Mobile technology has enabled today’s lawyers to be more responsive to clients’ needs than ever before but brings added risk of cybersecurity breaches. How are law firms coping with the threats?
Our recent risk management survey, published in March, provided an insight into the level of concern that breaches of IT and data security raise within law firms. Every year since 2008, our annual survey has identified IT/data security breaches as the most significant threat to law firms in terms of actual damage caused and the likelihood of that damage occurring. No firm has fallen foul of a serious reported breach to date, but some anecdotal horrors recounting the blasé approach of some lawyers to holding sensitive client data on mobile devices suggest that such an outcome is merely a matter of time.
The BlackBerry opened up the world to corporate lawyers, who were no longer tied to a desktop. In the early days, the biggest threat was the hastily and drunkenly typed e-mail to an irate client at one in the morning, or the cost of replacing a handset left on the 23.48 to Woking. But as the level of sophistication of mobile technology grew, so did the risks. As lawyers became more able to access apps and data from virtually any device, so the danger of opening up hundreds or even thousands of potential portals to a firm’s sensitive information increased.
Law firms, their clients and business partners acknowledge the value of the data they hold. While protecting internal systems is relatively straightforward, firms need to consider their vulnerability to mobile cybercrime, which is increasingly used as a way of leveraging human behaviour to infiltrate technologically secure systems.
Growing concern
The latest McAfee Labs Threat Report, covering the fourth quarter of 2013, highlights mobile malware as a growing concern, having increased by 197% against the same period in 2012. According to the security software company, ‘malware can arrive on a mobile device through just about every attack vector – usually as a downloaded app, but also from visits to malicious websites, spam, SMS messages and malware-bearing ads’.
McAfee’s Mobile Security Report found that the more data an app collects relative to its category peers, the more users should be concerned about data loss and possible theft. Sharing tracking information with a mobile app may seem harmless or simply a privacy issue but it raises profound business security implications. In April, it was widely reported that a popular version of Android remained vulnerable to the notorious Heartbleed bug.
David Bailey, chief technical officer for cybersecurity at BAE Systems Applied Intelligence, agrees that mobile devices are an increasingly attractive target to cyber attackers. Defensive tools are less mature in this area, making devices and operating systems vulnerable.
EJ Hilbert, head of cyber investigations at Kroll EMEA and a former FBI special agent, says that professional services are the number one target for cybercriminals who are after client information. Data is a commodity and the information firms collect from their clients for anti-money laundering compliance is exactly the information that cybercriminals buy and sell. The situation is exacerbated by the perception that law firms’ systems are not as robust as those of the organisations they advise. ‘Compliance is not security,’ he says. ‘The rules change every few years, while technology is constantly evolving. We have to stop thinking of the smartphone as a traditional telephone, but recognise it as a small, hand-held computer.’
For many firms, information security risk is a high-level responsibility. Paul Swarbrick, global chief information security officer at Norton Rose Fulbright, observes that mobile cybercrime leverages the ability and speed of mobile technology to access, download and disseminate large amounts of information.
Uncertainty is a key challenge. ‘Harnessing emerging technologies means defining the business need, so devices and software can be tailored to meet the expectations and requirements of fee-earners without introducing new ways to lose our information,’ he says. ‘As mobile devices were created for the consumer market, they do not have built-in security as standard.’
Bailey agrees: ‘Information risk management is not a straightforward IT concern that can be addressed through technical controls. It requires understanding of business strategy, the technology involved and the current threats.’
