
Cybersecurity - What you need to know

Barbara Relph

Is your practice protected from cyber threats? The cheap lock on the back door to your practice could be as simple as your choice of passwords, or failure to use two-factor authentication on your emails – and is just as easily remedied.

The tech world is full of buzzwords, and the buzzword “cyber” simply means the use of technology, so a “cyber threat” is a risk which arises from the use of technology.

Government organisation CERT NZ (Computer Emergency Response Team) figures showed a 65% increase in the number of cybersecurity reports made by individuals, small businesses and large organisations in 2020 compared with the previous year. There is no doubt that there are vastly more unreported incidents.

How do you keep your information and your clients’ secrets safe? This is especially difficult when that information needs to be easily available wherever you are working. The marked trend towards remote working adds to the problem by moving client information on to other devices which may not have the necessary security.

The storage of client information is clearly the lawyer's responsibility. Aside from requirements under the Privacy Act and the Client Care rules, it is simply bad for business when there is a breach of data security. But the question is how much you - a lawyer - need to know about technology in order to meet your obligations.

The US, Canada and Australia have regulated the issue of cyber security for law firms in their codes of ethics.

For instance, the New Hampshire Bar Association regulates the competence of a lawyer to include “a basic understanding of the technologies they use”. And further, “as technology, the regulatory framework, and privacy laws keep changing, lawyers should keep abreast of these changes.”

In New Zealand, we haven't reached that point. But it is certainly arguable that you need to know enough so that you are not negligent. It can be quite a conundrum to find the gold standard of the best technology and the ability to access information from anywhere, all while keeping costs as low as possible. This is the challenge for a small business such as a barrister's practice.

Defining types of incidents:

The burgeoning cyberattack industry has produced new industry-specific words which can be heard or read on any news platform. You may be familiar with some or all of them, but they are roughly defined here.

• Malware (malicious software): Malware is designed to infiltrate a system, causing damage without you knowing or consenting. This includes viruses, worms, Trojan horses, spyware, and adware.

• Ransomware: A form of malware with a specific purpose: once it has exploited a vulnerability to get in, it encrypts the contents of the hard drive it is installed on and demands that the user pay a ransom to recover the files.

• Phishing and credential harvesting: These are emails, texts or websites which attack by convincing users they are genuine when they are not. They are clever, masquerading as being from authentic sources and result in people volunteering information or money.

• Spear phishing (payment fraud): Similar to phishing, this is where someone hacks into a system and impersonates a known contact. They then set up a fake account almost identical to that of a trusted supplier or even staff member and ask you to make payment to that account.

• Scams and fraud: Computer-enabled fraud that is designed to trick users into giving up money, such as phone calls or fraudulent internet pop-up advertisements which con users into installing fake software on their computers.

• Reported vulnerabilities: This covers weaknesses in software, hardware or online service, which can be exploited to cause damage or gain access to information.

• Suspicious network traffic: Detected attempts to find insecure points or vulnerabilities in networks, infrastructure or computers. Attackers usually try to work out if your system is worth attacking and these attempts are sometimes detected by security systems and can provide an early warning.

• Unauthorised access: Successful unauthorised access can expose networks, infrastructure or computers to a wide range of damaging activities. These activities generally either compromise confidentiality, or improperly modify the integrity of a system, or affect the availability of a system.

How do you know if you are being attacked? The weak link with cyber security is usually people. Minimise this risk by learning about what you should look out for, with the aim of preventing attackers getting through your defences. Phishing is the main type of threat identifiable through email and is the most likely avenue for a successful cyberattack.

What a threat might look like, and how to protect yourself

Imagine this. Your secretary, Marie, receives an invoice for $25 from a new supplier for two memory sticks. Marie is frantically busy and just pays it because you are working on a huge case and have asked not to be disturbed.

That invoice may have been sent to 50 or 5,000 businesses, in the hope that a few will just pay without checking. It’s small, so it is likely to fly under the radar, and now they are a new supplier in your business, so future invoices are likely to get through the system as well.

This is phishing.

Another scenario. Marie receives an email from you saying, “Hi Marie, I need this account paid urgently.” She pays the account promptly, as you have asked. Marie didn’t check the email address which the instruction came from – why should she? It was likely to be very similar to your actual email address, but unfortunately, it wasn’t from you. Your email account had been hacked and a fake account set up, and you are now out of pocket with little hope of seeing those funds again.

This is spear phishing.

Encourage your staff to trust nothing which arrives by email. Have a list of known suppliers and their associated bank accounts; and verify any new payment instructions using a secondary method – a phone call to a known number is good.

