Originally published on Legal Insights UK & Ireland
By Joseph Raczynski
Law firms stand in a very precarious position in the cybersecurity world. Next to financial institutions, private legal institutions are a virtual honey pot for cybercriminals. Any breach, no matter the size, impacts the client, and certainly could destroy a firm’s reputation.
Four years ago, I toured over 50 law firms discussing cybersecurity with chief information officers (CIO), managing partners, lawyers and support staff. Each year since, it remains one of the hottest legal technology topics with my clients. The unfortunate situation is that, while law firms have dramatically shored up the barriers of defence, criminals have new methods to circumnavigate the ramparts.
Why law firms now?
Recently, I was at a CIO conference with 350 medium and large law firm CIOs in attendance. The keynote speaker stunned the crowd with a singular statement: “do you realise you [CIOs] are the gatekeepers to 71 percent of the non-public intellectual property (IP)?” The first reason law firms are attacked is because of IP. Criminals of all sorts see law firms rife with IP that can be pilfered.
One Asian country has allegedly lifted massive amounts of IP from technology companies, not from the companies themselves, but rather their law firms. Once obtained, they pass the IP to their nation’s internal network of state owned companies for development. Apple could have trade secrets stolen and then developed and sold in China before Apple could get it to market in London. To this end, Joe Patrice, Editor of Above the Law, once called law firms “the soft underbelly of the cybersecurity world”. The good news is that law firms have fortified their gates more recently to stymie the IP raiders.
The second reason why law firms are attacked is business information. Last year a known hacker in Russia targeted the top 25 law firms in the world to pull out any merger and acquisition (M&A) information. The criminals silently slip past firewalls, identify M&A documentation of companies set to merge, then can use that information to purchase stock—all before it is publicly announced.
Methods of attack
There is a myriad of tried and true means to crack networks and computers. Having been a white hat hacker script kiddie, years ago, I recently dipped my toe back into the space to see what has changed. My conclusion: it is easier to hack now than it was 10 years ago.
I bought a £4 specialised USB the other day, which will load any sort of script onto a computer in under four seconds. Simply choose the script from 100’s publicly available on the web, convert the code through a free compiler, load it onto the USB stick—and voila! In my testing, I could scrape the user names and passwords entered on my computer, and have it automatically sent to a test email account, simply by placing the ’bad USB’ or ’Rubber Ducky’ into my drive for a few seconds. Does your firm lock down USB ports? Perhaps it is worth considering as an attack of this nature can be executed with relative ease.
There are countless other ways to hack a computer or IoT (Internet of Things) device, but no greater risk is higher than email. Allen Paller, of the US-based SANS Institute, cites 95 percent of all malware and breaches start with email. Phishing attacks, discussed in a new government report published by the National Cyber Security Centre: ‘The cyber threat to UK legal sector’, states that 80 percent of law firms in the UK have had attempted phishing attacks in the last year. These sorts of attacks can be prevented in several ways:
- Have processes in place when dealing with accounting so emails are not approval for funds transfer—use an internal application for requests and verification
- Use software to distinguish ‘external’ emails from ‘internal’
- Link protection—use real-time analysis of URLs and domains so that the user is safely redirected to valid domains when clicking ‘unknown’ links in emails
- Assuring that all applications are running their most up to date versions
One of the largest law firms in the world, DLA Piper, was hit by ransomware last year. Fortunately, DLA Piper survived, though weeks of recovery at a tremendous cost. Still, these types of attacks can be devastating. They encrypt all files on your computer or network—leaving you two options: pay the ransom to get the password, or delete everything off the computer and rebuild with your backup files. Either option can leave a law firm, for a short or long period of time, with limited ability to address client needs.
The future of cybersecurity will be a multi-pronged approach. No longer is antivirus software the ultimate defence. Instead, law firms will need tools that detect intruders using artificial intelligence infused algorithms to figure out abnormal activity on the network. Blockchain will help securitise information and identities with a distributed network—compared to a central repository of sensitive information. Lastly, the General Data Protection Regulation has already, and will continue to, force all parties to take security more seriously or risk significant fines.