Inside out: mobile cybersecurity tips
Ben Sapiro, senior manager at KPMG in Canada, offers seven tips to help firms avoid falling victim to cybercrime:
1. Keep software updated
2. Use strong, unique passwords. Keep them complicated – a phrase rather than a pattern of letters
3. Operate two-factor authentication
4. Encourage user awareness of using different tools for business and leisure
5. Have a clearly defined security strategy
6. When it comes to cybersecurity, every situation is different. Engage a dedicated professional to advise you – don’t go it alone
7. Ensure you can remotely wipe mobile devices – it’s your data and it needs to be secured to your firm’s level of comfort
Although mobile security is a strategic business priority, the IT function is responsible for delivering practical solutions. With this in mind, BAE Systems Applied Intelligence’s chief technical officer for cybersecurity, David Bailey, offers some relevant mobile security advice:
1. Protect devices with a suitably locked-down operating system to stop them being used as listening devices and to prevent sensitive client documents and personal data being stolen
2. Protect the data communicated between your mobile devices and your corporate network by using an encrypted link
3. Choose which corporate IT resources the firm’s own mobile devices, and devices owned by the firm’s staff, will be allowed to connect to
4. Prevent mobile devices from connecting with unauthorised and dangerous websites using internet filters
5. Use a device manager to control devices remotely – especially those that have been lost or stolen – and enforce usage policies
6. Define an acceptable use policy – clearly communicate this to employees
7. Link the systems protecting mobile devices to monitoring systems so that the firm is alerted to security incidents as they arise
Mobile risk
Whereas in the past most firms issued users with BlackBerry devices, many are now introducing a selection of user options, under a bring-your-own-device (BYOD) strategy or a choice between particular devices provided or supported by the firm – ‘choose-your-own-device’ (CYOD). Jan Durant, Lewis Silkin’s director of IT and operations, has adopted a corporately-owned, personally-enabled (COPE) approach, where users can choose between BlackBerry, Apple and Samsung devices. ‘Lewis Silkin owns the phones and can wipe them remotely. We own all e-mails and contacts,’ she says.
Lewis Silkin uses BlackBerry Enterprise Service 10, which gives the firm administrator control over all devices while allowing users secure mobile access to documents ranging from e-mail attachments to the firm’s intranet, separating managed applications from personal ones. Complex passwords are mandatory. Additionally, all e-mails to the firm – on any device – are routed through Mimecast e-mail management, which has its own security and anti-virus features.
Durant does not believe in stopping users downloading apps on smartphones and tablets. ‘When businesses block useful features, people tend to use multiple devices and that increases risk as they forward information from their work phone to their private phone,’ she comments. ‘We’re supposed to be enablers, not blockers.’ Durant acknowledges that life was simpler when the firm would just roll out the latest BlackBerry, whereas it now supports numerous devices and payment plans.
BYOD can produce vulnerabilities. Ben Sapiro, senior manager at KPMG in Canada specialising in computer and network security, advocates using one phone/tablet for business and another for personal use – to avoid malicious apps and websites. Apps are a relatively new vulnerability, with Apple generally considered less vulnerable than Android. ‘Trojan horse’ malware can be hidden within genuine or cloned apps; for example, clones of the discontinued Flappy Bird game were found to contain malware.
At Taylor Wessing, UK chief information officer Stuart Walters has limited BYOD support to Apple’s iOS operating system as he feels that Apple compartmentalises its apps better than Android. ‘Android devices are permitted on a choose-your-own-device basis, but with tighter security and control,’ he says. ‘We install software and supervise any software users want to install and we are currently looking at security and anti-phishing software on Android and iOS.’
Although Walters has taken a comprehensive approach to securing the firm’s systems, he still has concerns around vulnerabilities to cybercrime. He explains that none of the firm’s existing malware prevention software will work on so-called ‘zero-day’ threats – for example, when someone seeking to infiltrate a firm’s systems hires a hacker to carry out a targeted attack that conventional malware prevention software will not recognise. To address this type of threat, Taylor Wessing is trialling Bromium software, which operates in real time. ‘It treats everything as a threat, but doesn’t stop people doing business,’ he says. ‘It allows users to open a document, work with it, print it and save it, but if an attachment tries to do something abnormal, like write a script or access files or other systems, it will stop it.’ Although Bromium products are currently limited to the desktop, there is a roadmap for mobile technology.
Other mobile device management (MDM) products provide similar protection without installing software on the device. One example is Vodafone’s Mobile Threat Manager, a cloud-based security product developed with BAE Systems Applied Intelligence that scans all traffic to and from mobile devices, safeguards against malicious attacks and blocks inappropriate content. A network-independent service that supports BYOD remotely, its cloud-based cybersecurity capabilities include a sharp focus on the prevalence of fake wifi hotspots, which capture users’ details when they try to log on, exploiting the roaming capability of smartphones and tablets, which automatically seek out the nearest wifi signal.
Osborne Clarke (OC)’s IT director Nathan Hayes observes that although law firms are highly regulated, they are for the most part relatively small entities compared to their clients. Hayes is strongly in favour of BYOD: ‘Mobile is critical to good service delivery, but BYOD is not about being mobile – it engages users with technology and makes them more productive. Lawyers can use their device of choice to access our productivity tools too – for example our time recording apps.’
