The ‘Perfect Storm’ - How Organisational Culture, Coincidence and Con Artists Create the Perfect Conditions to Breach Your Firm

Thursday, February 9, 2017

Guest Blog By Jenny Radcliffe, Social Engineering Expert

Recently, I was commissioned by an organisation of significant size and in a high-risk industry to demonstrate to the Board the vulnerability of its employees to criminal hackers using non-technical means. Using Open Source Intelligence to gather information on a selection of the most senior individuals in the organisation, I was able to reveal how easily and legitimately I was able to engage with them, physically access their office building and, if I had intended to do so, use the insight to hack into the business. It was an ‘eye-opener’ for the Board!

This is what malicious social engineers do – they leverage the ‘Perfect Storm’ created by the organisation’s culture, the employees’ frame of mind and lack of security awareness, and the ready availability of detailed personal information, using social engineering and the “human factor” to gain business-sensitive information for their own financial gain.

As technology becomes more complex, many hackers see the employees of an organisation as “the weakest link”, but the extent to which this is the case depends on many factors beyond the mere fact that human beings work for the organisation. Several organisational factors make firms more or less vulnerable to hackers, and it is possible to defend, mitigate and ‘patch’ your own human vulnerabilities.

I’m talking about this issue at the upcoming Cyber Threat Landscape for Law Firms on 23 February 2017. My presentation will:

  • Explain how an organisation can be “profiled” by a malicious criminal, who then uses the information to design a hack that is suited to the culture of the target company

  • Explain why “culture” is an important element in the shape and nature of an attack, communicating the threat to employees and ultimately in the defence against attacks

  • Highlight my own “experiences” as an ethical Social Engineer and share some tricks, tactics and methods that I use to attack organisations via their people.

  • Offer tips and guidance on how to “wake up the workforce” to the threat of Social Engineering, and how to maintain engagement of staff to prevent cyber threats

My presentation will be fast paced, humorous and revealing! Hope to see you there!

About Jenny Radcliffe

Jenny Radcliffe is an ethical expert in Social Engineering, negotiation, persuasion and influence, non-verbal communication and deception. She uses her skills to help clients – from global corporations and law enforcement to poker players, politicians and the security industry – to protect themselves from cyber criminals.

Monday, February 6, 2017

Adoption of E-billing Tools – US versus Europe

Guest Blog by Bryan King, Independent E-Billing Consultant

Although e-billing is playing a role in the commercial relationship between a growing number of UK/European in-house legal departments and their law firms, there are still many organisations that aren’t yet reaping the benefits of e-billing. It’s often said that numerous non-US organisations don’t “get” the value of e-billing. I believe it’s not that they don’t “get it”; rather, the e-billing solutions, until recently, didn’t necessarily deliver against the needs of European organisations.

E-billing is a norm in the US

It is estimated that 90% of all litigation work is now e-billed in the US; and a recent study shows that in many mid-sized US firms, around 70% of annual revenue is collected via e-bills.

One of the key reasons why e-billing has been a success in the US is its single currency, the US Dollar. The e-bill format (LEDES 1998) is based on a single currency, and US law firms and in-house legal departments don’t have to comply with a complex tax and regulatory environment as they do in Europe. This facilitated the standardisation of e-billing and established it as a norm, acceptable to lawyers and clients alike.

Europe sees the business value of e-billing

On the other hand, law firms and corporate legal departments in Europe faced significant financial, cultural and regulatory barriers to the adoption of traditional e-billing solutions – and so US-market-driven solutions proved inadequate for their business requirements.

Are e-bills compliant with the various tax rules, regulatory bodies and legislations in Europe? Is the e-bill a VAT invoice as well as a note of legal costs? Does the e-bill comply with the requirements of the Solicitors Accounts Rules, HM Revenue & Customs, Data Protection laws, the Business Names Act and EU billing regulations? Law firms have to ensure that the e-billing intermediary system handles these issues correctly and that the e-bill as seen by the client complies with all the appropriate regulations. Therefore, on a technical level, organisations needed to accommodate several LEDES file formats, VAT and compliance issues, as well as a multi-currency, multi-jurisdictional billing environment.

Interest in e-billing started in earnest in 2003, when UK branches of US insurance and finance organisations started demanding such functionality from their regional law firms, which led to US e-billing solution vendors setting up offices in the UK. Over the past decade, many e-billing projects have been undertaken, with a number of law firms successfully e-billing their largest clients to the value of many millions of pounds per year.

