Andrew Stanton of Palisade Secure outlines the steps law firms should be taking to reduce threats
According to a 2017 PwC law firm survey, 60% of law firms reported an information security incident in the last year, up from 42% in 2014. The financial and reputational damage of a cyber incident is significant.
In another recent study, just one organisation out of the top 100 law firms in the UK has ‘sufficient measures in place to fully protect against email fraud’.
Cyber security in modern business has become as important as every other business function, such as accounts, sales and operations. It is no longer something the IT department solely takes care of; it is something that permeates throughout the organisation.
Attackers have evolved along with advances in technology through the years, taking advantage of the latest tech to exploit weaknesses within IT environments. Attackers have different motivations and these motivations will dictate their target. Whether political, financial or just a newbie trying his luck, everyone is a potential target at some point.
Law firms are seen as a particular key target for attackers because they hold sensitive client information, handle significantly large funds and are a key enabler in commercial and business transactions. The National Cyber Security Centre (NCSC) reports that over £11m of client money was stolen due to cyber crime in 2016-17.
Protecting your business from attack is the primary focus of your cyber security function, and there is no one-size-fits-all solution: it is not as simple as implementing a bit of technology, dusting off your hands and waiting until it next needs to be upgraded.
The NCSC states that the most significant cyber threats that law firms face and should be aware of are:
- Data breaches
- Supply chain compromise
A good place to go for up-to-date information and best practice is the NCSC (which is part of GCHQ). Its mission is to raise the cyber maturity and resilience of UK law firms.
Effective cyber security is a multi-layered approach, which touches not only technology but personnel too. Your workforce has a key role to play in protecting your business and your assets from a cyber attack.
Following the six pillars of cyber security, you can significantly reduce your risk and demonstrate to your customers that you take cyber security seriously and actively protect their data from a cyber attack.
The six pillars that we advise organisations work through are:
- Threat defence
- Validation and remediation
- Evidencing, auditing and reporting
Industry standards provide a good basis and foundation for any organisation looking to implement, maintain and assure that they are mitigating cyber security risks. Aligning to a standard and implementing robust cyber security measures significantly reduces the risk of your organisation being compromised and, just as importantly, ensures your business and customer data is safe.
An added advantage of aligning to a standard is the ability to demonstrate your commitment to protecting your organisation’s and your customers’ data. This is important because, in the event of a breach, you need to demonstrate that you took appropriate steps to protect your organisation. This will help when you come under scrutiny from regulators and will help to keep fines to a minimum.
Different industries will have and maintain different standards, from health to financial. You should look to see what standards you currently maintain to see if there is an element of cyber security within them.
A few standards to consider:
ISO 27001 is an information security standard, part of the ISO/IEC 27000 family of standards. Achieving ISO 27001 demonstrates that your organisation is following information security best practice while also providing independent, expert verification that information security is managed in line with international best practice.
Cyber Essentials is a UK government scheme that helps small and medium-sized enterprises guard against the most common cyber threats, and demonstrates your commitment to cyber security. By following and achieving Cyber Essentials your organisation will significantly reduce the risk of being breached by a cyber attack as well as demonstrate your commitment to keeping your systems and data safe.
In 2016 there was a data breach reported to have been the largest ever recorded – a total of 2.6 terabytes. The company was Mossack Fonseca & Co and the hack became known as the Panama Papers hack. The breach was so significant that the law firm could not recover and had to close. It occurred because the company had not updated its portal since 2013. The portal contained several security weaknesses. If the company had followed processes laid out by Cyber Essentials, the breach would never have happened.
If you are an operator of essential services (OES) you may fall under the NIS Directive – an EU directive on the security of networks and information systems. Network and information systems and the essential services they support play a vital role in society. The NIS Directive is aimed at providing a security framework to essential services, from ensuring the supply of electricity and water, to the provision of healthcare and passenger and freight transport. The directive identifies OESs that have to take appropriate and proportionate security measures to manage risks to their network and information systems.
It is said that there are two types of companies: those that have been breached and those that have been breached but do not know it yet.
How can you mitigate a cyber attack if you are not equipped with the tools and strategies to defend your organisation? Threat defence can be as simple as ensuring your IT security strategy is robust and that users are steered into good habits when it comes to security, such as password hardening and user education.
