According to the 2017 PwC Law Firms’ Survey, the majority of UK law firms have been the victim of a cyber-attack in the past year – with almost 40% of firms reporting disruption to their business as a result. 30% of firms claim that security incidents are detected on either a weekly or monthly basis, while as many as 12% of firms detect threats every day. Law firms are a prime target for cyber-criminals as they store large amounts of sensitive personal/business/financial data about their clients, and this data is very valuable. Phishing attacks – a type of social engineering attack where the attacker masquerades as a trusted entity to steal data – were the most common type of security incident.
16% of firms do not have an incident response plan in place, and of those that do, only 75% periodically test their plans to confirm their effectiveness. The forthcoming GDPR will no doubt incentivise firms to develop an incident response plan and establish a clear, co-ordinated programme for dealing pro-actively with security threats. 70% of firms have already completed a GDPR risk assessment this year, up from 13% in 2016. The remaining 30% of firms state that they plan to carry out a GDPR risk assessment within the next six months.
Given that law firms often advise their clients on issues relating to data protection, the stakes are very high. Should a law firm fall victim to a serious cyber-attack resulting in a loss of confidential client data, the damage to the firm’s reputation could be severe. And let’s not forget about the potential cost. According to a report by Kaspersky Lab, “In 2017, the average cost of a data breach in North America is $1.3 million for enterprises and $117,000 for small and medium-sized businesses (SMBs)”. As it stands, law firms are required to comply with both the Data Protection Act (DPA) and the rules of the Solicitors Regulation Authority (SRA), which include a duty to keep client affairs confidential.
Creating a security culture
Technology alone is not sufficient to protect a firm’s sensitive data. The first step in tackling this problem is to recognise that human error is the biggest cyber-security threat organisations face. According to a report by Lloyd’s of London, 49% of IT managers and 14% of organisations believe that insiders are the biggest threat to the security of their network. Despite this, only 60% of organisations have a compulsory training programme in place to educate staff about IT security.
Below are some tips on how law firms can create a security culture:
Talk to employees about cybersecurity on a regular basis
It is important to keep security fresh in the minds of your staff. Explain the potential impact of a security breach, and make sure staff know what their security responsibilities are, especially with regard to the use of mobile devices. Arrange meetings and discussions about the different types of cyber-attack, and reference news articles and case studies. If you can, make it fun and rewarding: test staff knowledge regularly and reward those who perform well.
Ensure that executives/managers are trained too
As you might expect, executives and managers are a prime target for cyber-criminals as they have greater access to large amounts of sensitive data. They have the power to make critical changes to the network, and the potential financial gain associated with targeting an executive will likely be greater.
Explain to your employees that a system is only as secure as the weakest link
It is important to understand that humans make mistakes. You will therefore need to encourage employees to co-operate in keeping the system secure, and to write policies that cover the realistic attack vectors the firm faces. Employees should be well informed about how to manage their passwords and keep them secure.
Why is it important to identify social engineering?
Staff members need to be made aware of the dangers associated with unsolicited emails, social media, and links to unknown blogs/websites. Many attacks start with a phone call from an attacker posing as a member of staff attempting to collect information about the company, staff and operations.
Train employees to recognise and respond to attacks
You will need an incident response plan in place which provides a clear, step-by-step guide for staff to follow in the event of a suspected breach. Many insider attacks can’t easily be identified by the average employee: without access to the server logs, they will not be able to spot privilege misuse, suspicious file and folder activity, failed logon attempts, account modification or deletion, and the like.
Training staff to spot social engineering is, however, a crucial step towards securing your system. To spot phishing emails, for example, staff need to check that the display name matches the real sender address, check where a link leads by hovering over it before clicking, look out for spelling mistakes, and check email signatures. They should also look out for pressure words such as “urgent”, and impersonal salutations such as “Dear Customer”. They must avoid giving away personal details or opening unexpected attachments, and generally be sceptical about everything!
The training should inform employees about specific rules relating to email, web browsing, social media and so on. Should an employee spot something suspicious, or lose a mobile device that has access to sensitive data, they must notify the administrator immediately, so details of whom incidents are reported to must be readily available. Staff may need to physically disconnect their machine from the network if they believe they are under attack; disconnecting is preferable to powering the machine off, which destroys volatile evidence the responders will want. Never mock or discourage an employee for being too cautious when raising a red flag. After all, it is always better to be safe than sorry.
Have a PR strategy in place
Should an incident occur, you don’t want your staff to communicate with the public or press until they are fully informed about the details of the incident. Of course, you don’t want to cover-up incidents, but you don’t want false information circulating either, as this could seriously damage the reputation of your organisation. You will need to train your staff accordingly. Additionally, you should also have some form of cyber-insurance.
Know your data!
Law firms will need to invest in an auditing solution such as LepideAuditor to monitor insider threats effectively. This particular solution allows organisations to detect, alert on and respond to suspicious events automatically and in real time. Maintaining “least privilege” access depends on visibility: you need to be able to display the current permissions on shared files and folders, and security group membership, as they stood at a selected point in time, and to show how those permissions have changed since. Organisations also need to be alerted when users are added to privileged security groups, and to be able to produce a comprehensive set of reports as and when required.
Additionally, they will need to be able to detect, alert on and respond to suspicious file and folder activity, triggered either by a single event or by a threshold condition. They must be able to detect user account creation, modification and deletion, to ensure that accounts are not being created without reason or granted excessive privileges. It also helps to be able to display the permission history of a user account.
Manage Inactive Accounts
Should an employee leave the firm, or simply move to a different department, the ability to detect and manage inactive user accounts automatically will be very important. It allows firms to automate the follow-up actions, such as disabling, moving or removing the account, so that a dormant account is not left for an attacker to pick up.
Alerts and Response
As mentioned previously, phishing attacks were the most common type of security incident, and a successful phish typically ends in stolen credentials or a malicious attachment. It is therefore important to track access to privileged mailboxes, and to use threshold alerting to detect activity that may indicate a ransomware attack. For example, if more than a predefined number of file changes are made by one user within a selected interval, you can trigger an alert and execute a custom script. Such a script might disable the user account, stop a specific process, change the firewall settings, or shut down the system entirely. It will not prevent the ransomware from being launched, but it will at least limit the damage it can cause. Likewise, threshold alerting can be used to identify anomalous runs of user logon failures. Finally, many firms automate reminders to users to reset passwords before they expire. Be aware, however, that the NCSC’s current password guidance advises against forcing routine expiry, since it leads users to choose predictable variations; it is better to expire a password when compromise is suspected, and to rely on logon-failure alerting and account monitoring for the rest.
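To make the alerting described in the last two sections concrete, here is an added example, not code from the original article or from any auditing product, of three rules run over constructed, simplified Windows-style security events: a burst of file writes by one user (the ransomware threshold), a run of failed logons against one account, and any addition to a privileged security group. The event IDs (4663, 4625, 4728/4732/4756) are real Windows Security log IDs, but the record format, the thresholds, the privileged-group list, the sample users and the response actions are all assumptions made for the example.

```python
"""Rule- and threshold-based alerting over constructed security events.
Added example, not code from the article or any auditing product.  Event IDs
follow the Windows Security log (4663 object access, 4625 failed logon,
4728/4732/4756 member added to a security-enabled group) but the records are
constructed and cut down to 'time|event_id|actor|object|detail'."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables: assumed for this example, tune to your own environment's baseline.
FILE_CHANGE_THRESHOLD = 50                  # writes by one user ...
FILE_CHANGE_WINDOW = timedelta(seconds=60)  # ... within this window
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=5)
# Assumed set of groups whose membership changes must always alert.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}


def parse_event(record):
    """Parse one constructed 'time|event_id|actor|object|detail' record."""
    ts, eid, actor, obj, detail = record.split("|", 4)
    return {"time": datetime.fromisoformat(ts), "id": int(eid),
            "actor": actor, "object": obj, "detail": detail}


class ThresholdAlerter:
    """Per-key sliding window.  Fires once per key, the first time the count
    inside the window reaches the threshold, so a continuing burst does not
    generate an alert storm.  Returns the count when firing, else 0."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.windows = defaultdict(deque)
        self.fired = set()

    def observe(self, key, ts):
        q = self.windows[key]
        q.append(ts)
        while ts - q[0] > self.window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.threshold and key not in self.fired:
            self.fired.add(key)
            return len(q)
        return 0


def run_rules(records):
    """Apply the rules in time order; return (rule, subject, detail) alerts."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e["time"])
    file_changes = ThresholdAlerter(FILE_CHANGE_THRESHOLD, FILE_CHANGE_WINDOW)
    failed_logons = ThresholdAlerter(FAILED_LOGON_THRESHOLD, FAILED_LOGON_WINDOW)
    alerts = []
    for ev in events:
        if ev["id"] in GROUP_ADD_EVENT_IDS and ev["object"] in PRIVILEGED_GROUPS:
            # Single-event rule: any addition to a privileged group is worth a look.
            alerts.append(("privileged_group_add", ev["detail"],
                           f"added to {ev['object']} by {ev['actor']}"))
        elif ev["id"] == 4663:
            n = file_changes.observe(ev["actor"], ev["time"])
            if n:
                alerts.append(("file_change_burst", ev["actor"],
                               f"{n} file writes within {FILE_CHANGE_WINDOW.seconds}s"))
        elif ev["id"] == 4625:
            n = failed_logons.observe(ev["object"], ev["time"])
            if n:
                alerts.append(("failed_logon_burst", ev["object"],
                               f"{n} failed logons within {FAILED_LOGON_WINDOW.seconds}s, "
                               f"last from {ev['actor']}"))
    return alerts


# What the 'custom script' the article mentions would do for each rule (assumed).
RESPONSE_ACTIONS = {
    "file_change_burst": "disable the account and kill the writing process",
    "failed_logon_burst": "lock the account and examine the source host",
    "privileged_group_add": "check for a change ticket; if none, remove the member",
}


def recommended_response(alert):
    return RESPONSE_ACTIONS[alert[0]]


def constructed_events():
    """Constructed sample: a normal user, a ransomware-like burst, a
    password-guessing run, and two group additions (one privileged)."""
    base = datetime(2017, 11, 6, 9, 0, 0)
    share = r"\\fs1\clients"
    recs = []
    for i in range(5):   # asmith: five saves spread over an hour
        t = base + timedelta(minutes=12 * i)
        recs.append(f"{t.isoformat()}|4663|asmith|{share}\\acme\\draft{i}.docx|WriteData")
    for i in range(60):  # jdoe: sixty writes in thirty seconds
        t = base + timedelta(minutes=30, milliseconds=500 * i)
        recs.append(f"{t.isoformat()}|4663|jdoe|{share}\\acme\\file{i}.docx.locked|WriteData")
    for i in range(6):   # six bad passwords against one partner's account
        t = base + timedelta(hours=1, seconds=20 * i)
        recs.append(f"{t.isoformat()}|4625|WS-RECEPTION|partner.brown|BadPassword")
    t = base + timedelta(hours=2)
    recs.append(f"{t.isoformat()}|4728|svc_admin|Domain Admins|contractor1")
    recs.append(f"{(t + timedelta(minutes=1)).isoformat()}|4728|svc_admin|Marketing|jdoe")
    return recs


if __name__ == "__main__":
    for alert in run_rules(constructed_events()):
        print(alert, "->", recommended_response(alert))
```

Run as a script it prints three alerts: the jdoe write burst (fired at the 50th write, while asmith’s ordinary saves stay silent), the run of failed logons against partner.brown, and contractor1’s addition to Domain Admins; the Marketing group change is ignored. Two points worth noting in a real deployment: 4663 events only exist where object-access auditing and SACLs are configured on the shares, and the alerter deliberately fires once per user so the response script runs once rather than fifty times while the encryption continues.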
Naturally, a law firm that has its house in order will be in a better position to advise its clients on cyber-security matters. Start by explaining to your clients their key duties, and offer practical advice on how to implement security controls. Ask your clients to perform a comprehensive audit of their current systems against both the DPA and the GDPR. Inform them about the importance of training on data protection issues, and ensure that they have auditing tools that let them determine who changed what, where and when, in their critical data.