The Singapore Law Gazette

Cybersecurity in the Legal Sphere: Protecting Yourself before Defending Others

Any organisation handling sensitive data should take its cybersecurity seriously. This is especially true now that most of the developed world is integrating several of its critical operations with advanced technologies ranging from the Cloud to various project management services supplied by Google. The information stored on such platforms is crucial to an organisation’s survivability in today’s technology- and data-driven marketplace.

Recognising the operational value of data, governments have started to introduce various regulations to ensure the security of digital information. Regional regulations such as the General Data Protection Regulation (GDPR) in the European Union, and national-level legislation such as Singapore’s Personal Data Protection Act (PDPA), have been introduced to ensure organisations are handling such material safely.

Data, Law Firms and Cybersecurity

According to PriceWaterhouseCoopers (PwC), 62% of law firms reported a cyber attack on their systems in 2015. Later in 2017, PwC released another report indicating that 40% of all firms reported a form of business disruption that was caused by a cyber attack, where the majority of the firms suffered losses within the space of a year.

Law firms all handle significant amounts of sensitive data, ranging from personal information to life-altering evidence of criminal activity. As more law firms of different sizes journey into a world now dominated by technology and data, cybersecurity will become more important to their survival against malicious online threats targeting them for their sensitive evidence. As more law firms across Singapore continue to digitise their operations, they need to have a robust security plan capable of protecting their client data and extending their reputation across the nation.

Interviewing a Security Professional

Law firms need not only to be aware of cybersecurity, but also to know how to implement various procedures to ensure their digitised improvements remain secure. In that light, Horangi decided to interview our very own Chief Technology Officer (CTO) and Co-Founder, Lee Sult, for his insights as to how law firms can enhance their cybersecurity resilience to ensure greater resistance to cyber attacks.

Lee Sult hails from a diverse background firmly rooted in security, having cut his teeth working with federal agencies in the United States. He was a cyber incident response expert during his time at Trustwave, SpiderLabs and Palantir. His extensive experience in working with clients from both the private and public sector uniquely equips him with keen insight into what cybersecurity challenges and threats organisations today will face.

Cheng: Thank you very much for attending this interview, Lee. As I am sure you know from your background with law enforcement in the United States, there are different law firms that specialise in handling different cases. However, it is not the responsibility of the law firms to do cybersecurity, but to focus on defending their client. In that case, why do law firms of all sizes need to know about cybersecurity today?

Lee: Thanks for having me, Cheng! Well, attackers consider law firms as high-value targets because they store critical data for all of their clients and the attackers can monetise that data. Trade secrets can be used to influence deals or pricing, the stolen intellectual property can be used by a competitor to offer a similar product for a lower cost, and stolen email credentials can be used to persuade fraudulent bank transfers. These examples are all taken from real-world cases I’ve dealt with in the past.

Cheng: Over the last few years, more traditional firms in Singapore are gradually integrating their operational technologies to accommodate digital evidence from cases related to cyber crimes. In addition, we are also seeing a large number of small and digitally integrated law firms appearing across the nation. Given both are joining the digital age in their own respective ways, what do they need to protect when operating online or when interacting with various digital services or tools?

Lee: Law firms need to start focusing on securing their communications and file shares. Attackers are interested in client data these firms retain or handle, rather than the data that belongs directly to the law firms. These kinds of sensitive client data are nearly always found in email, text messages and file shares.

Cheng: Fair point there about their communication, as it is always easier to intercept information in transit than extracting it from a security-hardened database. However, what risks would these firms face should an attacker be successful in extracting sensitive information from them? What can they then do to enhance their cybersecurity posture to minimise their risk from these acts of maliciousness?

Lee: Primarily, law firms face a loss of confidentiality which is one of the primary values that their clients covet. Significant reputational damage can occur to a law firm if they are responsible for the loss of intellectual property or their email servers are used to send fraudulent emails to their clients. Attackers often target intellectual property and trade secrets that are stored on a law firm’s servers, as attachments in email or even just as knowledge in the email bodies themselves. If attackers can gain access to a law firm’s email usernames and passwords, they often use the law firm’s email accounts to request fraudulent wire transfer instructions to their clients. While it’s hard to prevent all attacks from occurring, using multi-factor authentication for email access and ensuring computers and mobile devices stay up to date goes a long way toward improving security.

