firm has a decent amount of security in place, it can quickly be undermined if it is connected to a third party with weaker security.
The holy grail for cybercriminals is access to a valuable client’s financial information, or other confidential material that can be sold on to other criminals or used to mount further attacks such as social engineering or blackmail. As the infamous Panama Papers leak demonstrated (the data was stolen in 2015 and published in 2016), firms may also be targeted by “hacktivism” campaigns seeking to expose suspected wrongdoing among their clients.
M&A activity is another area of business that is both attractive to cybercriminals and highly vulnerable to interference. Any level of data breach can easily scupper a deal, and I’m aware of one instance where a major M&A agreement collapsed because a third party connected to one of the two companies was breached.
While serious breaches are always costly, law firms have more to lose than most because they trade on their ability to protect their clients’ confidentiality. Mossack Fonseca, the firm at the heart of the Panama Papers scandal, closed its operations earlier in 2018, citing the reputational damage as the main reason.
What should a firm’s cyber priorities be?
We often find firms have attempted to address security issues at an individual level, buying in individual tools and widgets such as VPNs and password managers. Investing in separate solutions will only provide a false sense of security if the firm has not taken a much broader, root and branch, approach to security. In the digital age, firms must evolve to put cyber security at the heart of their operations.
The first step towards better cyber security is a thorough risk assessment of the entire firm, the data it holds and the third parties it connects with. The firm needs a clear picture of its risk profile, starting with which assets pose the biggest risk and what the impact would be if they were compromised. The assessment should also consider how attractive the firm is as a target: a small family practice has a significantly lower risk profile than a multinational firm that routinely deals with powerful and influential people.
The assessment should then identify the firm’s potential security weaknesses, covering its people, processes and technology, and those of any third-party connections. Once the level of risk has been determined, the firm must decide whether it can live with that risk or will take action to manage it.
The outcomes will depend on the specific firm and its risk profile, but may include budgeting for additional staff awareness and training, implementing new controls and processes or taking on a CISO or other security head to build a more comprehensive strategy.
Firms should aim to build ‘strength in depth’, more commonly called defence in depth: a multi-layered approach to security. It should be accepted that the outer defences will very likely be penetrated at some point, so there must be controls and processes in place to limit the damage once an attacker is inside, such as segmenting the network, restricting each user’s access to what their role requires, and monitoring for unusual activity. Relying on a hardened perimeter built around a firewall leaves the firm extremely vulnerable the moment an attacker gets past it.
With the volume and sophistication of cyber threats increasing and the legal sector sitting exposed as one of the prime targets, law firms must act swiftly to improve their security. Those firms that can evolve their approach to technology and security will continue to thrive, while those that lag behind risk going the way of Mossack Fonseca and many others.
Malcolm Taylor, Director Cyber Advisory
Malcolm is Director of Cyber Advisory at ITC Secure. He provides strategic cyber security and communications security advice to senior corporate and private clients. Prior to joining ITC, Malcolm had a distinguished career with the UK intelligence services, including tours in Iraq, Pakistan and more recently in Afghanistan leading counter terrorism cyber security teams. Malcolm is a recognised expert in cyber security, communications security and intelligence. He leads ITC’s Cyber Thought Leadership and is a regular commentator on the BBC and in the mainstream and specialist media.