On the corporate side, legal departments have of course used e-billing to make cost and fee cuts, but they have also tapped into it to develop a wider strategic relationship with their external law firms. The legal operations manager at a major retail bank that recently completed a high-profile e-billing project outside of the US has been quoted as saying: “We believe it (e-billing) will make our in-house lawyers think more commercially. Are we putting the right resources on matters? What’s the selection process? We hope over time it will have a positive behavioural change.”

Similarly, a major transport insurance specialist has been motivated to adopt e-billing with the objective of reducing its law firm panel from around 60 firms to between 5 and 12.

Legal spend management – the most current incarnation of e-billing

Today, in-house legal departments and law firms are looking for legal spend management solutions that go beyond traditional e-billing in their functionality – such as the ability to track billing information before the invoice is sent, to monitor compliance with client-agreed billing rules, to query disputed charges before billing, and so on. These latest requirements have led to the rise of new solution providers, not just in the European markets but in the US too.

In addition to e-billing, these web-based solutions incorporate a legal procurement module, which automates the issuance and evaluation of requests for proposals, demands for cost estimates and legal matter staffing plans. They offer sophisticated reporting and management information with easy-to-understand metrics and KPIs for corporate legal departments and law firms. As these solutions integrate with other applications such as document, knowledge and legal project management and calendaring, often via standard e-mail interfaces, corporate lawyers and law firms gain a connected business environment that also facilitates collaboration.

It is a matter of time before legal spend management solutions become a norm in the legal sector across regions and markets. The e-billing concept has evolved.

About Bryan King

Bryan King is an independent consultant, advising law firms and in-house legal departments on e-billing issues and assisting with the successful implementation of legal spend management projects. Prior to this, he held senior IT management positions at Linklaters, Lovells and Clifford Chance. At Clifford Chance, he also held global responsibility for the firm’s electronic invoicing (e-billing) projects.

Thursday, February 16, 2017

What does the cyber threat landscape for law firms look like?

Guest Blog by Rob Dartnall, Cyber Intelligence Director, Security Alliance

Towards the end of last year, Security Alliance published a report entitled The Cyber Threat Landscape for Law Firms. The overall assessment of the report is that the current cyber resilience of the legal sector does not match the severity of the threat, and that further incidents of a magnitude similar to the Mossack Fonseca breach will continue to occur if proactive cyber-defence strategies are not implemented.

Looking at the lay of the land, this isn’t surprising, given the tenacity with which cyber criminals are targeting the legal sector. The report highlights the following:

  • The types of threat actors seeking to exploit law firms range from state-sponsored Advanced Persistent Threat (APT) groups to organised criminal gangs and individual cyber-criminals

  • APT groups are seeking to extract market-information such as strategic trading and M&A information and are choosing to target law firms as the best route to access this information

  • Cyber criminals are more commonly seeking to extort law firms, with the rising trend of ransomware attacks being of particular concern

  • Law firms frequently find themselves implicated in geopolitical conflicts between two or more countries trying to assert their power over a region

  • There is a lack of sharing of cyber threat intelligence between firms in the UK

I’m delivering the keynote address on this subject at the upcoming Ascertus Seminar, Cyber Threat Landscape for Law Firms on 23 February 2017. My presentation will:

  • Provide insight into the multitude of cyber threats faced by the legal sector, and how threat intelligence can be used to identify, understand and mitigate some of these threats

  • Outline the key tenets of threat intelligence, how it should be defined, and how it should be practically applied in an organisation

  • Clarify some broad categories of threat actors, from the nation states to insiders, and explain why each category may want to target a law firm

  • Highlight case studies where law firms have been targeted by cyber threat actors

  • Explain how future events and trends may impact the severity of the cyber threat to law firms

  • Offer next steps that explain how intelligence sharing, threat assessments and targeted security can help law firms mitigate the cyber threat

The seminar is free to attend, so do come along. You’ll leave with a good understanding of the issues involved and actionable next steps for your law firm.

About Rob Dartnall

Rob is a CREST Certified Threat Intelligence Manager (CCTIM) and Cyber Intelligence Director of Security Alliance – a Bank of England certified Cyber Threat Intelligence provider under the CBEST framework. With specialist interest areas of Insider Threat and Nation State Fusion Warfare, Mr Dartnall has unique experience of and insight into the threat landscape.