Speaking to Lawyers Weekly, Aaron Sharp, senior security consultant at Verizon Enterprise Solutions – Asia Pacific, said heightened discussion around cyber security is prompting more firms to get involved in this space than ever before.
“I think there are a couple of things driving the discussion around cyber security in the legal industry, particularly within the local market,” Mr Sharp said.
“There have been some pretty well-publicised breaches that have either directly or indirectly involved law firms that have got the attention of local firms as they’re considering what impacts that might have on them.
“Similarly, I’ve seen a lot of activity around the cyber insurance market, so law firms that are involved in providing advice and services within that ecosystem are taking a lot of interest in cyber security.”
Mr Sharp said this interest in the cyber space presents both opportunities and challenges to law firms.
“It’s a double-edged sword,” he said.
“As more businesses embrace digital processes, trying to drive efficiencies and move from paper records to digital records, all of a sudden they’re opening themselves up for potential attacks.
“[However] as much as I see that as a challenge, I also think it’s an opportunity for law firms, who are in many ways trusted advisers, to get on the front foot of this and help clients through that process.”
Mr Sharp said a big opportunity for lawyers is to upskill themselves in cyber threats, noting that this will help protect themselves, their firms and their clients from key risks.
“If you think about some of the data lawyers are entrusted with, it's pretty far-ranging. It could be everything from intellectual property type of information, sensitive financial data, and in some cases even clients' funds in the forms of escrow accounts and what not,” he said.
“All of these different types of data have value for different threats. You could have espionage-type motivations to steal intellectual property, or straight monetary theft of trying to steal client funds.
“So I think law firms need to be very cognisant of the type of data they’re handling, ask themselves how sensitive it is, and really what they're doing at the end of the day to protect that data.”
Mr Sharp noted firms that don’t place an emphasis on cyber security could be dealt some serious consequences.
“A well-known Japanese entertainment company had a big breach a while back and in that breach there was a lot of customer data that was divulged. While it wasn't the law firm involved that actually breached, they are associated with that and their name is now out there,” he said.
“Similarly, some time back there was a well-known mining company who were negotiating contracts for resources and had their sensitive financial information stolen via the law firm that was advising them at the time.
“[Therefore] you can see these different scenarios, whether it’s in a merger and acquisition environment, an IPO type of environment or intellectual property, the impact on the law firm can be quite bad in terms of reputational damage. Even if [the firm] is just associated with it, unfortunately there can be collateral damage as well.”
Despite the risks, Mr Sharp reiterated that there is a big opportunity for law firms to get more involved in the cyber space.
“I do think that there is a big market opportunity for law firms amongst other players, particularly around cyber insurance, to be at the forefront of advice,” he said.
“I know a lot of law firms are being appointed by cyber insurers as breach coaches and whatnot, so I think that's the message I try to give: yes, there are things that you need to be careful of, but with every risk there's an opportunity as well.”
A recent investigation by Verizon found there has been a significant increase in law firms being globally targeted for cyber attacks.
Commenting on the findings, Mr Sharp said Verizon has been able to identify key factors that firms should keep an eye on to avoid these threats.
“Specifically there were two tell-tale signs [of cyber attacks]. One was around unusual remote access and the other was unusual email activity, so an increase in volumes, more emails being forwarded to external email domains,” he said.
“While they're not the only things law firms can do, based on what we're seeing in the attacks that are happening, focusing on those two areas by implementing strong verification [models] and limiting VPNs to only single remote sessions is a good pragmatic step.
“Similarly, with the email side of things, having restrictions around forwarding emails.”
Outside of this, it’s important for all law firms to have strong security measures in place, Mr Sharp said.
“Be prepared, make sure you've got a response plan in place and that you practise that in the case of a breach. Make sure that you're doing the basics in terms of catching and managing vulnerabilities within your environment and make sure you really know what data you're holding and what the classifications and the sensitivity of that data are,” he said.
“The level of protection you want to put around one type of data may differ to a different type, so really start to understand that data and manage that data well.
“The other thing is managing your third-party suppliers. Many breaches we see are via third-party suppliers, so making sure you have good scrutiny over them in supplier chains will go a long way in helping you prevent and detect any breaches that may occur.”
Chris Novak, director of investigative response at Verizon, will be one of the key speakers at Lawyers Weekly’s inaugural Future Forum, kicking off in Sydney on 9 November and Melbourne on 11 November.
The Future Forum is an event designed for lawyers who want to stay at the cutting edge of technological change and business innovation.
To learn more about the event or to register, click here.