However, Hayes acknowledges that BYOD requires significant investment in support services and security arrangements as well as purchasing the different devices. ‘On the mobile front, the challenge is the increasingly diverse and complex nature of our platforms and the need constantly to be aware of emerging threats.’
OC uses MDM software MobileIron to manage access to the firm’s time recording and document management systems, but this requires a complex password, meaning that users need one passcode to access their phone and another to access the system. So for light-touch security, for example, for making a quick call home or to the office, it uses a different MDM – Good Technology.
This was fine until the introduction of smartphone fingerprint sensors, making it possible to hack into devices by exploiting touch technology. However, OC’s BYOD policy includes remote wipe, making the likelihood of someone hacking into a device before it has been wiped fairly low. ‘It is about assessing the risk associated with devices and applications and deciding whether they are acceptable to our business, and in some cases we have had to say no,’ adds Hayes.
At RPC, BYOD security is dealt with using Citrix MDM, which creates a secure ‘container’ on any device. IT director Julie Berry is also considering introducing an MDM tool. However, she says that while the latest BlackBerry separates business and personal functionality, apps that can save documents to anywhere, including to iCloud, present risks in terms of compliance and data leakage.
Swarbrick at Norton Rose Fulbright adopts a similar approach. ‘It is about segregating the BYOD community from the firm’s core infrastructure by using virtualised environments rather than relying on remotely wiping devices.’ Citrix makes it possible to remove problematic ‘sandboxes’ – programmes that have been isolated by the security mechanisms – instead of wiping the device completely.
Berry points out that while the Solicitors Regulation Authority has rules relating to mobile devices, they are not reviewed as regularly as technology changes, leaving them often outdated. Furthermore, the type of significant insurance and financial services cases that RPC handles means that it is deliberately targeted by cybercriminals. For Berry, the response has been to outsource security so that it is monitored 24/7, including mobile devices.
‘However, it is equally important not to lock systems down,’ she says. ‘If you are issued an RPC security card you are trusted to use the system responsibly. Ethical walls are secure and different levels of classification and confidentiality are respected. The security system covers everything and mobile is treated no differently from other platforms.’
An effective mobile cybersecurity strategy requires different tactics to deal with different threats. Sapiro says that an advanced persistent threat (APT) is a network attack in which a hacker gains access to a network and stays there undetected for a long period of time, with the intention of stealing data rather than damaging the network or organisation. APT is generally a long-term threat, whereas other cybercrime tends to be more opportunistic. Targeted cybercrime involves criminals with the objective of acquiring specific information, in the case of a law firm perhaps information around a particular transaction. Although no strong examples of a mobile compromise affecting a law firm have come to light yet, client relationship management (CRM) systems, accessible via mobile devices, represent one clear path into the system.
Such are the dangers that some firms take a zero-tolerance approach. Weightmans’ insurance work involves working with significant volumes of confidential data, so partner and IT director Stuart Whittle has rejected BYOD in favour of the latest BlackBerry. Like others, Weightmans runs Citrix for remote access, and nothing is stored on remote machines. Whittle says the firm’s security policy is driven by the firm’s roster of insurance and public sector clients, who require assurance that their information is held securely. ‘We are currently completing ISO 27001 certification [the information security management system standard],’ he says. ‘Our mobile security is based on BlackBerry and Citrix and all devices are encrypted. The downside is that the encryption software extracts executable files, which are automatically referred to the IT department.’
Asked about the next generation BlackBerry, which separates work and leisure on one device, Sapiro acknowledges that there is no evidence that the separate containers have been breached, which supports the strategies adopted by Norton Rose and Weightmans.
Educating wetware
Walters emphasises that a significant element in the fight against mobile cybercrime is communication and education. ‘You have to implement the right security software and control, have policies and procedures in place and continually communicate in a language that users understand,’ he says.
He talks about an internal poster campaign to help communicate the message: ‘Passwords are like pants – change them regularly, don’t let people see them, and don’t loan them out to anyone.’
‘It’s not dumbing down,’ he adds. ‘If you talk about IT security policy in technical terms, people will switch off.’
