Law firms in top 5 most-breached sectors (and the threat is increasing)
Lawyers are prime targets for economically or financially motivated actors, writes Mark Goudie.
With the number of notifiable data breaches up by 19 per cent in Australia in 2019, and the extensive list of recent high-profile cyber security incidents, cyber attacks are becoming increasingly sophisticated, with attackers finding new ways to compromise organisational networks across many different industries every day.
Particularly for large enterprises, remediation of these breaches and attacks more often than not requires the services of legal professionals to navigate notification to regulators and liability to affected stakeholders. But what happens when the service provider becomes the target?
Lawyers hold a wealth of high-profile and often controversial client data that can be monetised and held for high-value ransom or strategic advantage in a financial negotiation, making them prime targets for economically or financially motivated (e-crime) actors. In this time of unprecedented crisis, with most professional services firms enforcing remote working arrangements, it is more crucial than ever that law firms maintain a strict focus on cyber security.
The high-profile Panama Papers case, for example, which was a hacktivist attack on law firm and offshore financial service provider Mossack Fonseca, demonstrates the devastating impact that a cyber attack can have on a supplier and their clients.
CrowdStrike’s Global Threat Report 2020 found that, of all the types of e-crime attacks, the largest share (26 per cent) of incidents reported in 2019 were targeted ransomware attacks on large enterprises, a tactic also known as big-game hunting (BGH): low-volume, high-return ransomware deployments. The figure rises to 37 per cent when reports of banking trojan malware operated by BGH adversaries are included.
Lawyers, both in-house and in firms, are becoming key targets for cyber attackers as ransom demands continue to amount to millions of dollars. This is borne out in the latest report from the Office of the Australian Information Commissioner (OAIC), ranking the sector in the top five sectors to report breaches.
Ransomware attacks have matured beyond traditional email phishing to become far more targeted. Adversaries now compromise a target and then deploy ransomware from within the organisation, using techniques such as credential dumping and masquerading. The most prominent technique reported in 2019 was “masquerading”, whereby an attacker pretends to be an authorised user of a system in order to gain extra privileges.
Notably, this year’s report identified a new tactic: email thread hijacking. Attackers steal content from a user’s email inbox and use the subject lines to identify existing email threads. They then craft a reply to the thread, which drastically increases the likelihood of the recipient opening a malicious attachment or link and giving the attacker access to their network.
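The thread-hijacking pattern described above can be screened for at the mail gateway or in a mailbox audit. The following is an added example, not code from the article or from CrowdStrike, that flags a reply-style message which lacks the In-Reply-To/References headers a real reply carries, comes from a domain never seen earlier in the thread, or carries an attachment; the message samples and thread domains are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed samples: domains seen earlier in a thread, a genuine "RE:" reply,
# and a hijacked-style one (new sender domain, no threading headers, attachment).
THREAD_DOMAINS = {"example-firm.test", "client-example.test"}

GENUINE = """\
From: Alice Example <alice.example@client-example.test>
Subject: RE: Settlement deed - draft for review
In-Reply-To: <20200401.1@example-firm.test>
Content-Type: text/plain

Thanks, the draft looks fine to us.
"""

HIJACKED = """\
From: Alice Example <alice.example@mail-example.test>
Subject: RE: Settlement deed - draft for review
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Settlement_deed_v3.zip"

ZmFrZQ==
--b1--
"""

REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)

def _domain(header_value):
    """Lower-cased domain of an address header value, or '' if unparsable."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def hijack_indicators(raw_message, thread_domains):
    """Reasons a reply-looking message may not come from inside its own thread."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    threaded = msg.get("In-Reply-To") or msg.get("References")  # real replies set these
    if REPLY_PREFIX.match(msg.get("Subject", "")) and not threaded:
        found.append("reply subject but no In-Reply-To/References headers")
    if _domain(msg.get("From")) not in thread_domains:
        found.append("sender domain never seen earlier in this thread")
    if any(part.get_filename() for part in msg.walk()):  # any part saved as a file
        found.append("carries an attachment")
    return found
```

A hit on any single indicator is a reason to hold the message for review, not proof of compromise; the check is most useful combined with the two-factor authentication and patching practices discussed below.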
In order to protect themselves and their clients, it is crucial that all lawyers, whether in-house or at a firm, understand the ever-evolving threat landscape, which goes beyond just the suspicious attachment or generic malicious link in an email.
What can lawyers do to protect data?
IT teams should implement strict procedures within their firm that focus on good cyber hygiene practices such as strong password protection and especially implementing two-factor authentication. They should also ensure that all employees are connecting to secure Wi-Fi networks when working remotely and should deploy robust security solutions which can monitor and proactively stop the threat of phishing across all devices.
IT teams within an organisation or law firm should ensure all applications and software are patched and up to date as well as maintain partnerships with cyber security providers that practice managed hunting by actively scanning a firm’s networks for security weaknesses or evidence of intrusion.
Encourage cyber security training
Cybercriminals are at the forefront of technology and are constantly refining their methods and attack vectors. Employees are the first line of defence in an organisation but often lack cyber readiness, with many unaware of current scamming techniques. This makes them easy targets.
As such, the view that the security team is an impenetrable barrier to cyber threats is now obsolete and dangerous.
To combat this, firms of all sizes should encourage employees to enrol in cyber security certification programs. Employees can keep their knowledge current and learn new skills, ultimately empowering them to better protect their organisations and stop breaches.
Effective education and training are the best way to reduce staff vulnerability, which will in turn reduce the number of data breaches the legal sector has to report overall.
Have an incident response plan and stick to it
Firms of all sizes should ensure they have the resources, capabilities and processes in place to respond quickly to threats. This includes a mature cyber security plan that allows the organisation to navigate the evolving threat landscape and mount an orderly, effective response that protects both data and the organisation. A loss of client data would severely damage reputation and revenue; an effective incident plan underpins the ethical and commercial obligation lawyers have to keep sensitive client data safe, secure and confidential.
The plan will consist mainly of the roles and responsibilities of incident response team members, a summary of all resources and tools that need to be in place, and data recovery processes.
However, it is critical the incident response plan is communicated effectively, so all employees understand the plan.
After all, the most essential concept in cyber security is speed. Possessing cyber-literate employees with an understanding of what to do in the event of a breach will drastically improve the efficiency of the incident response team to locate and contain the attack.
Mark Goudie is the APJ services director at CrowdStrike.