Law firms are a tempting target for competitors, protesters, hackers and intelligence services intent on cyber espionage.
Firms hold their clients’ most sensitive information and usually work for several clients at a time. They employ intelligent and hard-working people with heavy workloads, tight deadlines and sometimes lots of travel – the type of people who have neither the time, expertise nor temperament to think actively about cyber security. Lawyers need to process and share information quickly, often on the move, creating vulnerabilities for an attacker to exploit.
The cyber-espionage threat to law firms has always been present, but is now rising. Attackers are moving on from sectors such as defence, bio/pharma, government and financial services, which have all improved their cyber defences in recent years. In 2010, the FBI briefed 200 New York lawyers on some foreign spies’ deliberate shift towards targeting law firms for their clients’ secrets. The UK Security Service (MI5) has also emphasised the threat. In 2013 there were astonishing revelations about large Far Eastern cyber-espionage groups spying on large Western firms seemingly at will. One group had nearly 500 targets, including prominent law firms, and unfettered access to IT systems for an average of 356 days – and in one case nearly four years.
Many law firms’ instinctive reaction will be to buy new hardware or software and hope this reduces the risk. But this is not enough. Even the most sophisticated technology cannot protect against popular techniques, such as duping staff into downloading espionage software by attaching it to innocent-looking emails.
But there is no need to despair. Intelligent thought and a strong corporate culture make all the difference in cyber security – and law firms have large amounts of both. A clear-sighted assessment of the situation will reveal that focusing on good IT housekeeping, making sure the ‘tone from the top’ is right and designing out potential vulnerabilities are by far the most effective means of strengthening cyber defences.
Choose good housekeeping over James Bond glamour
In 2013 Australia’s equivalent of GCHQ announced that just four countermeasures would have stopped 85% of even the most serious cyber attacks against the country. Those countermeasures can be categorised as good IT housekeeping, and include keeping software up to date and controlling access to information. An IT department with good processes and procedures may not have the glamour of James Bond but is one of the most powerful defenders for any firm.
Make employees part of your defence
Employees in all areas of a firm are a vital defence against cyber espionage. But they need to be briefed, trained and mobilised if they are to become fully effective. Leadership makes all the difference, even in such simple matters as communicating a clear and well-supported ‘tone from the top’ about the importance of cyber security to the firm’s interests. Leading by example is also vital.
Firms’ leaders also need to plan how to educate staff, and should avoid one-size-fits-all training or hefty policy documents. Different roles require different messages; PA finds that the smart use of ‘nudge theory’ can maximise the impact of the message and make firms significantly safer against attack.
Design out problems
To make it as easy as possible for staff to support strong strong cyber security, law firms should ‘design out’ problems where possible, for example by using encrypted email, disabling USB ports and blocking emails to/from webmail addresses. It is vital to focus on outcomes not just process. For this reason the new outcome focused British Standard on cyber-security, PAS 555, is proving very popular.
The first step for any law firm concerned about defending its interests against cyber espionage is to appreciate that it is a target. Effective solutions are then possible, but they demand intelligent thought. Fortunately, that is a watchword for lawyers.
To talk to one of our experts about protecting your firm from cyber espionage, contact us now.