The Ascertus Security Thought Leadership Series
Information Security Management System Adoption a Must for Law Firms
For cyber criminals, law firms have proven to be a lucrative hunting ground because of the personally identifiable data and the extremely valuable intellectual property they hold. They also handle significant funds and are a key enabler of high-value commercial and business transactions. A 2017 survey by PwC revealed that 60% of law firms had reported an information security incident, up from 42% in 2014, and this trend is likely to continue.
The value of the legal sector to cyber criminals is similar to the importance they place on the medical sector, where the high sensitivity and confidentiality of the data makes the information extremely prized to them.
Having worked with several law firms to help them establish security measures, I have found the following to be the prime ways in which these organisations fall victim to cyber criminals:
Insider threat – These incidents tend to be mostly accidental, but according to the Industry Security Forum over half of all data breaches are caused by insiders, and the number is growing. Note that an insider is not only an employee: it is anyone who has access to the firm, including its physical premises and its network (for example, a visitor with an infected device connecting to the firm’s Wi-Fi).
Phishing – This is by far the most common way in which law firms fall prey to attacks. Via a mere email, criminals can gain access to key data. Only recently, I was working with an organisation where a phishing email to an individual who was part of the IP team resulted in criminals gaining access to people’s details. It was three days before the firm realised, which means that for this period the attackers had open access to the system. Often, it is much longer before firms become aware of the breach.
Ransomware – A more sophisticated form of malware, this malicious software encrypts users’ devices, sometimes even locking them out of the system entirely. Rule of thumb for firms: it is not worth succumbing to ransom demands, as there is no guarantee you will get your data back. Protecting devices, keeping software updated, taking regular back-ups and adopting ‘defence-in-depth’ strategies make for a better approach.
Supply chain compromise – This is fast becoming one of the biggest security issues, driven by the increasing use of digital technologies to deliver legal services. Firms need to ensure they have oversight of the security measures of their third-party suppliers.
Cyber criminals, whose ‘day job’ is to breach, are continuously adopting more advanced and sophisticated technologies and techniques. Law firms must take a holistic approach to security. There are two key elements to this:
1. Security training and awareness – This must be a continuous and evolving programme, not a one-off tick-box exercise.
2. Adoption of an Information Security Management System (ISMS) – Certified to ISO 27001, an ISMS is a framework of security policies and processes, covering both technology and working practices, that helps an organisation manage its data systematically and proactively.
This link is worth visiting:
https://www.iso.org/isoiec-27001-information-security.html
In the upcoming blogs, I’ll address each of the above-mentioned threats, offering actionable measures that law firms can take to mitigate the vulnerabilities.
About Shelton Newsham
Shelton Newsham is a manager and lead at the Yorkshire and Humber Regional Cyber Crime Team, advising the public and private sectors and individuals (including at Board level) on threat mitigation. He is a Certified ISO 27001 ISMS Lead Implementer, ISO 27001 ISMS Auditor, Certified in Information Security Management Principles (CISMP), ISO 22301 BCMS Lead Implementer and holder of the Certificate of the Business Continuity Institute (CBCI). With over 17 years’ experience in law enforcement, Shelton has extensive experience in incident response, critical incident management, intelligence assessments, threats to life, incident investigation, safeguarding the vulnerable, public order and large-scale operations, working at a strategic level.