Neil Ford discusses how cybersecurity trends seen in 2017 are likely to develop in 2018, and outlines how you can affordably mitigate the threats your firm faces, while meeting increasingly complex compliance obligations
Although it was high-profile data breaches, such as those that hit Yahoo (three billion affected accounts) and Equifax (145.5 million), that garnered the most press coverage last year, it’s important not to lose sight of the fact that smaller organisations are also affected by security issues on a daily basis.
Two recent examples from the legal sector can be found in DLA Piper, which lost access to its email and telephone systems for two days when it was one of the many organisations hit by the NotPetya malware attack last June, and London firm Anthony Gold Solicitors, whose email account was hacked in December, causing it to send out 16,000 phishing emails asking recipients to open a malicious attachment.
These are scarcely isolated incidents, either: the PwC Law Firms’ Survey 2017 found that over 60 per cent of all firms reported suffering some form of security incident during the last year. So to suggest that 2018 will see more – and worse – incidents is no great leap of the imagination. In this article, I look at cybersecurity trends in 2018, and outline some simple steps your firm can take to protect itself against cyber-risk, and prepare for legislative change.
The explosion in ransomware in 2017 – estimated by Malwarebytes’ Cybercrime tactics and techniques: 2017 State of Malware report to be a 90 per cent year-on-year increase – was exemplified by the WannaCry pandemic in May, which infected more than 200,000 victims across 150 countries, the most high-profile of which was arguably the NHS.
According to the report The State of Endpoint Security Today, by software and hardware security provider Sophos, 59 per cent of organisations in the business and professional services sector were hit by ransomware in 2017, with organisations each suffering, on average, not one, but two attacks (once may be regarded as a misfortune…).
Ensuring devices are kept up to date and vulnerabilities are patched, and training all members of your firm to beware of phishing emails – the most common way in which ransomware is spread – go a long way to help mitigate this threat. It’s also good practice to undertake regular penetration testing to determine where the flaws in your software and systems lie, and patch and reconfigure as appropriate to prevent malicious outsiders from accessing your networks and machines.
Just as the word ‘ransomware’ made it into the Oxford English Dictionary in January, some argued that the criminal use of ransomware had in fact peaked, especially as the latter part of 2017 saw a surge in another threat: the malicious use of cryptomining software, as criminals sought to gain from the continuing inflation of the cryptocurrency bubble.
Rather than dropping ransomware and hoping victims would pay to regain access to their encrypted files, criminals were increasingly cutting out the middle man and infecting victims’ machines with code that uses their spare processing power to mine for cryptocurrency – essentially, a practice that entails running complex calculations in return for payments.
It’s worth saying there’s nothing wrong with cryptomining per se – in itself, it’s just part of the cryptocurrency transaction process. However, using others’ computers without their knowledge undoubtedly constitutes malicious and illegal activity.
Events in early 2018 suggest that this malicious mining or ‘cryptojacking’ trend is likely to continue: according to cybersecurity provider Check Point, approximately 23 per cent of the world’s organisations were affected by the Coinhive mining script in January, and Proofpoint found that the Smominru botnet had infected more than 500,000 machines around the world – most of which were servers – to mine for the Monero cryptocurrency, the value of which has increased some 3,000 per cent in the last year.
If your machines are overheating while seeming to run excruciatingly slowly, it could well be that your CPU and/or GPU power has been diverted to cryptomining. Scan for and remove any software that you don’t want, and clear your browser cache to remove any cryptomining code.
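The slow-machine symptom described above is easier to act on if the check is automated. The script below is an added example, not code from the article or from any vendor it names: it applies two simple defender-side heuristics to constructed sample data, flagging processes whose CPU usage stays pegged for a sustained run of samples (a miner runs flat out; a build or a document save bursts and stops), and scanning cached page HTML for script sources that match a small indicator list. The process names, thresholds, sample values and the indicator list are all assumptions for illustration; in practice you would feed it real per-process CPU samples and your own curated indicators.

```python
"""Cryptojacking triage heuristics (added example; all data constructed)."""
from collections import defaultdict
import re

# Constructed CPU samples: (tick, process_name, cpu_percent), one row per
# process per tick. Process names are hypothetical, not real malware names.
CPU_SAMPLES = []
for tick in range(8):
    CPU_SAMPLES.append((tick, "word.exe", 12.0 if tick % 2 else 30.0))   # normal use
    CPU_SAMPLES.append((tick, "build_tool.exe", 90.0 if tick < 3 else 5.0))  # short burst
    CPU_SAMPLES.append((tick, "svc_helper.exe", 95.0))                   # pegged throughout


def sustained_high_cpu(samples, threshold=80.0, min_consecutive=5):
    """Return process names whose CPU share was at or above `threshold`
    for at least `min_consecutive` consecutive samples (sorted for stable output).
    A single burst shorter than the run length is not reported."""
    by_proc = defaultdict(list)
    for _tick, name, cpu in sorted(samples):      # sort by tick so runs are in order
        by_proc[name].append(cpu)
    flagged = []
    for name, series in by_proc.items():
        run = 0
        for cpu in series:
            run = run + 1 if cpu >= threshold else 0
            if run >= min_consecutive:
                flagged.append(name)
                break
    return sorted(flagged)


# Assumed indicator substrings for browser miner script sources. "coinhive"
# is named in the article; the second entry is a constructed placeholder.
MINER_INDICATORS = ("coinhive", "example-miner-cdn.invalid")
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def browser_miner_indicators(html):
    """Return the src attributes of <script> tags whose URL matches an indicator.
    Intended for cached pages or proxy captures, before clearing the cache."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        if any(ind in src.lower() for ind in MINER_INDICATORS):
            hits.append(src)
    return hits


# Constructed cached page: one ordinary script and one matching an indicator.
CACHED_PAGE = (
    '<html><head>'
    '<script src="https://cdn.example.invalid/app.js"></script>'
    '<script src="https://coinhive.example.invalid/lib/miner.min.js"></script>'
    '</head><body><p>hello</p></body></html>'
)


def triage_report(samples=CPU_SAMPLES, html=CACHED_PAGE):
    """Combine both heuristics into a list of human-readable findings."""
    findings = [f"sustained CPU: {p}" for p in sustained_high_cpu(samples)]
    findings += [f"miner script: {s}" for s in browser_miner_indicators(html)]
    return findings


if __name__ == "__main__":
    for line in triage_report():
        print(line)
```

Both checks are heuristics, so treat a hit as a prompt to investigate the process or page, not as proof of infection; a legitimate long-running job will trip the CPU rule, and a renamed or obfuscated miner will evade the indicator list.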
Meltdown and Spectre
The year started with the news that the chips present in most computers suffered from major security flaws. Worse, the process of attempting to patch the vulnerabilities was widely acknowledged to be deficient. For the numerous organisations that could not apply patches, there remains the possibility that the so-called Meltdown and Spectre flaws will be exploited by cybercriminals.
Microsoft has now added a Meltdown and Spectre detector to its Windows Analytics telemetry analysis tool, but researchers from Princeton University and GPU manufacturer Nvidia have identified new ways of exploiting the flaws, so it’s likely that criminals won’t be far behind and will use Meltdown and Spectre to launch attacks on vulnerable machines. Again, ensuring you test and apply patches in a timely manner will help protect your firm from attacks.
On top of an increase in cyber threats, firms face an increase in compliance obligations. May sees the introduction of two major pieces of EU legislation pertaining to data protection and information security, both of which will be implemented in the UK: the General Data Protection Regulation (GDPR) and the EU Directive on security of network and information systems (the NIS Directive).
The GDPR in particular – the requirements of which will form the bulk of a new Data Protection Act in the UK – will mean that organisations that have until now taken advantage of the UK’s relatively low-key compliance under the Data Protection Act 1998 will face greater responsibilities.
However, the vast majority of organisations are under-prepared: recent government research found that only 38 per cent of businesses had heard of the GDPR, and only 27 per cent of those – about 10 per cent of businesses overall – had made changes in preparation for the GDPR’s application on 25 May. According to research by managed services provider CenturyLink Emea, only a quarter of UK law firms said they were ready for the GDPR as of November 2017.
At present, only the public sector is obliged to report data breaches to the supervisory authority, the Information Commissioner’s Office (ICO), but this will change in May. The GDPR will require data processors to report breaches of personal data to data controllers, and require data controllers to report breaches to the ICO within 72 hours of their discovery if there is a risk to data subjects’ rights and freedoms. Data subjects themselves must be notified without undue delay if there is a high risk to their rights and freedoms. (Exactly how these levels of risk to rights and freedoms will be quantified remains to be seen.)
The maximum penalties for non-compliance with the new law are administrative fines of up to four per cent of annual global turnover, or €20m – whichever is greater. Aggrieved data subjects also have the right to effective judicial remedies against controllers or processors if their rights are infringed by processing that does not comply with the GDPR.
The ICO is proud of its reputation as a ‘fair and proportionate regulator’, and has robustly denied that it will make early examples of organisations for minor GDPR infringements, or regularly dole out maximum fines. (In 2016/17, only 0.09 per cent of cases concluded by the ICO resulted in fines for the organisations involved; this is unlikely to significantly change.) This should reassure most firms that, if they can demonstrate that they’re taking appropriate action to comply with the law, they need not fear regulatory fines.
However, there is equally no doubt that civil litigation in the form of individual or group actions will be increasingly likely, and ‘no win, no fee’ GDPR claims firms – like personal injury lawyers – will emerge to try to cash in, as organisations’ levels of cyber-resilience come under greater public scrutiny.
The consequences of non-compliance will therefore be very public, and reputational damage suffered as a result of breaches could be significant. You can find more from the Law Society’s GDPR pages and our own website.
The NIS Directive
The NIS Directive aims to achieve a high common level of network and information systems security across the EU by improving national cybersecurity capabilities, increasing cooperation between EU member states, and requiring operators of essential services and digital service providers to take appropriate and proportionate security measures.
Although the NIS Directive will not apply to law firms directly, you are more than likely to engage with organisations – as corporate clients, suppliers to in-house teams etc – that are within its scope, and these could require you to demonstrate a standard of security that guarantees the security of their supply chain. Moreover, the directive’s requirements provide a useful framework on which to base your own cybersecurity activities, so compliance could certainly be considered beneficial.
You can find more on our website.
Mitigating cyber-risks and demonstrating compliance
Implementing and maintaining the appropriate technological and organisational measures necessary to mitigate the majority of cyber-risks and demonstrate compliance with the new laws will become a matter of great importance for all organisations in the UK.
The government’s Cyber Essentials scheme provides a set of five security controls that organisations can implement to achieve a baseline of cybersecurity, and against which they can achieve certification to prove their credentials. These five controls can help prevent 80 per cent of the most common attacks. Certification to the scheme provides numerous benefits, including reduced cyber-insurance premiums, improved investor and customer confidence, and the ability to tender for business where certification to the scheme is a prerequisite.
For firms that aspire to a greater level of cybersecurity maturity, the international standard ISO/IEC 27001:2013 (ISO 27001) sets out the requirements of an information security management system (ISMS) – a risk-based approach that enables organisations of all types and sizes to mitigate the specific threats they face with appropriate measures.
Firms that implement a compliant ISMS can achieve independently audited certification against ISO 27001, to demonstrate their commitment to securing their clients’ information – and their compliance with the GDPR’s data protection requirements.
There is also an operational advantage to implementing the standard. Bringing your processes and procedures into compliance with ISO 27001 will lead to greater business efficiency, as well as making your firm more secure.