Cyber crime is a growing concern for all businesses across every industry, and even more so for those who operate in vulnerable sectors, such as law firms. The latest threat report from the NCSC highlights the rising cyber security concerns and the UK legal sector’s attractiveness to cyber criminals.
of law firms reported an information security incident in the last year; an increase of 20% YoY
was stolen due to cyber crime in 2016/17, the Solicitors Regulation Authority (SRA) reports
Law firms, as with all modern day working practices, are heavily reliant on technology. We live in a digital economy where flexible working, 24/7 access to information and online transactions are the norm. The sheer amount of expected connectivity makes everyone vulnerable. The Department for Digital, Culture, Media and Sport undertook a cyber security breaches survey earlier this year and found that 98% of all types of UK businesses rely on some form of digital communication or services, which exemplifies the scale of why cyber security should be a high priority.
Recent figures are alarming, particularly so for legal firms, who admit they need a greater awareness of cyber security.
Christina Blacklaws, President of The Law Society, mentioned in the threat report:
“In the post-GDPR world and as the sector delivers and transacts more online, it’s vital that we get a common view and understanding of cyber threats and their impact.”
Although there is a plethora of resources available, the sector struggles to understand the cyber threat landscape. 60% of law firms in 2017 reported an incident, but that’s only those who identified a problem. There has been a 42% increase in reported incidents since 2014. This could mean either businesses are more aware so are reporting cases, or cyber crime is on the rise. It's most likely a combination of both.
Profiling law firms
The legal sector is particularly vulnerable due to the volume of data, sensitive information, financial responsibility and authority it holds. If a law firm specialises in corporate or property law, they are at a greater risk, as the financial gain is unprecedented.
As highlighted in the threat report, the main reason law firms are targeted is for financial gain, but there is a growth in cyber adversaries seeking political, economic or ideological goals.
Law firms are perceived to be an easy target – particularly smaller firms as they don’t have the same resources as larger practices, but they still hold significant funds. Also, they most likely have a small team managing their entire business infrastructure, with limited IT security resources available.
It is often misconstrued that cyber security is undertaken by the IT department, but the truth is that every department is accountable. Cyber security is part of the bigger information risk management picture, and it requires emphasis from business leaders.
Impact of falling foul
The implications of a cyber attack for any business are detrimental, even more so when your business mentality and core service is built on trust and discretion. Not only do law firms and their clients have to consider the financial impact, but reputational damage for the practice can be irreversible.
Therefore, to ensure law firms are protected and keep their data and intellectual property (IP) secure, they need to be aware of the following cyber threats. These three were identified in the NCSC's report as being the most significant to the legal sector.
Cyber threats to be aware of
1. Phishing
Email is the main route in for social engineering attacks. Phishing scams can include impersonation, intercepted emails and/or malicious attachments. The aim of the threat actors behind the attack is to provoke users into making a mistake, such as disclosing sensitive information, handing over user credentials or downloading malware. Business email compromise (BEC) is a newer strand of social engineering attack, in which an adversary commits email fraud by imitating an owner's identity for financial gain.
“The most common security incidents continue to be phishing attacks. 12% of firms claim to be recipients of such attacks on a daily basis, with a further 30% identifying attacks on either a weekly or monthly basis.” (PwC Law Firms’ Survey Report 2017)
2. Ransomware
This type of attack locks users out of systems and prevents them from accessing data, with adversaries demanding payment for decryption, though there is no guarantee that paying the ransom will restore normality. Financial gain is the predominant motive behind these cyber attacks; however, with the rise in organised crime, threat actors are also looking to cause disruption to earn respect within the hacktivist network.
DLA Piper, one of the world’s biggest law firms, suffered a Petya cyber attack on 27 June 2017. It is a prime example of the consequences of falling foul of a ransomware attack. “For two days after the attack, all telephones and emails at DLA Piper, which has about 3,600 lawyers in 40 countries, including in Kiev, the Ukrainian Capital, were knocked out… nine days on from the attack, it [had] not managed to regain complete access to emails sent or received before the ransomware struck… On July 2, it issued a statement to say it [had] ‘brought our email safely back online, and continue to bring other systems online in a secure manner’.”
DLA Piper is a practice that provides cyber security advice and manages thousands of client accounts. As a result of the compromise, repairing the reputational damage would be an enormous undertaking; add to that such a long period of downtime and the financial losses become substantial. The financial impact to DLA Piper was estimated to be in the millions.
3. Supply chain compromise
Cyber criminals are attracted to easy targets. They will always go for the weakest link in the chain, often a third party supplier, which results in supply chain compromise. Cyber adversaries look to harvest information, intercept business transactions and exploit vulnerabilities.
Law firms can be targeted by these cyber attacks in two ways:
- Their supply chain can be targeted, such as a data centre to extract client information
- They are the link in the supply chain; e.g. cyber criminals could impersonate their domain to redirect financial transactions to their own accounts
Take action and be prepared. As we touched on earlier, there is an abundance of resources available to help law firms adopt a cyber security mindset – notably, the recent legal sector threat report from the NCSC raises awareness and highlights safeguards that can be put in place.
Law firms can also choose to work with a managed security service provider (MSSP). The benefit of working with an expert is that they help reduce the chance of cyber attacks and manage your attack surface, limiting vulnerabilities and providing peace of mind for your IT security. They implement the right cyber protection for your business to achieve and maintain a low level of risk. Law firms that handle extremely sensitive material, and are therefore considered highly vulnerable, should consider partnering with an MSSP. Our recent post on understanding the value of an MSSP provides useful further reading.
In addition, speak to peers. The Law Society offers a good support network and is a worthy first port of call.
Speak to an expert, let's start a conversation
This is where CORVID can help. The team lives and breathes cyber. They understand that one size doesn’t fit all when it comes to cyber security. They take the time to understand your business objectives, concerns and risks, before providing the right cyber security solution to solve the problem.
Find out more about how CORVID can benefit the legal sector.
- ‘Cyber Security Breaches Survey 2018: Statistical Release’; Department for Digital, Culture, Media & Sport, Ipsos MORI and University of Plymouth, April 2018
- ‘The cyber threat to UK legal sector’ threat report; NCSC, The Law Society and NCSC Industry 100, July 2018
- ‘Time for change’; PwC Law Firms’ Survey 2017
- ‘DLA Piper hack could cost “millions”, brokers say’
It is not unusual for an organisation to have a cybersecurity incident. It may be discovered through internal security controls (such as anti-virus or a Security Operations Centre), or it may be that a third party notifies the organisation of an event.
When an organisation becomes aware of an incident it creates a chain of events that benefit from good decision-making. Most Boards are advised that they need to rehearse and prepare for a cyber incident. This can help. However, the majority of incidents do not need, or benefit from, Board-level oversight.
Whilst the decision-maker of an organisation is rarely a cyber expert, they can play a critical role in achieving the optimum outcome. The following five points are provided as a guide to the decision-maker.
1. Appoint the right leadership for the incident.
Incident response is a specialised field within the specialised subject of cybersecurity. The majority of people who work in IT or IT security (cybersecurity) have no experience of overseeing a security incident. They may have a policy or strategy background and, whilst they may know the theory of how to respond to an incident, have very little hands-on experience.
The first decision that needs to be made is regarding the incident leadership. It may be that an in-house IT or InfoSec lead is exactly the right person to take charge. If there is uncertainty that a suitable internal person can carry the responsibility, the options are to bring in:
- a suitably experienced person to act as a mentor and guide to the in-house lead,
- an external specialist company to support the in-house lead,
- an external specialist company to take-over incident management.
It can be difficult for non-expert decision-makers to gauge whether an internal person is the suitable leader for the incident. Watch out for the following warning signs that someone may be out of their depth:
- They are trying to apportion blame before the incident is remediated.
- They are using more jargon than usual and it’s hard to understand all the points they are making.
- Terms like “best practice” are used to justify an activity as opposed to an explanation.
The organisation must have confidence that the right expert is leading the response activity. But scared people rarely make the best decisions. So even if the right person is on point, they will probably benefit from some reassurance.
2. Set the communication tempo that is needed and try to stick to it.
Whilst it is tempting to want to know everything, every step of the way, this is rarely the most productive way of dealing with the matter. Minimising the communication burden can help maintain the focus on remediating the issue rather than communicating the issue. It is helpful to explain the tempo of communication updates or triggers that necessitate an additional briefing and then encourage the incident responders to get on with the job in-hand.
3. Agree the desired outcomes at the start.
Unfocussed incident response can quickly spiral into a mess. Set realistic outcomes such as:
- Contain the incident to as few hosts and users as possible: this helps recovery and reduces impact,
- Minimise downtime for the organisation and users: this helps maintain business as usual,
- Reduce the likelihood of this impacting other organisations: this helps protect reputation,
- Identify how the attack occurred: this helps prevent future incidents,
- Identify which files have been compromised (exfiltrated, changed, deleted): this helps comply with legal requirements of reporting and assess the longer-term business impact. This is critical.
Setting the priorities at the start helps direct the response. As more information is discovered the priorities may change. But when an incident takes on a life of its own it can be more damaging than necessary.
4. Forensic images are almost never necessary.
The main benefit of a forensic image is if there is a likelihood that there will be a court case at some point and evidence needs to be presented in such a way that it can withstand challenge.
The percentage of court cases that result from a cybersecurity incident is very close to zero. The cost of capturing, recording and processing computers to a forensic level is non-trivial. It will cause significant downtime, delay the determination of the impact to the organisation and potentially cost a lot of money.
If there is reasonable suspicion that the incident was triggered by an insider, then using computer forensics may be the right route to take. If this is the case, consider using a specialist dedicated computer forensics team that is experienced in providing expert witness evidence.
Taking forensic images is no longer the standard approach taken for cyber incident response and it is rarely beneficial.
5. Make sure the response is less damaging than the incident
Rebuilds are often undertaken “to be safe”, even though the technical need for this is rare. This causes downtime and increases cost. If a rebuild takes place before the incident is analysed, it could result in critical evidence of attacker-activity being destroyed.
It is difficult to respond to a situation that is not understood unless an organisation is lucky. Relying on luck is rarely a good strategy.
There are cases of organisations switching off Internet connectivity, powering down server racks and shutting down critical systems. Whilst there may be a few catastrophic scenarios where this is the right thing to do, it is incredibly disruptive to an organisation and more often than not a panic response. Make sure that the post-incident assessment weighs the disruption against the risk to determine whether the response was reasonable and proportionate. Every incident is a learning opportunity.
There is no such thing as “perfect defence”. Many organisations will deal with cybersecurity incidents at some point, and the costs associated with data breaches are reported as averaging millions of pounds. As an incident may involve PR and legal experts as well as the cyber incident specialists, costs can mount quickly. The decision-maker can play a key role in ensuring the right business outcomes are achieved.
Cybersecurity is an industry, a field of academia, a buzzword, a science, an art and a bogeyman. And whilst cybersecurity cannot be avoided within any organisation that relies upon computers and data, there needs to be a way by which senior decision-makers can be involved in, and make decisions on, cybersecurity matters.
Cybersecurity is a highly specialised subject. It is complex and requires significant knowledge and experience that is different from normal IT knowledge. Knowing jargon and buzzwords does not mean that someone is an expert, so always check the credentials of your “trusted advisors”.
Despite its overuse as a term, cybersecurity is fundamentally about protecting computer systems and data.
There are rules
Most territories now have laws around Data Privacy and many industries have regulations around information security. These must always be complied with and, irrespective of whether they are useful, they are necessary to operate in specific sectors.
Whilst the regulatory requirements may originate from the best of intentions, it is likely that organisations will need to do additional things to have the right type of cybersecurity for their specific profile and operations.
Why does anyone need cybersecurity?
Questioning why cybersecurity is needed is a good starting-point as it helps anchor solutions and initiatives to the fundamental driver behind activity in this space.
- The more you rely on (take advantage of) IT, therefore
- The bigger an impact to the organisation if something goes wrong, therefore
- The more you need cybersecurity
Cybersecurity needs to be seen as an enabler to using IT. Without cybersecurity, reliance upon IT is an incredibly risky thing to do. In fact, one of the oldest risk equations in InfoSec (Information Security) works as follows:
In mathematics, if anything is multiplied by zero the answer is zero. If there were no Threats there would be no Risk; if there were no Impact there would be no Risk; and if there were no Opportunity to compromise a system there would be no Risk.
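The relation the text refers to, written out here as an added rendering built from the terms the article and its footnotes define (Risk, Threat, Impact, Opportunity); it is not reproduced from the page itself:

$$\text{Risk} = \text{Threat} \times \text{Impact} \times \text{Opportunity (Vulnerability)}$$

Because the three factors multiply, any one of them being zero removes the risk entirely:

$$\text{Threat} = 0 \;\Rightarrow\; \text{Risk} = 0, \qquad \text{Impact} = 0 \;\Rightarrow\; \text{Risk} = 0, \qquad \text{Opportunity} = 0 \;\Rightarrow\; \text{Risk} = 0$$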
There are formal methodologies to measure the level of risk to an organisation as a result of a computer security breach. Sometimes formal assessments are useful to help shine a light on the scale of the issue. But if you are not required to undertake them then, in most cases, there is little benefit in going down this route.
Cybersecurity is a cost and, like other costs, it should be managed. For many organisations this means that the goal is to spend as little as possible on cybersecurity whilst having a proportionate level of protection considering the risk. Getting that proportionality right can be a challenge. Cybersecurity is routinely both a victim to underspending, where there is a lack of appreciation of the subject, and a cause of overspending, where the expenditure has not been objective focussed and consequently failed to achieve a useful outcome.
There are three fundamentals that an organisation needs to do regarding cybersecurity:
- Prevent an incident from occurring – not all incidents can be prevented
- Detect an incident that has occurred – anti-virus cannot detect all incidents
- Respond well to an incident that has occurred – a good response can negate the impact of an incident
There may be exceptions to the above, but in general all cybersecurity expenditure should be aligned to at least one of those three. Therefore, mapping initiatives against them can be a useful activity. Combining this with an articulation of effectiveness (a metric is best) is useful as it helps focus the initiative on the right outcomes for the organisation. At the risk of repetition: remember that cybersecurity is highly specialised. It requires specialist tools in the hands of specialist practitioners. Whilst an organisation could build its own Security Operations Centre (SOC), the question of “why?” should be raised. A company could generate its own electricity, but why would it do so?
Cyber expenditure almost always consists of both:
- Anticipated expenditure – the cost of the tool, service or technology
- Additional impact – specialist and/or additional people, extra training, recruitment, facilities and a distraction from core business
The following matrix (with a made-up example) is provided to help characterise cybersecurity initiatives. It is intended to be completed quickly, on the back of a post-it note, to help rapidly focus attention on the nature of the investment and whether the benefit, costs and approach have been considered. It is not intended to replace a full investment case.
No matter how much is spent on cybersecurity, and no matter what you are told, no company or product can guarantee safety. All anyone can do is make it less likely that an organisation will be compromised or reduce the impact of compromise. The inverse, i.e. not spending any money on cybersecurity, does not guarantee that an organisation will suffer a security breach. Not every organisation gets hit and some organisations are lucky. However, a strategy requiring luck is not recommended.
Whilst cybersecurity should be on the agenda: it should not monopolise it. Cybersecurity should be frictionless and, ideally, left to the professionals who should take the pain of it away. If cybersecurity is routinely causing you pain it is worth asking whether it is being managed as well as it could be.
“Threat” refers to the groups or persons who do the attacking: hackers, nation states, hacktivists. The entities that undertake the attack.
“Impact” is the impact to your organisation if they succeed in stealing, destroying, changing or making your systems and data unavailable.
Impact is not just the confidentiality breach of information. Depending on the circumstances, availability or integrity compromises can be highly impactful.
“Opportunity (Vulnerability)” is a measure of how accessible the systems and data are to attackers. Very secure government systems are not directly connected to the Internet, and this reduces the Opportunity of attack considerably.
Attackers have access to all the same technology that the defenders have and, despite the prevalence of firewalls and anti-virus (both of which are much needed, by the way), they are still able to breach organisations’ security and gain access to systems and data. Prevention is better than cure, but it is not practical to rely solely on this element.
Keeping people alive is unquestionably more important than patching software, but unpatched software is vulnerable to exploitation, and won’t keep anyone alive if it leads to a breach of your IT systems, rendering them unavailable.
After WannaCry exploited unpatched Windows XP vulnerabilities and cost the NHS £92m, healthcare providers across the country carried out a mass upgrade to Windows 10. Making the move to the newer OS is synonymous with increased security (you’d be worried if it wasn’t…), but there is growing concern that it was seen as a tick-box, one-off exercise. Now that the OS that was exploited is no longer in use, healthcare providers feel safer. This is a dangerously complacent assumption – new vulnerabilities are identified almost daily, creating an ‘arms race’ between attackers and vendors; one looking to exploit, the other looking to get patches out.
The issue is further compounded as not all systems made it to Windows 10 – legacy IT systems remain where the service they provide can only run on the legacy OS. This particular stumbling block can make the health sector an easier target. Cyber attackers aren’t renowned for being a particularly moral bunch, so if they can shut down a hospital’s life support system and demand a hefty ransom to get it back up and running again, they’ll take that payday without a second thought as to the consequences.
Let’s not forget that despite its wealth of valuable confidential data, the healthcare sector isn’t always necessarily the prime target for cyber criminals.
In the midst of the novel coronavirus pandemic, certain threat actor groups have claimed they won’t be targeting healthcare providers, but can’t rule out accidentally compromising systems if they’re not patched properly. Without a robust patch management programme in place, the sector can easily become an unintentional casualty of cyber attackers looking to exploit any vulnerabilities in any business. Just look at WannaCry.
The NHS is the nation’s beating heart, and healthcare providers know better than anyone that a beating heart stopping is a very bad thing. You can’t fix vulnerabilities you don’t know about, but you can guarantee threat actors will find them. You need full visibility of where your IT estate’s weaknesses are, and clear guidance on how to fix them. Even if you’re not a target, an unpatched infrastructure leaves you open to exploitation by opportunistic cyber attackers and widespread malware campaigns.