Lawyers the weakest link in firms’ cyber security, expert warns
Law firms’ biggest vulnerability in the digital world comes from within, according to a cyber security expert.
Roy Zur, the founder and CEO of security company Cybint Solutions and a qualified legal practitioner, warned lawyers at the 2017 International Bar Association (IBA) conference in Sydney that they will increasingly be targeted by hackers.
“You are a target because your data is interesting and your clients are interesting,” Mr Zur said.
“Even though you might think everything is okay, hackers will try to get into your firm, or into your company or into whatever organisation you are in, because your data is worth money.”
Mr Zur said staff are the weak point in law firms, as hackers can exploit human nature, not just digital vulnerabilities.
“Lawyers, or employees in general, are the weakest link,” he said.
“Ninety-five per cent of all security incidents involve human error. It doesn’t have to be intentional. Human error can be a lot of things … So your employees, your lawyers, your staff, whoever has any access to your system – even guests that you give access to your Wi-Fi network, depending how secure it is – you need to understand that’s your biggest threat.
“We need to understand that hackers are using human nature against us, whether it’s trust, whether it’s greed, there are a lot of things that hackers know how to take advantage of.
“When I think about cyber security awareness I think about cyber crime, about identity theft, social engineering, malware, safe browsing, Wi-Fi security, and of course mobile security.”
Mr Zur demonstrated how easily Wi-Fi security can be compromised with two simple examples.
“Who is connected to the Wi-Fi network here?” he asked the audience.
“You should know that if you’re connected to the Wi-Fi network, whatever you’re doing, browsing, while you’re connected to the Wi-Fi network, is exposed.
“I can, right now, by just connecting to the same Wi-Fi network, I can see what you’re doing on the internet just by using a very easy-to-do attack that is called ARP [address resolution protocol] spoofing. I can download two tools for free online and do it.
“Second, and I did it yesterday, I can change the name of my phone and call it ‘IBA free Wi-Fi’, and change the password of my phone and give the password ‘[redacted]’, which I think is the password of this conference.
“I did it yesterday and a few people connected to the internet through me. Of course, I immediately shut it down, but I was their access point to the internet, which means that everything they are doing is going through me. It’s illegal, so I stopped, but you should be aware of that.”
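The ARP spoofing and rogue access point tricks Mr Zur describes both leave a trace on the network itself: the gateway’s IP address suddenly answers from a new hardware (MAC) address, and one MAC starts answering for several IPs at once. The following monitor, written here as an added illustration and not part of Mr Zur’s talk or any Cybint product, reads ARP replies in the style of `tcpdump -n arp` output and raises an alert on either condition. The log lines, addresses and the `10.0.0.1` gateway are constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the style of `tcpdump -n arp` (not a real capture).
# Lines 3 and 4 show a second host (f0:18:98:...) claiming both the gateway
# and a workstation, the classic footprint of an ARP spoofing man-in-the-middle.
SAMPLE_ARP_LOG = """\
12:00:01.000000 ARP, Reply 10.0.0.1 is-at 3c:22:fb:11:22:33, length 28
12:00:02.000000 ARP, Reply 10.0.0.42 is-at 9c:b6:d0:aa:bb:cc, length 28
12:00:05.000000 ARP, Reply 10.0.0.1 is-at f0:18:98:de:ad:01, length 28
12:00:06.000000 ARP, Reply 10.0.0.42 is-at f0:18:98:de:ad:01, length 28
"""

ARP_REPLY = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


@dataclass
class ArpMonitor:
    """Tracks the first MAC seen for each IP and flags later changes."""
    gateway_ip: str                                   # assumed gateway address
    table: dict = field(default_factory=dict)         # ip -> mac first observed
    reported: set = field(default_factory=set)        # MACs already flagged as multi-IP
    alerts: list = field(default_factory=list)        # (severity, message)

    def observe(self, ip: str, mac: str) -> None:
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac            # baseline: first answer wins
        elif known != mac:
            # A gateway changing MAC mid-session is the strongest signal.
            sev = "HIGH" if ip == self.gateway_ip else "MEDIUM"
            self.alerts.append((sev, f"{ip} changed from {known} to {mac}"))
            self.table[ip] = mac
        # One MAC answering for several IPs is typical of a spoofing host.
        owners = sorted(i for i, m in self.table.items() if m == mac)
        if len(owners) > 1 and mac not in self.reported:
            self.reported.add(mac)
            self.alerts.append(("HIGH", f"{mac} claims {owners}"))


def scan_arp_log(text: str, gateway_ip: str = "10.0.0.1") -> list:
    """Feed every ARP reply line through the monitor and return its alerts."""
    mon = ArpMonitor(gateway_ip)
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            mon.observe(m.group(1), m.group(2).lower())
    return mon.alerts


if __name__ == "__main__":
    for severity, message in scan_arp_log(SAMPLE_ARP_LOG):
        print(f"[{severity}] {message}")
```

A MAC change is only a signal, not proof: a replaced router or a laptop that renews its lease on a different adapter will also trip the first rule, so a deployment should baseline the table from a trusted capture and pair the alert with the Wi-Fi hygiene Mr Zur is arguing for (VPN on shared networks, verifying the network name with the venue before joining).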
Mr Zur said every internet device is a potential access point to a law firm’s data, including mobile phones, printers and security cameras.
“Your phone is not a phone, it’s a computer,” he said.
“You need to treat it as a computer: antivirus, anti-malware ... If you’re doing all these security measures with your computer but not with your phone, it means that if nothing else, your phone is also the best eavesdropping machine.
“It has a camera, a microphone, and with just one text message, if you click on it, it can become an eavesdropping machine in your office, in your board meeting, in your partners’ meeting, whatever.”
Mr Zur urged lawyers to stop thinking of cyber security as an IT problem, and to make sure their staff and partners are trained as fast as possible.
“I work with several industries: financial, legal, law enforcement, corporates. One hundred per cent, the legal market is way, way behind in understanding the threats,” he said.
“Usually the response I get from lawyers is: ‘That's the IT responsibility’, ‘That's a technical issue’, ‘It's not our problem’.
“The thing is that, as lawyers, we are the target. We have the data and we also do the legal processes around other companies’ data, for example: due diligence.
“So I think there is a long way that lawyers need to go, even to keep up with the pace of change in cyber security.”