Threat defence should cover pre-emptive controls as well as proactive intelligence, such as dark web threat intelligence. These are some of the threat defence areas worth considering:
- Password hardening
- Implementing and penetration testing robust firewalls
- Implementing and updating robust antivirus and anti-malware
- Secure, encrypted email communication and encrypted file transfer
- Storage encryption
- Cyber threat intelligence – dark web
- Regular software and hardware security patching
It is reported that over one million leaked and hacked credentials from the UK’s top 500 law firms have been found on the dark web, leaving firms vulnerable to phishing campaigns and significant data theft. Carrying out regular dark web scans gives you visibility of compromised credentials circulating on the dark web.
Every member of your organisation has a part to play in mitigating the risks of a cyber attack. The users of technology should be sufficiently trained and made aware of the risks and challenges they may face while going about their day-to-day tasks.
For example, phishing presents a significant risk to an organisation and users of your system are the key target for a phishing attack. Recognising a phishing attempt and dealing with it appropriately is your main line of defence. Technology can block a significant number of phishing attempts, but when the odd one makes it through, you need your users to be equipped with enough information to recognise an attempt and to deal with it.
Do not be complacent – attackers have mastered the art of running complex, targeted phishing campaigns. Phishing campaigns can be highly individualised, bypassing technology that has been implemented to prevent an attack getting through.
Most information security strategies will include an annual training plan, but you may also want to consider regular training sessions, and ways to communicate and test your strategy. Poster campaigns, for example, can be a quick and easy way to get a simple message around the workforce.
Validation and remediation
Implementing robust cyber security controls is a critical component of managing cyber security in any organisation, but how do you assure that what has been implemented is working, that it has not been ‘worked around’ and so created another risk elsewhere, or that someone has not installed or updated software that has ‘opened up’ a vulnerability?
Validating cyber security is critical to ensuring that controls are working and that there are no ‘holes’ in your defence. Using artificial intelligence technology can significantly increase your ability to spot weaknesses and implement effective solutions to close the gap. For example, 24/7 penetration testing allows continuous monitoring of your network and immediately demonstrates where risks are within your environment, allowing you an opportunity to plug them before the weakness is exploited.
Validating that your employees are using strong passwords and following your standards is vital to a strong defence. A strong policy can be easily undermined by employees using easy-to-guess or dictionary-based passwords.
Regular vulnerability scanning can also be performed to detect weaknesses across the organisation’s environment, which allows for quick remediation and tightening of systems.
Spotting and fixing security holes in your environment takes up a lot of time, which is why it tends to be put to the back of the queue when considering technology changes. However, it is critical to remediate issues as soon as possible. Implementing tools such as pen testing and simple-to-view security dashboards allows you to prioritise remediation by understanding critical attack paths and the points in the environment that need immediate attention.
In the very worst case, ensuring that back-up and recovery is a central part of the cyber security strategy will help to reduce the overall impact of an attack. Back-up and recovery needs to cover systems as well as data. Testing and timing your recovery procedures will give your organisation an overall understanding of the impact of a crippling system outage or data breach.
Evidencing, auditing and reporting
So, you have worked hard at implementing controls and technology, and you have educated your users. How do you evidence this and how is this presented to the board of directors within your organisation? What happens when a breach is detected, particularly if the breach looks to have occurred months or years ago?
Auditing is critical for incident management and for assuring the board that cyber security controls are in place and working.
Having a holistic view of logs and information will help you act quickly when an incident occurs or a threat rears its head. For example, when WannaCry became visible, were you in a position to understand the impact on your environment and how quickly you could remediate the threat?
Directors are not going to want to sift through reams of log files and PDF reports, yet providing assurance of your cyber security efforts is a key part of an organisation’s cyber security activity. Therefore, implementing online compliance and reporting capability, and understanding what to evidence to external bodies about controls and incidents and how to evidence it, needs to be considered up front.
Addressing these six pillars is key to being able to deliver a sustainable cyber security strategy.
For more information, please contact:
Andrew Stanton, managing director, Palisade Secure
T: 01702 749651