The rules are simple:

• Slow down.

• Check everything - the email address and other credentials of the sender, verify any payment demands.

• If you don’t recognise the sender, don’t reply.

It’s unrealistic to think you could prevent every cyber breach, but there are practical steps you can take to minimise potential risks.

How will you manage a cyber-attack? Has your IT supplier advised you on systems able to withstand a ransomware attack? Most small businesses will call their IT company as the first port of call, so check your IT supplier is experienced at handling cyberattacks.

Prevention being the best form of defence, CERT offers sound advice [1] to protect the security of your client information. Work through this list with your IT supplier.

Top tips for safeguarding business or client information:

• Install software updates as soon as they are available.

• Implement two-factor authentication on key systems (email, cloud services, document storage, client information storage) so anyone who logs in to your system has to verify that they are who they say they are.

• Back up all your data, ideally automatically to remove human error.

• Log multiple failed log-in attempts so you are alerted to any unusual or unexpected events.

• Create a plan for when something goes wrong (sorry, but the buck stops with you).

• Update default login details from the factory pre-set, ensuring new passwords are strong. A password manager is a useful tool.

• Choose a cloud service which suits your needs – do they provide a back-up service? Do they offer two-factor authentication? Do they monitor for security breaches?

• Only gather data you really need. For legal work this may be ambitious since you will be gathering a significant amount of private information from clients, but it does raise the point that security is more important for legal work than most other businesses because of the sensitive nature of all the data collected.

• Secure your devices using anti-malware software on every device that accesses your systems.

• Secure your network, considering connections in and out of your business, and limit access to only those who need it.

• Check any payment requests against a known list of suppliers, confirming new suppliers by a secondary means.

What to do if you are the victim of a cyber-attack:

If you are the victim of a cyber-attack, the Law Council of Australia offers good advice [2].

• Get help immediately from your IT supplier to identify the threat (determine what is happening, if or how it is spreading, and whether you are being targeted directly or the attack is broader than just your system).

• Neutralise the attack (protect your own and your clients’ data, limit access to all data, find and remove the threat).

• Review your system through a complete audit to minimise further risks (check all data and consider data recovery options, prioritising data recovery methods).

• Restore and rectify infrastructure to eliminate vulnerabilities (isolate the system, rebuild the platform, review the entire system).

• Recover your data, ensuring you know what data is accurate and what is unreliable.

• Test to ensure all systems are functioning properly and resume operations.

Once the system is secured, it’s time to reflect and learn from the experience.

• Write or ask your IT supplier for a report on the event considering what happened and how the problem will be avoided in future.

• Implement any changes that have been identified.

• Notify the National Cyber Security Centre and consider your obligations to report under the Privacy Act 2020.

• If you don’t have cyber insurance already, this might be the time to sort that out. If you do have insurance and the breach may result in a claim, talk to your insurer.

• If client information may have been breached, you have an obligation to notify your clients.

How can cyber insurance help you?

“Cyberattack has grown to be one of the most prevalent business threats in recent years, and the value of having a policy has really been tested, especially in the last 12 months,” says Jono Soo, Head of Cyber Specialty at Marsh New Zealand.

The value for a small business is that this type of insurance provides a support network enabling barristers access to the same resources as big corporates. “Cyber insurance gives immediate access to data recovery and forensic investigation experts to help get back online quickly or manage a potential data breach. These resources can cost a lot without insurance, depending on the level of complexity of recovery.”

The bottom line:

You may be a legal expert, but chances are your IT skills don’t match your knowledge of the law. Carefully select an IT supplier who you trust and who is responsive. They must fully understand your system and be proactive, offering advice on security before you ask for it.

Further resources:

Computer Emergency Response Team (cert.govt.nz)

National Cyber Security Centre (ncsc.govt.nz)

Bar Council UK - Information Security Guidance https://www.barcouncilethics.co.uk/documents/information-security-3/

Marsh Insurance https://www.marsh.com/nz/insights/risk-incontext/rising-cyber-threats.html

Law Council of Australia http://lca.lawcouncil.asn.au/lawcouncil/cyberprecedent-tools (please note this site displays a "not secure" warning at the time of writing. When a site is not secure, you may want to avoid transactions or using the site in a public network).

Lawyer Monthly https://www.lawyer-monthly.com/2021/04/strong-defences-are-not-enough-why-lawyersneed-a-new-way-to-think-about-cybersecurity/

* Barbara is a professional writer, editor and proof-reader – www.barbararelph.com.
