Cyber risk and the legal practice – what creates risk and how to begin managing it

“All firms are now tech firms.”

This has become a commonly repeated mantra within business circles over the last few years. The real implication of this phrase is not to imply that all businesses provide technology services to their clients, rather that digital technology is now integral to the working of almost all business.

Mainstream news regularly covers cyber incidents, such as data breaches and denial-of-service attacks. It is thought that 46% [1] of UK businesses have fallen victim to a cyber breach in the last year. With cyber risks ever increasing, where does the legal profession sit?

The key is to understand why a cyber criminal might specifically target a legal firm, how they might go about doing it, and the critical actions firms can take to manage the threat.

Why target a legal firm?

By their very nature, many legal firms hold significant amounts of sensitive client data. Information around mergers and acquisitions, pending legal action, and shifts in the market could be directly monetised by cyber criminals. These are the obvious targets, though this model is still reliant on finding a buyer for the stolen data. Ransomware attacks circumvent this necessity by cryptographically locking digital files, before demanding a ransom for their return.

Ransomware is fast becoming one of the most prevalent types of attack, because it can be extremely financially rewarding for cyber criminals. This involves using malicious software to encrypt information or lock computer hardware, restricting access unless a decryption key is provided. Typically, this key can only be retrieved through a ransom payment. In 2020, the average ransomware demand has risen to $84,000 [2] (£64,500), but demands in the millions are commonplace.

In the event of such an attack, legal firms must be confident that they can continue providing the important services that clients rely on. In the worst-case scenario, a lack of preparation for such an incident can create an extinction event, whereby all operations cease. Regardless of the ransom demanded, the loss of clients, reputational damage, and remedial costs could prove much higher. At the same time, the regulatory backdrop has changed with the advent of GDPR, the consequences of which could see significant fines of up to 4% of global turnover.

As for paying the ransom itself, this could mark you as an organisation that will pay and might encourage other attackers. Similarly, there is also a chance that the attackers will not actually decrypt data, either because they do not want to, or because their malware is faulty and they can’t. The Solicitors Regulation Authority encourages solicitors to “consider their duties to the public interest and the rule of law when deciding on ethical questions such as this”.

As more businesses have mitigated ransomware attacks by restoring from offline backups, the “ransom or dump” approach has emerged. In these instances, criminals steal victim data and threaten to dump it onto the open Internet if the ransom is not paid, exponentially increasing the pressure on the victim to pay.

Aside from the obvious ways to monetise data, legal entities are particularly appealing to cyber criminals not only for their privileged information, which is likely to be of great interest to many parties, but also because of their interconnected nature with other high-profile targets. Termed “lateral movement”, the basic tactic is to compromise one legal firm in order to compromise one or more of that firm’s clients.

What can legal firms do to manage their cyber risk?

One of the established axioms of security is that if a system is 100% secure, then it is 100% unusable. Any usable system has to carry some risk of cyber compromise, and modern cyber security is about balancing risk against usability.

For a law firm, it is about two things:

1. Taking appropriate measures to prevent an incident

2. Putting in place contingency to appropriately manage an incident

Prevent …

Clearly the best cyber incident is one that never happens. Investing in preventative measures is the one way to ensure that cyber risk is appropriately managed. Effectively implementing this sentiment is driven by a strategic approach to cyber security combined with operational budget allocation.

An important first step is to understand what information you hold and which of it is most valuable to you. This could be privileged client information or key information about your business. There is no objective standard for what is valuable; every organisation needs to understand what information it holds.

The next step is to apply the relevant controls to protect valuable data and systems. These controls range across multiple sub-disciplines such as cyber threat intelligence, network security, patching strategy and security operations centres, to name but a few.

Respond …

However, even with the best preventive measures in place, it is a case of when – not if – a modern business will be hit by a cyber incident, and it is important to be prepared when this happens. Of the 46% of businesses that experienced a breach in the last 12 months, only 68% of them had a response plan in place. For some of these organisations, plans were purely technical in nature with less consideration given to other crucial components of a response, such as media and employee communication.

Clearly, there is a necessity for a cyber incident response plan that is realistic, wide-ranging, and well-rehearsed. This is the difference between a swift response that keeps critical business processes running and facing significant downtime, lost customers and reputational damage.

Developing such a plan is no small task. Many first-time planners instinctively feel that cyber response planning is purely an information technology problem. This is not the case, and while the problem is part technical, if an attack occurs, it will not be the IT department that has to answer your clients’ questions.

A good cyber incident response plan should not only consider technical remediation but also capture how to mitigate the immediate threat to business operations. Who will speak to regulators? What is the communications plan to manage clients’ questions?

It should also be clear about who is responsible for what during an incident, and what decision-making authority has been delegated to them to take action to mitigate the incident. The plan should also be specific about the skill sets needed to action the plan. For some organisations, employing people with all the technical specialties needed to respond might not be cost effective, so these skill sets will need to be brought in for the incident.

Most importantly, the plan needs to be lived. It must be regularly rehearsed via exercises to ensure everyone knows their part and that assumptions are correct. Such exercises can be as simple as a round table where key stakeholders talk through a scenario, or very complex events with multimedia and technical injects to drive the exercise. Other than dealing with an actual incident, an exercise is the only way to validate the effectiveness of the plan.

In conclusion …

Now is the time to act to protect your firm’s systems and data and put a solid incident response plan in place. As cyber criminals adopt increasingly sophisticated tactics, these measures could be the difference between a quick and effective response and a damaged reputation, lost customers, a hefty GDPR fine, or worse – such significant disruption that your firm is unable to recover. ■

Craig Hickmott

Manager, Cyber Incident Response

Deloitte

Craig Hickmott is a manager with Deloitte’s Cyber Incident Response team, which advises clients on how to respond to cyber incidents and offers live response services to afflicted organisations. Prior to joining Deloitte, Craig was an Officer in the Royal Signals, managing communications systems at various government classifications.

1. NCSC Cyber Security Breaches Survey 2020 – www.gov.uk/government/statistics/cyber-security-breaches-survey-2020

2. www.forbes.com/sites/leemathews/2020/01/26/average-cost-to-recover-from-ransomware-skyrockets-to-over-84000/#1d4b585913a2