Have You Considered All Of Your Cybersecurity Risks?

Many law firms assessing their cyber security risk approach the problem from the perspective of technological vulnerability.  However, it can be equally important to take a business and operational perspective on potential weaknesses.  By doing so, law firms can adopt a full-circle approach to the detection, prevention and management of cyber-attacks.  In this article, we take a closer look at some of the work which law firms routinely undertake and which may unwittingly expose the firm, its employees and/or its clients to risk.

Protecting client employee data

Any law firm assisting with the transfer of employees from one business entity to another, e.g. following a purchase, will at some stage in the process be required under the Transfer of Undertakings (Protection of Employment) Regulations 2006, as amended by the Collective Redundancies and Transfer of Undertakings (Protection of Employment) (Amendment) Regulations 2014 (known as TUPE), to provide the new employer with detailed information on the existing workforce for which it will become responsible.  Understandably, the Information Commissioner's Office (ICO), from a data protection stance, is keen to ensure that information in such transactions is handled in a manner that safeguards employees.  To this end, it recommends that the data be anonymised wherever possible, that the transfer itself be undertaken securely, and that once the records are fully integrated into the new employer's systems, any information that is no longer needed be removed.

From a cyber security standpoint, transferring potentially hundreds or thousands of employee records should not be undertaken lightly.  In October 2018, the United States' National Aeronautics and Space Administration (NASA) is believed to have begun investigating the compromise of a server holding employee personally identifiable information.  This may have included the social security numbers of current and former staff (NASA employs over 17,000 people), which places those individuals at risk of identity theft and, given the nature of the agency, may have wider implications for US national security.

While employee records may be secure within your own organisation, tucked behind a firewall in a ring-fenced part of your IT network on an encrypted enterprise-level database, the same is unlikely to be true when TUPE employee data is transferred between businesses.  It is common to see the information sent by email as a spreadsheet attachment.  Indeed, large legal services firms provide templates for precisely this purpose.  But doing so hands a readily accessible, pre-packaged and largely unprotected list to any competent attacker who gains access to an email account or shared folder, and an attachment persists in both parties' sent and received folders, mail backups and any shared drives it is saved to long after the transfer is complete.

Before allowing your team to handle TUPE-related employee data, ask your IT department for the most robust transfer method they can offer.  This might mean sending an encrypted file over an authenticated point-to-point connection, with the decryption passphrase or key shared by a separate channel (for example by telephone, never in the same email as the file), or you may elect to hand-deliver the information on an encrypted device.  Whichever option is taken, it is crucial to avoid any method that leaves the data readable by anyone who can reach the mailbox or folder in which it sits, since that is what exposes you to the unauthorised disclosure of personal employee data.
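The ICO's three recommendations above (reduce the identifying data, protect the transfer, and keep only what is needed) can be partly automated before the spreadsheet ever leaves the sending firm. The following is an added example written for this article, not code from any law firm, template provider or the ICO. It replaces the direct identifiers in a TUPE-style list with keyed HMAC-SHA256 tokens, so that the new employer receives a list it can later match against the people who actually arrive while the name-to-token key never leaves the sending firm, and it computes an integrity tag the recipient can check against a value read out over the phone. The column names, the sample rows and both keys are constructed assumptions for the demonstration; real keys would be generated randomly and held in the firm's key store. Note what it does not do: it does not encrypt the file (that is still the job of the encrypted channel or tool your IT department provides), and pseudonymised records are still personal data, since role and salary alone can identify someone in a small team, which is why the ICO's advice to delete unnecessary fields still applies.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample of a TUPE-style employee list (fictional people, not real data).
SAMPLE_CSV = """employee_id,name,ni_number,role,salary
1001,Jane Doe,AB123456C,Solicitor,62000
1002,John Smith,CD654321E,Paralegal,31000
1003,Priya Patel,EF112233G,Legal Secretary,27000
"""

# Columns that directly identify a person; the remaining columns are what the
# new employer actually needs for workforce planning. Assumed column names.
DIRECT_IDENTIFIERS = ("name", "ni_number")


def parse_rows(csv_text):
    """Parse CSV text into a list of dicts (one per employee)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def pseudonym(value, key, length=16):
    """Keyed token for a direct identifier.

    HMAC-SHA256 is used rather than a bare SHA-256 because an NI number has
    only a few billion valid forms, so an unkeyed hash can be reversed simply
    by enumerating them. Without the key the token reveals nothing; with the
    key the sender can still link the same person across later versions of
    the list. Input is normalised so "ab123456c " and "AB123456C" match.
    """
    return hmac.new(key, value.strip().upper().encode("utf-8"),
                    hashlib.sha256).hexdigest()[:length]


def pseudonymise_csv(csv_text, key, columns=DIRECT_IDENTIFIERS):
    """Return a copy of the CSV with the direct identifiers replaced by tokens.

    The key never leaves the sending firm; the receiving firm only needs the
    tokens to reconcile the list with the staff who eventually transfer.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in columns if c not in reader.fieldnames]
    if missing:
        raise ValueError(f"columns not present in sheet: {missing}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col in columns:
            row[col] = pseudonym(row[col], key)
        writer.writerow(row)
    return out.getvalue()


def integrity_tag(data, key):
    """HMAC-SHA256 over the file bytes; the tag travels by a separate channel."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_integrity(data, key, tag):
    """Constant-time check that the received bytes match the expected tag."""
    return hmac.compare_digest(integrity_tag(data, key), tag)


if __name__ == "__main__":
    # Two independent keys: one kept by the sender only, one agreed with the
    # recipient out of band. Fixed strings here purely so the demo is repeatable;
    # in practice generate them with secrets.token_bytes(32).
    pseudo_key = b"sender-only-pseudonymisation-key"
    transfer_key = b"key-agreed-out-of-band-with-recipient"

    sheet = pseudonymise_csv(SAMPLE_CSV, pseudo_key)
    tag = integrity_tag(sheet.encode("utf-8"), transfer_key)
    print(sheet)
    print("tag:", tag)
    # The recipient recomputes the tag over exactly the bytes they received.
    print("intact:", verify_integrity(sheet.encode("utf-8"), transfer_key, tag))
```

The two keys are deliberately separate: the pseudonymisation key is a secret of the sending firm and is what stops the tokens being turned back into names, whereas the transfer key is shared with the recipient and only proves the file arrived unaltered. If a single shared key were used for both, the recipient could reverse the tokens by enumerating candidate NI numbers, defeating the point of the exercise.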

Protecting clients with high or sensitive profiles

According to a report by the National Cyber Security Centre (NCSC), the cyber security threat to the legal sector is 'significant'.  The statistics it cites show that 60% of law firms reported an information security incident in 2017.  The threat is not always centred on financial gain.  The NCSC believes that law firms are also being targeted because they represent clients operating in locations hostile to the UK, or working in controversial sectors such as life sciences (e.g. drug testing) and energy (e.g. fracking), and are therefore vulnerable to groups and 'hacktivists' with related agendas and ideologies.  This, it states, is an increasing risk as more law firms offer digitally based services.

Understanding the risk is important, but what can law firms serving clients of this nature do?  Increased precaution is required in these cases.  Any solicitor or other employee working on a 'sensitive' account should be thoroughly briefed on the potential for phishing, data breaches, ransomware and supply chain compromises, whether from hacktivists or from state-sponsored actors, and should know who to report a suspicious email or login prompt to before acting on it.

Hacktivism was the fate that befell the Panamanian law firm Mossack Fonseca, which had some 11.5 million documents stolen and leaked (the breach is thought to date from 2015, with the 'Panama Papers' published in April 2016), exposing its clients, including over 200,000 offshore entities, to legal and financial consequences.  And the cause?  Many experts believe it was, at least in part, outdated information technology.  As a case in point, Mossack Fonseca was using a version of Microsoft Outlook Web Access which had not been updated since 2009.  In addition, its emails were not encrypted.  Speaking to Wired.co.uk, Angela Sasse, professor of human-centred technology at University College London, stated, "given the business they're in, I find it quite surprising that they haven't thought about securing their emails better".  In this case, the precise facts of who took such a massive amount of personal client data, and why, are still not known.  However, the key lesson is this: if your firm represents clients which others are keen to compromise, attackers will look for even the simplest of entry points into your organisation, such as an unpatched, internet-facing webmail server, to achieve their aims.

A 360-degree view of cyber security vulnerabilities

For any law firm, and especially those relatively new to the assessment of cyber security risks, it is vital to take a holistic view of your operation: from the inside out and the outside in, and from both the legal service delivery and the technical sides.  By reviewing all of your client-oriented legal service delivery processes with the assistance of your internal legal teams, you can benefit from their understanding of risks you may never previously have considered.  By putting in place a system for reporting newly identified risks, these can quickly be closed down, reducing the likelihood of a compromise affecting your business, your staff and your clients.  Empowering and rewarding your internal teams to act as your eyes and ears will pay considerable security dividends.