What lessons can law firms learn from three of 2019’s top cybersecurity attacks? John Clarke considers
The growing impact of cybercrime in the UK will come as little surprise to solicitors. According to the Solicitors Regulation Authority, £10.7m of client money was lost in 2017 at the hands of cybercriminals. It issued 217 scam alerts in 2018 alone.
In a survey conducted by PwC in 2018, 82% of top-100 law firms expressed concerns relating to cybersecurity, but only just over a quarter were confident that their firm’s business-critical systems could be recovered following a cyberattack.
Meanwhile, cybercrime continually evolves, as cybercriminals go to any lengths to leverage new hacking tools and techniques. Below, I look at three high-profile recent cyberattacks, and what lessons the legal sector can learn from them.
Toyota: going through a subsidiary
In March 2019, the personal details of up to 3.1 million Toyota customers were exposed, after hackers targeted the servers of Toyota subsidiaries which held sales information, including names, dates of birth and employment information.
Hackers are increasingly targeting subsidiaries, which may have less stringent security measures in place, as an easier means of accessing a larger parent company’s data. If a subsidiary suffers a data breach, the consequences can be just as damaging for the parent company in terms of reputational damage and customer data being exposed.
Make sure your subsidiaries adopt the same security protocols as you and communicate clear written procedures which outline accountability and responsibility for specific digital policies. Frequently monitor the security performance of your subsidiaries to ensure mandatory IT procedures are being adhered to, and evaluate whether remedial action needs to be taken.
Citrix: password-spraying
In March, an estimated six terabytes of confidential internal information were compromised at leading cloud-computing provider Citrix. Hackers bypassed multiple layers of authentication for critical applications and services, and also gained unauthorised access to virtual private network (VPN) channels by using ‘password spraying’, a technique that exploits weak passwords by trying a small number of common passwords against a large number of accounts.
Introduce a mandatory company policy of complex, unique passwords which avoid common phrases, or an employee’s name or nickname, to protect against password spraying. You could encourage employees to use password manager applications, which can generate and securely store random passwords comprising combinations of letters, symbols, punctuation and capitalisation for each of their accounts, which makes them far harder for cybercriminals to crack. To access them, an employee need only remember one ‘master’ password.
IT departments should regularly run audits to identify common passwords, and monitor for the signs of a password-spraying attack – such as single failed logins against many different accounts in rapid succession – and for hackers adding additional user accounts.
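The two checks described above, as an added example that is not part of the original article: a policy check that rejects common passwords and passwords built from the employee’s name, and a log monitor that separates the password-spraying pattern (one or two failed logins against many accounts from one source in a short window) from ordinary brute force (many failures against one account). The sshd-style log format, the sample lines, the deny list and the thresholds are all constructed assumptions for illustration; adapt the regular expression to whatever your VPN, SSO or Windows security log actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed deny list (assumption); in practice use a published breached-password list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "spring2019", "letmein", "qwerty123"}


def password_policy_violations(password, employee_name, nickname=""):
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if lowered in COMMON_PASSWORDS or re.sub(r"\d+$", "", lowered) in COMMON_PASSWORDS:
        problems.append("common password (with or without trailing digits)")
    for part in employee_name.lower().split() + ([nickname.lower()] if nickname else []):
        if len(part) >= 3 and part in lowered:
            problems.append(f"contains employee name or nickname '{part}'")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
            and re.search(r"\d", password) and re.search(r"[^A-Za-z0-9]", password)):
        problems.append("does not mix upper case, lower case, digits and symbols")
    return problems


# Constructed sample log lines (not real logs); sshd-style format is an assumption.
SAMPLE_LOG = """\
2019-03-08T09:00:01 sshd[2011]: Failed password for alice from 203.0.113.7 port 51011 ssh2
2019-03-08T09:00:03 sshd[2012]: Failed password for bob from 203.0.113.7 port 51012 ssh2
2019-03-08T09:00:04 sshd[2013]: Failed password for invalid user carol from 203.0.113.7 port 51013 ssh2
2019-03-08T09:00:06 sshd[2014]: Failed password for dave from 203.0.113.7 port 51014 ssh2
2019-03-08T09:00:08 sshd[2015]: Failed password for erin from 203.0.113.7 port 51015 ssh2
2019-03-08T09:00:09 sshd[2016]: Accepted password for frank from 203.0.113.7 port 51016 ssh2
2019-03-08T09:00:11 sshd[2017]: Failed password for grace from 203.0.113.7 port 51017 ssh2
2019-03-08T09:05:00 sshd[2020]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2019-03-08T09:05:02 sshd[2021]: Failed password for alice from 198.51.100.4 port 40002 ssh2
2019-03-08T09:05:05 sshd[2022]: Failed password for alice from 198.51.100.4 port 40003 ssh2
2019-03-08T09:05:07 sshd[2023]: Failed password for alice from 198.51.100.4 port 40004 ssh2
2019-03-08T09:05:09 sshd[2024]: Failed password for alice from 198.51.100.4 port 40005 ssh2
2019-03-08T09:05:11 sshd[2025]: Failed password for alice from 198.51.100.4 port 40006 ssh2
2019-03-08T10:15:00 sshd[2030]: Failed password for bob from 192.0.2.9 port 33001 ssh2
2019-03-08T10:15:40 sshd[2031]: Accepted password for bob from 192.0.2.9 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(text):
    """Turn raw lines into sorted (timestamp, user, source_ip, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in another format are ignored rather than crashing the monitor
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"],
                           m["result"] == "Accepted"))
    return sorted(events)


def classify_sources(events, window=timedelta(minutes=5), min_accounts=5, max_per_account=2):
    """Slide a time window over each source's failed logins and label the pattern.

    spray       : at least min_accounts distinct users failed, none more than
                  max_per_account times (one or two guesses per account)
    brute_force : at least min_accounts failures against fewer than min_accounts users
    Thresholds are illustrative; tune them against your own baseline of user typos.
    """
    failures, successes = defaultdict(list), defaultdict(set)
    for ts, user, ip, ok in events:
        (successes[ip].add(user) if ok else failures[ip].append((ts, user)))

    findings = {}
    for ip, fails in failures.items():
        recent = deque()
        for ts, user in fails:
            recent.append((ts, user))
            while ts - recent[0][0] > window:  # drop failures older than the window
                recent.popleft()
            per_user = defaultdict(int)
            for _, u in recent:
                per_user[u] += 1
            distinct, total = len(per_user), len(recent)
            if distinct >= min_accounts and max(per_user.values()) <= max_per_account:
                pattern = "spray"
            elif total >= min_accounts and distinct < min_accounts:
                pattern = "brute_force"
            else:
                continue
            findings[ip] = {"pattern": pattern, "accounts": distinct, "attempts": total,
                            "window_end": ts,
                            # a success from a spraying source is the event to investigate first
                            "successful_logins": sorted(successes[ip])}
    return findings


if __name__ == "__main__":
    print(password_policy_violations("Alice2019!", "Alice Smith"))
    for ip, f in sorted(classify_sources(parse_events(SAMPLE_LOG)).items()):
        print(f"{ip}: {f['pattern']}, {f['accounts']} accounts, {f['attempts']} failures "
              f"by {f['window_end']:%H:%M:%S}; successes: {f['successful_logins'] or 'none'}")
```

The window is keyed on the source address, which is the cheapest signal but not the only one: a spray spread across many addresses shows up instead as a rise in distinct accounts with exactly one failure each across the whole estate, so the same per-user tally is worth running without the per-source grouping as a second view.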
Hydro: ransomware
Also in March, Norwegian aluminium company Hydro suffered a ransomware attack which reduced its production by up to 30% and brought one of its business units to a standstill. The devastating cost to Hydro, which employs 35,000 people in 40 countries, is estimated at £25m, but the overall business impact remains unknown. Since the attack, Hydro’s IT and security teams have been praised by cybersecurity experts for isolating the malware and preventing it from spreading further, and the company has been using its back-up systems to recover data. Hydro has also announced that it does not intend to pay the ransom to the cybercriminals.
Ransomware was deemed one of the biggest malware threats of 2018, and this pattern is set to continue throughout 2019 and beyond. Make sure your firm has a formal cybersecurity strategy and incident response plan in place. This should take into account what happens when a cyberattack occurs and what procedures staff should follow, as this is essential to resiliency in the immediate aftermath of an attack.
Consider backing up your most important data on a separate secure network or device, so if you were to lose important files in a ransomware attack, you could easily restore them. Ensure your antivirus systems and other critical business software solutions are up to date, and make sure everyone is vigilant when opening any and all emails and attachments.
Why it matters
Some law firms have historically perceived data security to be a cost with little benefit. As a result, investment in modern IT infrastructure, cloud-based solutions and secure third-party data storage facilities is often a low priority, and can appear like unnecessary insurance.
But with cybersecurity threats becoming more frequent and sophisticated, an ounce of prevention is worth more than a million pounds of cure. Specialist commercial finance providers can offer payment-over-time solutions to enable legal firms to spread the cost of preventative measures to mitigate the risk of cybercrime, such as investment in robust encryption software, IT support, and cybersecurity training for staff.
If 2019 is anything to go by so far, cyberattacks will continue to break new ground. The threat to the legal sector is significant. Law firms run the risk of further suffering unless they take a proactive approach by investing in improved security systems and ensuring that a culture of cybersecurity awareness is embedded throughout their entire business network.
John Clarke is head of direct sales at Wesleyan Bank. Wesleyan is the Law Society’s partner and can provide our members with cash flow or longer term commercial finance, cyber security funding, PC funding and personal finance and protection