It was recently revealed that the data leak from Panamanian law firm Mossack Fonseca was caused by an outsider who was able to capitalise on vulnerabilities in old-fashioned technology. This is not unique or a surprise, but actually a common occurrence. Law firms around the world are constantly under attack from hackers, undoubtedly because they not only deal with a huge amount of monetary transfers each day, but also due to the wealth of confidential information contained within their servers.
All law firms, and indeed all businesses, can be hacked in a number of different ways, from stealing an office mobile phone to piecing together a shredded document. However, there are two main ways in which a firm is most likely to be breached: through software vulnerabilities or social engineering of its staff.
Every day, security researchers and hackers find numerous ways to bypass security defences in a piece of software. The vendor of that software will then fix the weakness with an update, and the cycle continues. The issue lies in the window between the vulnerability being identified and ultimately being fixed by the IT team. This could be a matter of minutes, but could be days, weeks, or even years in some cases, depending on the team’s software update schedule and the level of additional security systems in place.
Closing that window promptly is an important task, as every single device connected to a network is at risk if the weakness is not corrected in time, ranging from a server or printer right the way through to a door entry system. It is also important to consider how patient a hacker can be: it may take days, months, or even a year for a hole to appear in a network, so it is a waiting game on their part, but one they will willingly play.
Socially engineering staff
Utilising a firm’s employees is undoubtedly the simplest and most effective method of breaching a firm’s network. Hackers can exploit staff within a firm to divulge information, either allowing them to access systems directly or to build up a picture of the environment, which is then pieced together to allow them to breach its defences.
Obtaining this information can be as simple as calling an individual within a firm, stating that you are new within the IT department and need to run some tests on their machine. The oblivious employee will then go to a fake website and run a piece of software as requested, which then gives the hacker on the phone access to the firm’s network. Once a hacker has got into a network, it is simple for them to escalate system privileges and gain access to whatever they wish.
To get on the right track here, firms must train their employees well and keep them informed of any security threats that are current and could be on the horizon. By demonstrating to employees in a seminar-based format just how easy it can be to succumb to a hack, firms can help to dramatically increase their defences. Offering real world examples alongside regular updates of the latest guises of cyber attacks will help to reinforce this training.
Starting with cybersecurity
The issue facing firms for many years is that hackers can easily learn and develop these skills online – by joining a user group, watching videos or downloading more or less ready-to-go software applications.
Due to the number of financial transactions that occur within law firms on a daily basis, they are a prime target for hackers and if not protected by a concrete cybersecurity strategy, can be an easy source of money. Firms concerned about their own computer failures following the hack at Mossack Fonseca might not know how to implement a cybersecurity defence, or how to initiate improvements to their existing offering.
The truth is that technology is actually the last piece of the puzzle when it comes to cybersecurity – the real work comes in undertaking risk assessments and understanding what the risks to a firm are. A firm will be truly vulnerable to hackers if these two basic exercises have not been completed.
The issue is that over time the security landscape changes, and so do the risks. The risks have developed and moved on, but many firms are still relying on the basics to protect themselves. In order to implement an effective data leak protection policy, firms should implement controls such as portable encryption, endpoint protection, email content control, data leak prevention and intelligent firewalls as a minimum.
The ISO 27001 standard is a worldwide standard for managing IT security within a business, and is a fantastic starting point for a law firm looking to implement a cybersecurity strategy. In the main, it boils down to a firm identifying its risk, assigning controls to these risks and then continuously reviewing and improving this process. This approach will give the senior leadership team and staff throughout the firm the confidence that the business has been truly analysed and appropriate controls assigned to potential chinks in its armour.
It is likely that the security systems needed to protect the majority of firms from the majority of hacks are already in place. If a firm is already running an Information Security Management System (ISMS), continually monitoring, documenting, reviewing and improving its security processes, then it is certainly on the way to being truly protected. At this point, a firm should look to have its security tested by an expert, to ensure there are no weak points in its structure.
Regardless of how or when a cybersecurity strategy has been implemented, it is imperative that the senior management within a law firm takes responsibility for its security. An IT department, whether outsourced or within a firm itself, should not have the responsibility placed solely on its head if a firm does have a data leak. It is a firm’s responsibility, particularly the board’s, to understand the risks, and prepare for the constant attempts by hackers to find a way into its network. Only then can a firm and its staff feel confident that they are cyber secure.