The most prevalent mobile phishing takes the form of text and SMS, asking people to click on links or respond to e-mail addresses. It therefore requires a degree of user complicity, which can be addressed by training users. ‘Our biggest concern is the “wetware” – the people,’ says OC’s Hayes, referring to phishing and other more targeted attacks. OC is focusing on information security training, including mock penetration attacks, followed by targeted training delivered by companies such as PhishMe. The idea is to retain this as a regular service in order to keep everyone vigilant.
Taylor Wessing’s Walters uses the analogy of a locked door – two-factor authentication, encryption and products like Bromium make the door harder to get through, but uneducated users can effectively leave a window open by sharing a password, for example. ‘It’s about keeping risk awareness communication fresh, interesting and relevant and teaching users to manage risk by classifying the data and managing it accordingly.’
Mobile isn’t just about smartphones and tablets; it’s also about transferring data. For example, RPC uses only its own USB sticks which are secure. Others have to be scanned by IT security before they can be used on firm hardware.
At Weightmans, Whittle puts considerable effort into raising awareness. USB sticks are encrypted by default. Like Lewis Silkin, Weightmans uses Mimecast, which means a user can send a link to a document rather than e-mailing files or sending USB sticks or CD-ROMs. The extranet is secured using secure sockets layer (SSL) and Active Directory, with a password policy that requires users to change their password every 30 days. Attitudes can be changed by penetration testing – for example, by sending staff nicely packaged USB sticks to see if they plug them into their machines; if they do, a warning message pops up explaining what could have happened had the stick been infected with malware.
With Schillings developing its reputation not just as a libel law firm but also handling reputation management and privacy issues for high-profile clients, it routinely handles sensitive client data. As such, information security specialist David Prince has introduced regular security awareness training across the firm, which includes penetration testing via simulated phishing attacks, including on mobile devices. This approach is driven by clients asking for assurances that the information they share with the firm is as safe as it can be.
At RPC, data is protected by tools that alert to unusual activity. ‘It’s about common sense and the lawyer’s fiduciary duty to the client,’ says Berry. ‘It is also about training lawyers not to read client files on the train or make confidential phone calls in public places. We need to encourage the right behaviours – and discourage the wrong ones.’
Providing assurance
Firms have realised that client engagement is fundamental in allaying clients’ fears over the robustness of their cybersecurity defences. The UK government has also got in on the act: in April, the Department for Business, Innovation and Skills (BIS) published new guidance for businesses on how to mitigate the risk of cyberattacks, referencing BYOD. Proposals include a certification scheme, where businesses that meet specified standards will be able to obtain independent certification acknowledging the robustness of their cybersecurity measures.
But according to Chris Fowler, general counsel – UK commercial at BT Legal, although mobile cybercrime is recognised as an ongoing threat, it is not BT’s primary concern when instructing and working with external law firms. However, he adds: ‘We have recently started working with alternative service providers and the accreditation process we are going through in terms of interlocking with their systems is more significant because they are offering technology enabled solutions. Law firms’ solutions do not have technology at their heart.’
For law firms, perceptions continue to die hard. Fowler says it is assumed that law firms have the requisite mobile security safeguards and standards but it is interesting how little faith there still is in law firms’ defences. ‘Most of our legal advice is verbal or in encrypted documents and the fact that law firms do not provide technology solutions creates a natural boundary,’ he says. ‘Our security team evaluates all our suppliers and our level of control depends on how much access they have to our systems. Law firms are not embedded into our systems as much as other suppliers.’
CPA Global provides intellectual property management software and other legal support services to law firms. It also instructs law firms, so interacts with the profession from multiple perspectives. ‘We work only with firms who are able to provide the exacting standards of security that we provide to our clients,’ says general counsel Ruth Daniels.
CPA Global has ISO 27001 certification for its own IT security and for its product development, testing, hosting and support and employs third-party examiners to test its systems for potential weaknesses or vulnerabilities. It applies the same stringent standards to its IP software, Inprotech, which is web based; and FoundationIP, which is cloud based, combining internal security audits with vulnerability and penetration testing conducted by a third party.
However, there is only so much testing that can go on and it is how firms cope in real attack situations that really matters. Fowler believes that mobile cybercrime will take on a different level of significance as and when there is a significant documented mobile security incident involving a law firm. ‘This type of discussion brings into the spotlight the fact that big corporates’ level of interface with their law firms is not as integrated as it is with other suppliers,’ he says.
Where the trust is limited, so is the end result. Law firms will not be able to get as close to their clients as they may wish.