Timothy Hill explains why in-house lawyers need to consider cybersecurity and how they can take action
Most people need to know something about cybersecurity; solicitors need to know more than most. Client confidentiality, legal professional privilege, code of conduct obligations and data protection are just some of the reasons you need practical and theoretical knowledge. Practical knowledge to avoid becoming a victim; theoretical knowledge to know your obligations and to advise others.
Some in-house lawyers may assume that cybersecurity isn’t their problem: that it’s something their parent organisation takes care of, or should. If that’s the way you think, you may want to ask yourself some questions:
- Who advises your organisation about its obligations under the Data Protection Act and associated regulations?
- Who alerts them to upcoming legislation like the EU’s proposed General Data Protection Regulation (with provision for compulsory data breach notification)?
- Who advises them about legal professional privilege and lawful interception by the police or security and intelligence services?
Now the answer may be someone else, but even if it is:
- What about the cybersecurity and data protection implications of matters you do advise them on?
- Could you or your team be the weak link that leads to a security breach?
- Does your team have any special cybersecurity requirements and have these been discussed with your organisation?
- Are you involved in third-party transactions (like M&A activity) and have you, or anyone else, thought about how these can be secured electronically?
- Are you ‘leaking’ information of value to a hacker via your public website or through social media?
Understand the threat
One of the more alarming findings of the Government’s 2015 Information Security Breaches Survey is that the average cost of the worst single breach suffered by respondents has risen sharply. For large organisations (more than 250 employees) it now stands at £1.46m to £3.14m; for medium and small businesses (1-249 employees) it stands at £75k to £311k.
The number of breaches has also risen. 90 per cent of large organisations reported a security breach in 2015, up from 81 per cent in 2014, and 74 per cent of small businesses reported a breach, up from 60 per cent.
Staff – including legal staff – are often a point of vulnerability. This is one reason there was a significant increase in the number of organisations undertaking staff security awareness training with 72 per cent of large organisations and 63 per cent of small businesses offering ongoing programmes. Mass phishing and spear phishing are two techniques that exploit untrained staff.
Mass phishing is a form of electronic deception in which an individual is persuaded to take action or disclose information by an attacker posing as a trustworthy party (someone impersonating a bank, for example). It is sent indiscriminately to large numbers of recipients.
Phishing is increasingly used not only to trick targets into revealing personal information, but also as a technique for installing malicious software (malware). Early attacks were quite crude but have become increasingly sophisticated. Successful attacks lead to reputational damage, theft of proprietary information, disclosure of sensitive information, compromised infrastructure to host further attacks and backdoor control over systems.
Spear phishing is targeted email deception. Spear phishing is often the starting point for targeted attacks on organisations. Attacks have a high success rate.
The foundation of a good spear phishing attack is reconnaissance to obtain public information like staff contact details, email addresses, organisation charts, job descriptions, or technical information about systems. Law firms and even in-house legal teams are often quite keen to make information about themselves publicly available.
This information is used to craft a spear phishing email. Usually it will appear to come from a trusted contact, often by reusing a real colleague’s or client’s name, and will contain an attachment and/or a link to a website. The link text may show a familiar address while the underlying destination is an attacker-controlled site. Opening the attachment or following the link results in the installation of malicious software, which in turn leads to theft of sensitive information, sabotage, or secondary use of the compromised machines.
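The checks below are an added example, not code from the original article or from the Law Society; they show the cheap indicators a mail gateway or a triage script can extract from a single message of the kind just described: a display name that claims one address while the real sender is another, a Reply-To that diverts answers elsewhere, link text naming one host while the href points at a different one, and attachment types that commonly carry macro or script payloads. The sample message, names and domains are constructed for the example, and the list of risky extensions is an assumption rather than a policy.

```python
"""Spear phishing indicator check over one email message (added example).

Parses an RFC 5322 message with the standard library and reports simple,
reliable indicators.  The sample message and all domains in it are
constructed for this example.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Attachment types that routinely carry a dropper or macro payload.
# Assumption: illustrative list, not an exhaustive blocking policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(value: str) -> str:
    """Lower-cased host of an address, URL or bare hostname.  Full hostnames
    are compared; a production check would also fold subdomains using a
    public suffix list."""
    value = value.strip().lower()
    if "@" in value:
        return value.rsplit("@", 1)[1]
    if "://" in value:
        return urlparse(value).hostname or ""
    return value.split("/", 1)[0]


def phishing_indicators(raw_message: bytes) -> List[str]:
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_host = _host(from_addr)

    # 1. Display name carries an address whose domain is not the real sender's.
    embedded = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", from_name)
    if embedded and embedded.group(1).lower() != from_host:
        findings.append(f"display name claims {embedded.group(0)} but sender is {from_addr}")

    # 2. Replies are diverted to a different domain than the apparent sender.
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _host(reply_addr) != from_host:
        findings.append(f"Reply-To {reply_addr} differs from sender domain {from_host}")

    # 3. Link text shows one host while the href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            looks_like_host = "." in text and " " not in text
            if looks_like_host and href and _host(text) != _host(href):
                findings.append(f"link text shows {_host(text)} but points to {_host(href)}")

    # 4. Attachment types that commonly carry a payload.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")

    return findings


# Constructed sample: a "revised contract" lure aimed at in-house counsel.
SAMPLE_EML = b"""From: "jane.smith@example-legal.com" <notices@mail-relay.example.net>
Reply-To: docs@share-docs.example.org
To: counsel@example-corp.com
Subject: Revised SPA draft for signature
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the draft before the call:
<a href="https://portal.example-legal.com.share-docs.example.org/spa">portal.example-legal.com</a></p></body></html>
--XYZ
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="SPA_v7.docm"
Content-Disposition: attachment; filename="SPA_v7.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--XYZ--
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EML):
        print(finding)
```

Run it against a message exported as .eml; an empty list means none of these four indicators fired, which is not the same as the message being safe. None of the checks needs a reputation feed or sandbox, so they can run at the gateway before a user ever sees the message.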
In targeted attacks malware is used to play a long game. If your firm becomes of interest to an attacker they may well take a long-term and systematic approach to achieving their cyber-attack objective.
Whether or not you are dependent on your organisation for your cybersecurity and whether or not you formally advise them on the topic, there are a number of accessible resources that it’s worth being aware of and, perhaps, drawing to the attention of whoever takes lead responsibility.
The Law Society’s information security practice note discusses senior level commitment, identifying someone to take the lead, drawing up a written security policy, and undertaking a risk assessment. Our data protection and cloud computing practice notes are also relevant.
Cyber Essentials is a government-backed scheme that defines a set of basic technical controls intended to provide cost-effective, baseline cyber security for organisations of all sizes. It focuses on five key controls: boundary firewalls and internet gateways; secure configuration; user access control; malware protection; and patch management. Certification involves a self-assessment whose responses are independently reviewed by an external certifying body; Cyber Essentials Plus adds independent testing of the controls. 49 per cent of survey respondents were badged to Cyber Essentials or Cyber Essentials Plus, or planning to be. These controls are a floor rather than a ceiling: they address common, commodity attacks, not the patient, targeted intrusions described above.
10 Steps to Cyber Security is practical guidance on cyber security from GCHQ. It has just been updated and re-launched. 58 per cent of FTSE 350 companies have assessed themselves against the 10 Steps guidance since it was first launched, and over 30 per cent of survey respondents reported using it.
Cyber-security Information Sharing Partnership is a joint industry and government initiative to share cyber threat and vulnerability information in a secure online environment. The environment includes groups who share advice about combating particular types of cyber-attack, for example phishing emails that deliver malware.
If you are involved in corporate finance transactions then take a look at Cyber-Security in Corporate Finance.
Finally, Cybersecurity for legal and accountancy professionals was developed by the Law Society, the Institute of Chartered Accountants and the government. It comprises four 15-minute online modules and is freely available to qualified and unqualified staff via the Law Society CPD Centre. Why not take it?
- Clarify who’s responsible for what in your organisation
- Understand the threat
- Read and apply the advice in the Law Society’s information security, data protection and cloud computing practice notes
- Get certified against Cyber Essentials
- Apply the 10 Steps to Cyber Security
- Join the Cyber-security Information Sharing Partnership
- Read the Cyber-Security in Corporate Finance guide and
- Take our free online cyber security training.
The Law Society is considering guidance on electronic signatures