The high-profile hack of Mossack Fonseca last year brought the collective frailty of the network infrastructure of members of the legal profession to the forefront. While the fallout from the ‘Panama Papers’ might have stolen the headlines, malicious attacks on the network infrastructures of solicitors and law practices are becoming a regular occurrence.
With firms holding a disproportionate amount of valuable and confidential data, hackers know that the profession is notoriously understaffed, under-resourced, and under-trained when it comes to protecting their firms’ digital data. Furthermore, law firms suffer from a certain information asymmetry; data is often gathered ubiquitously and invisibly in a way few solicitors understand.
Why are law firms sleepwalking into a cyber-security nightmare? First, they hold a disproportionate amount of valuable information compared with other small-and-medium enterprises of a similar size. The Law Society of England and Wales has said “law firms are particularly attractive sources of information”. While banks and financial institutions hold millions of account details, they have significant security measures in place to mitigate against intrusion and, in most cases, cover any loss.
In a world where information is power, details about an upcoming corporate merger or takeover can yield far greater return than copying a customer list or stealing customer details ever would. Knowledge of a forthcoming patent application yet to be submitted to the UKIPO could result in losses of hundreds of millions of pounds of revenue. Hackers broke into the computer networks at some of most prestigious American Merger and Acquisition law firms (Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP), with the FBI investigating whether the valuable information stolen was used for insider trading.
Secondly, the very nature of a law firm ensures that they act as a conduit for information that one might not want in the public domain. Normally, less stringent security and under-trained staff make law firms an attractive target. Many cyber-attacks against come about as a result of the targeting of a third-party organisation that the firm represents. A typical law firm will hold data relating to litigation strategies, confidential information relation to the business operations of a client, valuable information relating to intellectual property rights and a host of other sensitive and confidential data. The data held on a law firm’s server is a digital treasure trove to which hackers are attracted because of its intrinsic value.
Third, law firms are notoriously under-staffed and under-trained when it comes to cyber-security. Small firms and sole practitioners have limited resources and capabilities to maintain a secure network. Simply having a web presence is enough; making sure your name is out there and high-up the Google Page search rankings. Little to no thought is put into securing that web presence or implementing best practices for securing client data. Laptops aren’t encrypted, phones are not password protected, staff are not aware of the tricks of the hacking trade and are vulnerable to social engineering and other ‘cognitive hacks’. The last of which is becoming the most prevalent tool of the trade for the hacker.
This is why I recommend a more practical approach to securing a firm’s data than traditional passive network defences. Historically cyber-security has focused on securing the firm’s network and its infrastructure. Catch phrases like “We need a firewall!” and “invested millions in network security…” mean nothing if humans are susceptible to social engineering by a malicious hacker. Verizon’s 2015 annual data breach report highlighted an ominous fact: the great majority of hacks, estimated to be 90%, succeed because of human error. Ultimately, the sole practitioner is the firm’s best defence, but it is also the law practice’s weakest link.
Social engineering is when someone maliciously takes advantage of the cognitive vulnerabilities humans have when making judgements. We are prone to trust others and when someone sounds convincing, we tend to make a lot of poor decisions. Our systematic errors become even more exacerbated when under pressure. So when a fake email from a law firm’s managing partner was sent to the finance manager at a large law firm asking them to pay funds to a bank account that in reality belonged to a social engineering hacker, you can imagine what happened next. Or a quick phone call to the law firm from a hacker pretending to be from BT asking them to reset their box in order to allow testing on the line: “That’s great! We are all working 100% now. Do you mind reading me the numbers on the back of your wireless router please for my files?” Intrusion complete.
Social engineering as a means of cyber-attack is gaining traction among the hacking community. Thus recognising social engineering, through staff training, for example, is an important facet of cyber-security. Law firms must begin to understand that they are the target because they are more vulnerable and because of the valuable data that they hold. High value information secured behind hundreds of millions of pounds’ worth of network security is routinely sent to law firms that have inadequate protection.
Law firms that rely simply on passive forms of network defences are doomed. Identify the node in your office that is likely to be seen as the weakest link by hackers and get them trained in cyber-security now. Today. Do not wait. This person is not likely to be a senior partner. It’s going to be the law student working on placement or a trainee, or the freckle-faced IT guy that has sysadmin privileges over your network. Prioritise security as a requirement among your business partners and agents that handle information on your behalf. Ask questions of your cloud providers and your web ‘guy’. Is he running regular updates on your web software?
Solicitors and law firms are far more of a target than they realise, especially as we move to 100% digitisation and cloud-based storage (the Internet has no boundaries, neither do hackers). It is not just the legal consequences of failing to keep information secure; there is a real chance of business loss. Large companies can afford to take the hit, but smaller firms face irrecoverable losses. There is also reputational loss. Mossack Fonseca held details on 72 former and current world leaders. It is not known how many of these left the firm after the hack, but it is a safe bet that it would be exponentially harder for them to land client 73.
Mark Leiser is a cyber law lecturer at Strathclyde University.