How law firms can minimise the risk of being hacked
Hackers recently infiltrated the IT system of a national law firm to harvest staff and client data, before attempting to spread the data through Twitter.
Duncan Lewis Solicitors urged people not to open any links to Twitter accounts that may contain sensitive information, as it worked with external forensics teams to ascertain the source and limit the impact.
The legal aid specialist, with more than 420 staff, secured a High Court Injunction preventing the use of, publication, communication or disclosure to any other person of any information obtained from its IT systems.
This incident follows a number of other cyber hacks within the UK legal profession. Last December, London practice Anthony Gold Solicitors warned people to delete any emails purporting to be from the firm’s address after some 16,000 were sent under the subject line ‘Action Required – Matter for Attention’.
In July 2017 international law firm DLA Piper fell victim to the global ‘Petya’ ransomware attack. For two days after the attack all telephones and emails at DLA Piper were knocked out. The firm was still grappling with IT problems 10 days on from the attack.
Lines of defence
Law firms’ sensitive data makes them a prime target for hackers looking for data they can then monetise. Worryingly, the Law Firm Cybersecurity Scorecard concluded that 40% of firms had experienced a data breach in 2016 and did not know about it.
Law firms should split their cyber defences against such attacks between:
1) Risk management, and
2) Post-breach damage/crisis management.
To optimise your cyber risk management, it is vital to run the latest versions of software, in particular browsers and operating systems, and keep them up to date. This can be achieved by taking the following simple steps:
1. Identify all the software used on your systems – it’s easy to focus on Microsoft, but Adobe, Apache and so on must also be considered.
2. Monitor the release of new patches from vendors (specifically security patches, rather than feature patches) and apply them as soon as feasible. The software vendor will often assign a criticality that will help you identify the severity of the issue.
3. Deploy vulnerability scanning to ensure the patches have actually been installed.
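The three steps above (inventory, track security patches by vendor criticality, verify they were applied) can be expressed as a small reconciliation check. The following is an added example, not code from the article or from any vendor: the inventory, the advisories and the host names are constructed sample data, and the version comparison is a deliberately simple one that handles dotted numeric versions plus an OpenSSL-style letter suffix.

```python
import re
from typing import Dict, List, Tuple

# Vendor-assigned criticality, most urgent first; unknown labels sort last.
SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}

# Constructed sample inventory (step 1): hypothetical hosts, products and versions.
INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-001", "product": "Acrobat Reader", "vendor": "Adobe", "version": "19.0.1"},
    {"host": "ws-001", "product": "Windows 10", "vendor": "Microsoft", "version": "10.0.17134.523"},
    {"host": "srv-web", "product": "Apache HTTP Server", "vendor": "Apache", "version": "2.4.29"},
    {"host": "srv-web", "product": "OpenSSL", "vendor": "OpenSSL", "version": "1.1.0h"},
]

# Constructed sample advisories (step 2): the version that fixes the issue, the
# vendor's criticality label, and whether it is a security fix or a feature update.
ADVISORIES: List[Dict[str, object]] = [
    {"product": "Acrobat Reader", "fixed_version": "19.0.3", "severity": "critical", "security": True},
    {"product": "Apache HTTP Server", "fixed_version": "2.4.33", "severity": "important", "security": True},
    {"product": "Apache HTTP Server", "fixed_version": "2.4.35", "severity": "low", "security": False},
    {"product": "Windows 10", "fixed_version": "10.0.17134.471", "severity": "critical", "security": True},
    {"product": "OpenSSL", "fixed_version": "1.1.0i", "severity": "moderate", "security": True},
]

# Constructed re-scan after patching (step 3): Acrobat and OpenSSL updated, Apache not.
RESCAN_INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-001", "product": "Acrobat Reader", "vendor": "Adobe", "version": "19.0.3"},
    {"host": "ws-001", "product": "Windows 10", "vendor": "Microsoft", "version": "10.0.17134.523"},
    {"host": "srv-web", "product": "Apache HTTP Server", "vendor": "Apache", "version": "2.4.29"},
    {"host": "srv-web", "product": "OpenSSL", "vendor": "OpenSSL", "version": "1.1.0i"},
]


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """Turn '2.4.29' or '1.1.0h' into a comparable (numeric parts, letter suffix) tuple."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def outstanding_security_patches(inventory, advisories) -> List[Dict[str, str]]:
    """Return one finding per host/product that runs a version older than a security fix.

    Feature-only advisories are ignored, matching the article's advice to track
    security patches specifically. Findings are ordered by vendor criticality.
    """
    by_product: Dict[str, list] = {}
    for adv in advisories:
        if adv["security"]:
            by_product.setdefault(str(adv["product"]), []).append(adv)

    findings = []
    for item in inventory:
        for adv in by_product.get(item["product"], []):
            if parse_version(item["version"]) < parse_version(str(adv["fixed_version"])):
                findings.append({
                    "host": item["host"],
                    "product": item["product"],
                    "installed": item["version"],
                    "fixed_version": str(adv["fixed_version"]),
                    "severity": str(adv["severity"]),
                })
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["host"], f["product"]))
    return findings


def verification_report(previous_findings, rescan_inventory, advisories) -> Dict[str, list]:
    """Step 3: compare an earlier set of findings with a fresh scan.

    A finding is 'remediated' only when the re-scan no longer reports the same
    host/product/fixed_version; everything still reported stays 'outstanding'.
    """
    still = outstanding_security_patches(rescan_inventory, advisories)
    key = lambda f: (f["host"], f["product"], f["fixed_version"])
    still_keys = {key(f) for f in still}
    remediated = [f for f in previous_findings if key(f) not in still_keys]
    return {"remediated": remediated, "outstanding": still}


if __name__ == "__main__":
    before = outstanding_security_patches(INVENTORY, ADVISORIES)
    for f in before:
        print(f"{f['severity']:>9}  {f['host']:<8} {f['product']}: {f['installed']} -> {f['fixed_version']}")
    report = verification_report(before, RESCAN_INVENTORY, ADVISORIES)
    print("remediated:", [f["product"] for f in report["remediated"]])
    print("outstanding:", [f["product"] for f in report["outstanding"]])
```

In practice the inventory would come from an asset-management or endpoint tool and the advisories from vendor feeds, but the shape of the check is the same: the re-scan, not the deployment log, is what confirms a patch is actually in place.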
It’s also important to train your staff to recognise the warning signs and avoid becoming victims of social engineering and other common cyber-criminal tactics. The following practices may help you to reduce security breaches that relate to human behaviour:
• Create a security policy that clearly outlines your company’s rules regulating the handling of data access and passwords, use of security and monitoring software and so on.
• Make your employees aware of risks that their actions can pose to your company’s security, and educate them on how to best handle work in a secure manner.
• Apply the principle of least privilege. Deny all data access by default and allow it whenever needed on a case-by-case basis.
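The last bullet, deny by default and grant case by case, is easier to reason about when the rule is written down as a policy check. Below is an added example, not code from the article or from any document-management product: it models access to client matters with explicit, time-limited grants, denies anything not covered by one, and keeps a log of denied attempts so unusual access patterns can be reviewed. The user and matter identifiers are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# A 'write' grant also permits reading; a 'read' grant permits reading only.
IMPLIES = {"write": {"read", "write"}, "read": {"read"}}


@dataclass(frozen=True)
class Grant:
    user: str
    matter: str        # the client matter (file) the grant covers
    permission: str    # "read" or "write"
    expires: datetime  # grants expire so access does not silently accumulate


@dataclass
class MatterAccessPolicy:
    grants: List[Grant] = field(default_factory=list)
    # (time, user, matter, permission, allowed) for every decision made
    audit: List[Tuple[datetime, str, str, str, bool]] = field(default_factory=list)

    def grant(self, user: str, matter: str, permission: str, days: int, now: datetime) -> None:
        """Case-by-case grant: one user, one matter, one permission, for a fixed number of days."""
        if permission not in IMPLIES:
            raise ValueError(f"unknown permission: {permission}")
        self.grants.append(Grant(user, matter, permission, now + timedelta(days=days)))

    def revoke(self, user: str, matter: str) -> None:
        """Remove every grant the user holds on the matter (e.g. when they leave the team)."""
        self.grants = [g for g in self.grants if not (g.user == user and g.matter == matter)]

    def is_allowed(self, user: str, matter: str, permission: str, now: datetime) -> bool:
        """Default deny: access needs an explicit, unexpired grant covering this exact matter."""
        allowed = any(
            g.user == user
            and g.matter == matter
            and permission in IMPLIES[g.permission]
            and g.expires > now
            for g in self.grants
        )
        self.audit.append((now, user, matter, permission, allowed))
        return allowed

    def denied_attempts(self) -> List[Tuple[datetime, str, str, str, bool]]:
        """Denied decisions, the part of the log worth reviewing for misuse or misconfiguration."""
        return [entry for entry in self.audit if not entry[4]]


def demo() -> MatterAccessPolicy:
    """Constructed walk-through: a solicitor and a paralegal on matter M-1001."""
    now = datetime(2019, 4, 1, 9, 0, tzinfo=timezone.utc)
    policy = MatterAccessPolicy()
    policy.grant("asolicitor", "M-1001", "write", days=30, now=now)
    policy.grant("bparalegal", "M-1001", "read", days=7, now=now)

    policy.is_allowed("asolicitor", "M-1001", "read", now)                    # allowed (write implies read)
    policy.is_allowed("bparalegal", "M-1001", "write", now)                   # denied: only read was granted
    policy.is_allowed("bparalegal", "M-2002", "read", now)                    # denied: no grant on that matter
    policy.is_allowed("bparalegal", "M-1001", "read", now + timedelta(days=8))  # denied: grant expired
    return policy


if __name__ == "__main__":
    for when, user, matter, perm, _ in demo().denied_attempts():
        print(f"{when.isoformat()} DENIED {user} {perm} on {matter}")
```

The important property is that nothing in the policy grants access by omission: a new matter, a new user or an expired grant all fall through to a denial, and each denial is recorded rather than silently dropped.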
Speed and accuracy
If you do incur a cyber breach, the speed and accuracy of your response can make all the difference.
The more planning your company does before a breach, the better your chances of minimising the business interruption and reputational damage that can ensue. Ensure any PR and comms resource you have plays an integral part in the pre-breach planning process.
Following a breach, a company invariably feels a tension between the need to communicate with customers quickly and the need to communicate accurately. To optimise the chances of striking the right balance, it’s vital for a company to involve a range of stakeholders in the pre-breach planning stages. (See ‘Cyber breach planning: building your A-team’ for more analysis of this matter.) This should ensure that the timing and extent of your comms to third parties is a business decision that has factored in the various implications, and not just those of one or two divisions.
The Solicitors Regulation Authority – which receives around 40 reports of confidentiality breaches each month – has stressed that if firms lose client money or information, they must report these cases. The SRA said it will take a “constructive and engaged approach”, particularly if firms are taking steps to make good any losses to the client, and are looking to learn from the incident.
Typically you can retain customers’ business if they feel that you have communicated with them the cause and effects of the breach quickly, accurately and openly, and have put them first.
For more information, please contact Brett Warburton-Smith on:
+44 (0)20 7933 2242