Concerns about cybersecurity used to be the preserve of banks and of businesses that had incurred the wrath of the computer-literate section of the community known as cyber-activists. That is no longer true. The Irish legal sector has moved rapidly into using new technology to support practice development, from cloud-based dictation to remote working, from data-sharing to online banking – all of which both benefit legal practitioners and leave them at risk of cyber attacks.
The IT landscape for the legal profession in Ireland
Many Irish legal firms have already adopted a range of information technology that speeds up activity and allows for more sophisticated responses to client demands. The legal profession has always been IT conscious in one respect: it has inevitably been the repository of vast amounts of data, from handwritten briefs to online petitions, and law generates and stores data like almost no other sector. This is why many law firms are now moving into new technologies that permit easier management of this data – a development that can leave them open to attracting the attention of cyber-criminals.
There is good news though. Much of the work of developing robust cybersecurity has already been done by those organisations that have been most under attack. This means that within the legal sector there is plenty of scope to learn from that work and to put in place cost-effective mechanisms that identify, protect against and report cyber threats. It is straightforward to reduce your exposure to these threats rapidly, and because the first-generation cybersecurity development has already been done, it is a much less expensive process to protect your law firm than you might imagine.
Why would Irish law firms be at risk of cyber attack?
One of the biggest problems for many Irish legal practitioners is simply grasping the reasons that they might be putting themselves, and their clients, at risk. While we’ve become used to the idea that firms get hacked and attacked, it can be difficult for a mid-sized legal organisation to understand that it also has the potential to become a cyber victim. Here’s why:
Ransomware – this is malicious code, usually activated by somebody in the organisation clicking on an email attachment or website URL. It locks the firm out of its own data and demands a ransom before handing over the ‘key’ to unlock the data again. Ransomware has caused chaos for firms ranging from the international shipping line Maersk, through Chinese universities and the French railway SNCF, to the British advertising agency WPP – and these are just the high-profile victims who have gone public. Smaller organisations tend to pay up and keep quiet … if they can. Ransomware tends to come in waves, attacking several hundred firms worldwide at the same time, and anybody, anybody at all, is at risk.
Espionage – as any competent private detective agency will tell you, cybercrime has become one of the most common reasons for companies to engage a private investigator. For law firms this activity may come in one of two forms. The first is a remote attack where hackers (usually hired by a competing party) break into the firm’s files to obtain crucial information that will give their client an advantage in a contentious case, which may be commercial (mergers and acquisitions) or family law (divorce and custody hearings). The second is where an existing employee is subverted to provide information (passwords etc.) that can then be used to enter a computer system undetected and find the information required by the hostile party.
Leverage attacks – the increasing transfer of information from paper to cloud has put Irish law firms in the firing line for a leverage attack, a sophisticated process in which a major target such as an international bank, pharmaceutical company or international figure is attacked through an intermediary, such as their lawyers, doctors or travel agents, to find sensitive data that can then be used to leverage further data breaches closer to the target. This is a particularly sensitive risk area for legal practitioners because they hold vast amounts of data, much of which they may not recognise as threat-sensitive but which can be used to breach security systems elsewhere.
Phishing is possibly the most common form of cyberattack, and because it’s personal, it’s also one of the most underreported crimes worldwide. One cybersecurity company reports that its customers confirm that 48.2% of phishing emails were opened by the intended victim. That’s a staggeringly high percentage, and while most people stop at that point, a further 7.9% of phishing victims went on to click links and supply information that gave the phisher access to their systems.
Financial fraud is also on the increase, and it is a real risk for legal firms. It commonly happens where legal organisations have a cloud-based system that allows remote working, and it begins as an email purporting to come from a major client, or even a senior partner in the firm, demanding that an employee transfer funds to a particular account to allow an impending deal to go through. Often carried out at weekends or in the evenings, this kind of fraud relies on a degree of information about the organisation (often gained by phishing) and on tired staff being inattentive to detail and just wanting to get things done to please the client or partner.
Cyber campaigns are unlikely to be conducted against Irish legal firms, unless they have a client base that exposes them to this kind of risk. However, campaign attack behaviour needs to be understood because even the biggest and most robust organisations have proved themselves incapable of withstanding a campaign attack. The likely form of cyber campaign that a legal firm might experience is denial of service, or DoS. These attacks flood servers, systems and/or networks with traffic (enquiries, orders, requests) that overwhelms the system and makes it impossible for legitimate users to access. To put DoS in perspective – a DoS attack on the UK National Lottery in 2017 took down the lottery website and prevented people across the UK from buying tickets online. It began at 7pm, lasted until 11pm and continued to cause problems until 3am the following day.
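The phishing and payment-fraud emails described above share a handful of tell-tale signs that a mail gateway or a help-desk triage script can check for: a senior partner's display name on a message that actually comes from outside the firm, a look-alike sending domain, a Reply-To that diverts answers elsewhere, payment and urgency wording, and delivery outside office hours. The following is an added illustration of such a triage check, not code from this article or from any vendor it mentions; the firm domain, the staff names and the two sample messages are constructed for the example.

```python
"""Score inbound e-mail metadata for phishing / payment-fraud indicators.

Illustrative defender-side example. FIRM_DOMAIN, SENIOR_STAFF and the
SAMPLE_MESSAGES below are all constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime

FIRM_DOMAIN = "example-law.ie"                 # assumed domain of the firm
SENIOR_STAFF = {"aoife murphy", "sean byrne"}  # assumed partner display names
TRANSFER_WORDS = ("transfer", "wire", "payment", "funds", "account")
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "before close")


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: str      # empty string when the header is absent
    subject: str
    body: str
    sent_at: datetime


@dataclass
class Finding:
    score: int
    reasons: list


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sending domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(msg: Message) -> Finding:
    """Return a risk score and the indicators that contributed to it."""
    score, reasons = 0, []
    sender_domain = _domain(msg.from_addr)
    # A partner's name on mail that does not originate from the firm's domain.
    if msg.display_name.strip().lower() in SENIOR_STAFF and sender_domain != FIRM_DOMAIN:
        score += 3
        reasons.append("senior name from external domain")
    # Reply-To diverting answers to a different domain than the visible sender.
    if msg.reply_to and _domain(msg.reply_to) != sender_domain:
        score += 2
        reasons.append("reply-to domain differs from sender")
    # Domain within two edits of the firm's own (e.g. a swapped character).
    if sender_domain != FIRM_DOMAIN and _edit_distance(sender_domain, FIRM_DOMAIN) <= 2:
        score += 3
        reasons.append(f"look-alike domain {sender_domain}")
    text = f"{msg.subject} {msg.body}".lower()
    if any(w in text for w in TRANSFER_WORDS):
        score += 1
        reasons.append("mentions a payment or transfer")
    if any(w in text for w in URGENCY_WORDS):
        score += 1
        reasons.append("urgency language")
    # Evenings and weekends, when the article notes such fraud is often attempted.
    if msg.sent_at.weekday() >= 5 or not 8 <= msg.sent_at.hour < 18:
        score += 1
        reasons.append("sent outside business hours")
    return Finding(score, reasons)


def is_suspicious(finding: Finding, threshold: int = 4) -> bool:
    return finding.score >= threshold


# Constructed sample input: one routine internal message, one fraud attempt.
SAMPLE_MESSAGES = [
    Message("Aoife Murphy", "aoife.murphy@example-law.ie", "",
            "Draft lease for review",
            "Please find attached the draft lease for your comments.",
            datetime(2024, 3, 12, 10, 30)),          # a Tuesday morning
    Message("Aoife Murphy", "aoife.murphy@example-1aw.ie", "a.murphy.partner@webmail.example",
            "Urgent: completion payment",
            "Sean, wire the completion funds to the new account today, before close of business.",
            datetime(2024, 3, 16, 21, 5)),           # a Saturday evening
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        f = triage(m)
        print(f"{m.subject!r}: score={f.score} suspicious={is_suspicious(f)} {f.reasons}")
```

The scoring is deliberately simple so that the reasons can be shown to the employee who reported the message; the point is that several weak signals together are what distinguish a fraudulent instruction from a partner's genuine request, and a review threshold can be tuned to the firm's own mail patterns.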
Ways to recognise and respond to cyber-risk
So, now you understand the reasons that you need to ensure your cybersecurity is first rate, but how do you take steps to protect your firm, and your clients?
There are three stages to succeeding in cybersecurity: understand the risks, take action to protect physical systems, educate employees to ensure personal awareness of cyber-breach.
Understanding risk shouldn’t be the preserve of your IT team or practice manager; it needs to be something that senior management both understands and responds to. This sets the tone for an organisation that can engage with the potential for cyber risk at every level. Transferring understanding outside specialist areas like IT itself is vital to having a robust cyber-attack response.
Maintaining Your Understanding
Maintaining your understanding of risk is also crucial. Cyberattack is a fast-moving and sophisticated field of criminal activity, often undertaken across national boundaries and utilising multi-stage attack systems that make it impossible to track attacks back to their countries of origin. Last year’s big stories like the WannaCry and Petya ransomware attacks are exactly that – last year’s stories. Every few weeks there is a new attack, a new virus, a new wrinkle in the way that cyberspace is being challenged. It is vital that somebody in your organisation is responsible for staying on top of this risk evolution, and that the person whose role this is also has the authority and power to educate the whole firm about risk.
Weaknesses in Technological Systems
Weaknesses in technological systems are the most common reasons for cyber attacks. Hackers, both professional and amateur, simply test systems at random to see if you have changed the installation passwords (often ‘Admin’, ‘Password’ or ‘123456’). If your system opens to this initial test, then your entire system is compromised, from personnel files to online banking details, including confidential client files and tax data – anything in your computer system is fair game to the hacker.
Guarding Your Physical Data
But guarding your physical data systems requires so much more than this. For example, in 2017 a researcher found a publicly accessible database that held the personal data of over 198 million American voters. That’s almost everyone who has had the right to vote for the past decade. How could this happen? A data firm had misconfigured its database on a server so that, while most of the data was shielded, over a terabyte (that’s one trillion bytes!) of the data was open to public view. Knowing how to protect the data you already hold, regularly testing your data security against threats and recognising the need to stay ahead of potential cyber attacks are all key elements of a physical security system that will work in the long term.
Balance your risk with action. Once you know your major threats, you can begin to quantify your risk and put actions in place to protect against it. Many firms operate a risk register which both records the level of risk that you are willing to operate within and outlines management systems for the day-to-day management of risk. Your threat action plan should sit alongside your register so that as soon as you identify a potential risk, whether it is a data breach, a phishing scam being reported by an employee or one of the national threat warnings about ransomware, your organisation has a structured response that gives you a strong defence against the risk. Unless you know how much a cyberattack could cost you, it is impossible to create the systems that protect you against it. Some Irish legal firms run simulations to test their systems while others circulate digests of the most recent threats … it all helps keep your organisation proactive rather than reactive and gives your team confidence that they are equipped to handle whatever may be thrown at them.
Educating for personal awareness is also vitally important. Going back to our earlier statistic, over 35% of those clicks on phishing emails were in the workplace, because while people are becoming increasingly aware of their personal risk, they are often still slow to accept that they may be scammed or phished while at work. This means that your law firm’s cyber defence is only as strong as its weakest link – which may be your temporary paralegal employee.
Giving clients confidence in your cybersecurity
It is important to know what is at risk from cyber attack. It is not just that your technology may be permeable, that your data may be leaked or that you could be exposed to phishing or fraud. Reputational threats are a paramount consideration for Irish legal practitioners, as are the likelihood of disruption to business as a result of an attack and the knock-on financial loss that follows a cyber attack. Clients haemorrhage from firms that are exposed to risk, even if there have been no adverse results from that exposure. Not only that, but legal firms may be at risk of fines, or even suspension, if they fail to maintain data integrity.
Cybersecurity as a client benefit
On the other hand, being able to claim cybersecurity as a feature of your legal practice is increasingly likely to help you attract and retain substantial clients. It is becoming commonplace for clients to ask how their legal advisers guarantee both data confidentiality and data security – for those working in litigious areas, proof that you can handle data with sensitivity can be a deal-closer for a cautious client.
IT and Cybersecurity – a threat and a potential boon for the Irish legal sector
In summary, while there is no doubt that many Irish legal firms are not fully aware of their risk or protecting themselves from it, there are many potential upsides to becoming cybersecurity conscious and building a strong cybersecurity system to guard against cyberattack.