- Roy Russell, CEO, Ascertus Limited
Six industry experts presented at our Cyber Threat Landscape for Law Firms seminar last week, with all broadly agreeing on the key cyber security issues facing law firms and the measures they must take to mitigate the impact on their organisations. The highlights are as follows:
Several threat actor categories are targeting law firms including Nation State, Organised Crime Gangs (OCGs), Hacktivists and Insiders – each motivated slightly differently. For example, Nation States want to gather intelligence on mergers and takeovers, pinch intellectual property or gain intelligence that offers them a favourable position in trade negotiations. OCGs see great scope in monetising data from law firms – be it by selling insider intelligence to rogue traders or stealing money. Furthermore, different threat actors operate differently in different sectors. As firms develop their cyber defences, it’s wise to incorporate future requirements, looking at the business and threat scenario three to five years ahead.
Ransomware holds the number two spot for malware popularity among criminals. It’s easily delivered via email, the most ubiquitous application in business today, and isn’t too complex to put together. For the same reason, phishing attacks are increasing too. A friendly, legitimate-looking email from the boss explaining via an attached spreadsheet why the individual wasn’t given the desired salary raise is all it takes to infect the employee’s PC. Similarly, criminals are able to easily breach people’s PCs and the wider organisational infrastructure, such as network shares, via attachments such as PDFs, which end-users perceive as ‘being safe’ to send and receive.
‘Herd alertness’ is critical organisation-wide to ensure security. It’s imperative that firms develop cyber-resilience via a combined approach to prevention, continuity and recovery.
A vast number of hackers are social engineers, exploiting the vulnerabilities of people and the culture of organisations to breach them for financial gain. Social engineering isn’t rocket science: it requires little technical knowledge, but a great deal of patience, people skills and good research. A disgruntled employee could easily be exploited (unbeknown to the individual) by a hacker to gain information that helps breach the organisation, physically or online.
A major blind spot that hackers often manipulate is people’s view that they aren’t important in the firm and hence not a hacker target. A hacker could potentially take advantage of a pre-occupied receptionist to gain important information on the physical security procedures of the organisation to then exploit. Firms must ‘know’ their employees, but also ‘grow’ their own social engineers, educating them in the ways and the mindset of hackers so that they can spot potential breaches.
Behavioural analytics can help firms ‘know’ their employees. Data is a law firm’s crown jewels, and how and when it is accessed can serve as strong indicators of security. With behavioural analytics, every employee has a ‘fingerprint’, and deviations from it can be a tell-tale sign of a potential breach. For instance, a hacker using a litigation lawyer’s ID to access sensitive M&A files on a matter would be instantly flagged up to the IT department as an anomaly, for appropriate action to be taken.
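To make the ‘fingerprint’ idea concrete, here is a small added example (not code from the seminar or any of the presenting vendors) that builds a per-user profile from a constructed document-access log and flags the litigation-lawyer-reads-M&A-files case described above. The event layout, the user names and the two-hour slack around working hours are assumptions for the illustration.

```python
"""Toy behavioural-analytics check for document access (added example).

Assumptions: an access event is (user, practice_group, matter_type, hour);
a user's 'fingerprint' is the set of matter types and the hour window
seen during a training period. Names and events below are constructed.
"""
from collections import defaultdict

# Constructed training log: what each user normally touches, and when.
HISTORY = [
    ("alice", "litigation", "litigation", 9),
    ("alice", "litigation", "litigation", 14),
    ("alice", "litigation", "litigation", 17),
    ("bob", "corporate", "m_and_a", 10),
    ("bob", "corporate", "m_and_a", 15),
]

def build_profiles(events):
    """Derive each user's fingerprint: matter types seen and hours seen."""
    profiles = defaultdict(lambda: {"matters": set(), "hours": set()})
    for user, _group, matter, hour in events:
        profiles[user]["matters"].add(matter)
        profiles[user]["hours"].add(hour)
    return profiles

def score_event(profiles, event, slack=2):
    """Return the anomaly reasons for one event (empty list means normal)."""
    user, _group, matter, hour = event
    profile = profiles.get(user)
    if profile is None:
        return ["unknown user"]
    reasons = []
    if matter not in profile["matters"]:
        reasons.append(f"matter type {matter!r} outside {user}'s fingerprint")
    lo, hi = min(profile["hours"]) - slack, max(profile["hours"]) + slack
    if not lo <= hour <= hi:
        reasons.append(f"hour {hour} outside usual window {lo}-{hi}")
    return reasons

def flag_anomalies(events, profiles=None):
    """Score every event; return only those with at least one reason."""
    profiles = profiles or build_profiles(HISTORY)
    return [(e, r) for e in events if (r := score_event(profiles, e))]

if __name__ == "__main__":
    new_events = [
        ("alice", "litigation", "litigation", 11),  # normal for alice
        ("alice", "litigation", "m_and_a", 23),     # stolen ID, M&A files, late night
    ]
    for event, reasons in flag_anomalies(new_events):
        print(event, "->", "; ".join(reasons))
```

In practice the profile would be learned from weeks of document-management-system audit logs rather than five hand-written rows, and the flagged events would be routed to the IT or security team for review rather than printed.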
There are three principles of information security: confidentiality, integrity and availability. Based on these tenets, security, legal, privacy and compliance professionals in law firms must all work together to influence how data is accessed and managed, today and in the future. This approach will grow in importance with trends such as Big Data and regulations such as the upcoming EU General Data Protection Regulation (GDPR).
Cyber criminals are continuously adopting new tactics to breach security. Law firms need to adopt a Security Operations-led approach that goes beyond traditional IT security. This approach delivers Adaptive Threat Processing that facilitates a big picture of the threat landscape encompassing everything from assessing new threats, adaptive controls, detecting manifesting threats, mitigating the impact as well as monitoring threats and their evolution.
Over 50 people attended the seminar and the feedback has been excellent with comments including “very interesting”, “very informative”, “excellent seminar” and “good range of presenters and materials”. Watch out for future Ascertus seminars being planned for locations across the UK and Europe.
This blog is based on the presentations by The Security Alliance, iManage, Mimecast, DocuSign, Jenny Radcliffe and QuoScient at the Ascertus Cyber Threat Landscape for Law Firms seminar on 23rd February 2017 at the Bird and Bird LLP auditorium.