Lawyers vulnerable to hacker extortion
Sophisticated hackers are increasingly breaking into corporate systems to hold data hostage – and law firms make for attractive targets.
According to information at DLA Piper’s ‘In a Flash: A lesson in cyber security’ seminar, there have been at least six instances of data extortion at large corporates in Sydney in the past two years.
Under this practice, hackers break into a company’s secure files, encrypt confidential data, then demand a multi-million dollar ransom in exchange for the data's release.
DLA Piper partner Peter Jones warned firms were likely to be among potential future victims.
“As a law firm, we are acutely aware that as a result of the work that we do we are sitting on significant corporate transactions and dispute issues. We absolutely are obvious potential targets,” he said.
Fellow DLA partner Jacques Jacobs agreed, warning firms “own, control or keep safe very valuable information”.
To raise awareness of the issue, DLA Piper commissioned an hour-and-a-half feature film tracing the downfall of fictional company BaySan Global at the hands of East African criminals.
The breach starts when an executive at one of BaySan’s vendors misplaces his laptop – using this source, hackers are able to encrypt data in the BaySan system and demand $50 million in exchange for the encryption key.
While the company pays up, the fall-out from the hack – including leaked information, plummeting stock prices, class action lawsuits and regulatory investigations – drives the company into the ground.
Although an extreme example, Mr Jones suggested similar breaches were entirely possible at Australian firms.
Frequently, in his experience, the risk arrives in the form of phishing – emails sent from legitimate-seeming sources that seek to obtain access to internal systems.
Yet data security comes at a cost, he warned, from keeping the latest software installed to developing protocols and providing comprehensive training. Moreover, high security can make data difficult to access or impede flexible working arrangements.
“The more security you overlay, the less flexibility you have, the less ease you have with access – you have to balance all of these things,” he said.
From a firm perspective, he emphasised the importance of having security protocols that are actively used and creating a culture “of appreciating the value that information has.”
Mr Jacobs agreed that a security-conscious culture was one of the biggest factors in protecting data – he warned security systems were likely to be ineffective unless staff made security a priority.
“Everybody from the administration staff to lawyers [and] management need to know the culture and need to understand it,” he said.
However, Mr Jacobs also pointed out lawyers have a personal responsibility to safeguard their client information.
“As lawyers, we have ethical obligations that stand outside of our firm,” he said.
The film prompted a lively discussion among its audience of DLA Piper clients, including general counsel at major and mid-sized companies.