Firms are more at risk of cyber security attacks than ever, with research from security firm Symantec indicating that almost half of online cyber-attacks now target small to medium enterprises (SMEs). Law firms are particularly attractive to hackers because of their vast repositories of detailed data about individuals and companies. Such personal information offers a double lure: sensitive data may be held to ransom against lawyer and client, while law firms, keen to protect client confidentiality and marketplace reputation, are perceived as wealthy ‘soft targets’ willing to pay large sums to regain compromised data.
With the estimated cost of the world’s cyber crime wave projected to reach $2 trillion by 2019, having hit $400 billion in 2015, all businesses are on notice to take action on cyber security. Fabian Horton, a College of Law lecturer and expert on how technology affects the law, spoke to Insights about what kind of cyber-attacks threaten law firms, and what firms could do to defend against increasingly common, sophisticated cyber criminal attacks.
“The human factor is by far the biggest threat,” explained Horton. “Social engineering and scams of the phishing variety (including spear-phishing and whale-phishing) are a huge problem.”
Social engineering attacks exploit human error rather than technical flaws: the attacker deceives employees or users into handing over sensitive or confidential information, or into taking an unsafe action such as clicking on a malicious link. Spear-phishing relies on the target believing a message comes from a trusted sender – the tax office claiming you are owed a refund, the bank, a manager or colleague, or even Dropbox or Facebook. Clicking on the link may result in the unauthorised installation of malware on your computer and any connected drives. Whale-phishing (‘whaling’) is much like spear-phishing, but its intended targets are wealthy, senior members of an organisation.
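The sender tricks described above (a trusted brand in the display name, a look-alike or subdomain-abused domain, a Reply-To pointing elsewhere) can be checked mechanically before a message reaches an inbox. The script below is an added example written for this article, not tooling from the College of Law or any vendor named on the page; the trusted-domain list, the brand-to-domain mapping, the firm domain examplelaw.com.au and every sample message are constructed for illustration.

```python
"""Flag common spear-phishing sender tricks in raw e-mail headers.

Added example for this article; the domains, brand list and sample
messages below are constructed, not taken from any real incident.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the firm keeps a short list of domains its staff routinely trust.
TRUSTED_DOMAINS = {"dropbox.com", "facebook.com", "ato.gov.au", "examplelaw.com.au"}

# Brand words attackers put in the display name, mapped to the domain that
# really owns the brand (constructed mapping).
BRAND_DOMAINS = {"dropbox": "dropbox.com", "facebook": "facebook.com",
                 "tax office": "ato.gov.au"}

# Characters and digraphs commonly swapped to build look-alike domains.
_SINGLE = str.maketrans("0135", "oles")
_DIGRAPHS = (("rn", "m"), ("vv", "w"))


def normalise(domain):
    """Fold homoglyph substitutions so dr0pbox.com compares equal to dropbox.com."""
    d = domain.lower()
    for src, dst in _DIGRAPHS:
        d = d.replace(src, dst)
    return d.translate(_SINGLE)


def edit_distance(a, b):
    """Levenshtein distance; one edit away from a trusted domain is a classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_trusted(domain):
    """Exact trusted domain or a genuine subdomain of one (mail.dropbox.com)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def analyse(raw_message):
    """Return human-readable findings; an empty list means no sender trick was spotted."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    findings = []

    if not is_trusted(domain):
        for t in TRUSTED_DOMAINS:
            if domain.startswith(t + "."):
                # dropbox.com.evil.example: the trusted name is only a leading label
                findings.append(f"trusted domain {t} used as a subdomain of {domain}")
            elif normalise(domain) == normalise(t) or edit_distance(domain, t) <= 1:
                findings.append(f"look-alike domain {domain} resembles {t}")

    lowered = name.lower()
    for brand, owner in BRAND_DOMAINS.items():
        if brand in lowered and not (domain == owner or domain.endswith("." + owner)):
            findings.append(f"display name {name!r} claims {brand} but address is @{domain}")

    reply_domain = sender_domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To goes to @{reply_domain}, not the sender's @{domain}")
    return findings


# Constructed sample messages (headers only; bodies are irrelevant to the checks).
SAMPLES = {
    "legitimate": 'From: "Dropbox" <no-reply@dropbox.com>\nSubject: Shared folder\n\nbody\n',
    "display_name_spoof": 'From: "Dropbox Team" <alerts@mailer-notify.example>\nSubject: Verify\n\nbody\n',
    "look_alike_domain": 'From: "Accounts" <billing@dr0pbox.com>\nSubject: Invoice\n\nbody\n',
    "subdomain_trick": 'From: <it@dropbox.com.example.net>\nSubject: Reset\n\nbody\n',
    "reply_to_mismatch": ('From: "Senior Partner" <partner@examplelaw.com.au>\n'
                          'Reply-To: <partner.examplelaw@webmail.example>\n'
                          'Subject: Urgent transfer\n\nbody\n'),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", analyse(raw) or "no findings")
```

The checks are deliberately cheap so they can run on every inbound message; they catch the impersonation patterns the article describes but not a genuinely compromised trusted mailbox, which is why the human-factor training Horton recommends still matters.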
Recently, more complex multi-stage versions of these phishing scams have emerged – some, triggered by a major celebrity death, offer a ‘goodbye video’ that leads to a fake BBC news page, which in turn links to online surveys. The scammers profit through affiliate programs that pay commissions for completed surveys and file downloads.
Both forms of phishing aim to capture confidential information such as passwords and financial details, or to extract payment for fake software. Alternatively, if malware is triggered, your keystrokes, passwords and other confidential company information may be recorded. This approach was used in a billion-dollar heist across some 30 countries; codenamed ‘Carbanak’ by security firm Kaspersky, it involved hackers commandeering bank systems and artificially inflating balances, so that a customer’s account might rise from $1000 to $10,000, with the extra $9000 going to the hacker.
“Even professionals can get caught in these traps,” said Horton. “In addition, malicious insiders can weaken a law firm’s security considerably. Law firms should be vigilant and monitor the access levels of all personnel.”
As cyber-attacks become increasingly organised, Horton urges law firms to keep up to date with the tactics employed by cyber-criminals. “There is a growing list of technology-based threats that cyber-criminals use to attack infrastructure and compromise data. New threats are constantly emerging.”
In response to mounting cyber security threats, Horton’s counsel is simple: take cyber security seriously.
“At the moment, it is still considered a function of the IT department. Rather, it should be treated as a professional responsibility issue,” Horton said. Horton’s advice is particularly relevant given confidentiality requirements imposed on lawyers as part of their practising certificates. “A culture of cyber security needs to be instilled into every legal practice. This needs to be championed from the partner level.”
“Law firms should also be partnering with cyber security experts to put in place a complete cyber security strategy. Along with a complete cyber security policy, law firms should work with experts to create and implement a robust technological cyber security package.”
Fabian Horton, as well as Terri Mottershead, Director of the Centre for Legal Innovation at the College of Law, will be presenting a Technology and the Law intensive in March 2017. Fabian is also teaching a new subject in the Legal Practice Management major of the LLM (Applied Law) Technology in Legal Practice.