Cheng: Thank you for that insight into attacker behaviours, targets and even on some security features, like multi-factor authentication. Having mentioned security features, can you comment on how firms can identify what security features they need, and what is a reasonable expectation for the level of security to be met?

Lee: It’s hard to say which security measures a specific firm should take. At the very least, everyone should be using multi-factor authentication on their email accounts and should allow their devices to do regular updates. It’s also a good idea to work with security personnel or a security partner to help ensure the confidentiality of their client’s data. Familiarising key stakeholders or senior staff with foundational cybersecurity and data handling practices is also a good step towards ensuring operational security is adopted across their organisation.

Cheng: Thank you very much for providing your insight and advice into how law firms can better protect themselves in our digital age.

Lee: Thanks Cheng, I’m always happy to provide advice on how these organisations can be safer today.

Putting Things in Greater Context

Many thanks to Lee Sult, the CTO of Horangi, for pitching in to support this article’s objective of determining why and how law firms can protect themselves within the current technology-driven state of the world. It remains clear that despite the vast differences between law firms and their specialisations, they remain equal when pitted against different cybersecurity adversaries.

Within the narrower context of law firms operating in Singapore, there is no doubt that many will need to automate and digitise large components of their operations to handle the amount of digital evidence available today. With the introduction of the Singapore Cybersecurity Act, the national government is keenly aware of the need to ensure that its cyberspace is governed by the correct people, organisations and processes.

The Why: Responding to Current Security Practices

In today’s data-driven environment, data transmissions and storage are highly valuable assets favoured by all types of malicious actors, especially when the organisations involved are handling highly sensitive information that can change the course of someone’s life forever. Singapore is a heavily technology-dependent country, where cyber crimes will always be a persistent threat across both the state and the region. However, despite the abundance of cybersecurity services and education available, most organisations still understand cybersecurity as a predominantly technical challenge that should be (or can be) entirely managed through an Information Technology (IT) professional or department.

This is inaccurate.

As more organisations across Singapore depend on digitised services and online platforms, law firms must adapt to ensure they are capable of handling digitised materials. As a business requirement, this will come to define how security procedures and protocols are developed. Remember, the more sensitive information firms hold, the more valuable they become to sophisticated cyber criminals.

As with a hospital or clinic, clients will always surrender credible information to law firms. To any criminal, this is a treasure trove of information that can be used to leverage innocent victims through blackmail or fictitious scams. Hence, being able to outline the business value of the information firms hold is an essential context for any professional (IT or cybersecurity) to defend a legal organisation properly. The cybersecurity challenge that is broadly known today can only be resolved through a collaborative effort between business and technical professionals.

The How: Starting from the Individual unto the Organisation

Despite the slew of advanced security tools and services currently available to everyone, having some necessary security awareness can directly enhance a firm’s digital resilience through empowering the individuals who hold access to sensitive information – at a meagre cost.

At the top of the list of security practices is the implementation of Multi-Factor Authentication on all online accounts – if it is an option. Next is to be keenly aware of any identifying signatures of both your colleagues and clients when utilising digital communication platforms or services (e.g., WhatsApp, Email, Slack, Skype, etc.). The third is simply to be aware of any cyber attacks involving other law firms, clients or software that is being used by your organisation. Remaining aware of the experiences of others in the legal community already enhances your security posture through foreknowledge.

Like building a proper case against a criminal indictment, one must look first to the individual. It remains no different in cybersecurity. An essential first step to ensure a secure organisation is to begin with protecting the individual. While this provides an excellent first line of defence against conventional cyber attackers and threats, more sophisticated threats (e.g., Targeted Ransomware, Cyber Espionage) would require professional support from a security expert either as an internal hire or external procurement.

Cybersecurity Baselines Everyone Can Employ

1 Enforce use of multifactor authentication.

Passwords get leaked for various reasons from time to time and are often shared across multiple accounts, increasing the impact on the affected user.

Many web-based applications support multi-factor authentication via SMS (short message service) or Google’s Authenticator, among other options, enforcing an additional, convenient authentication factor.

2 Establish policies around communication of critical information.

(E.g. finance-related requests only coming from a single account.)

Phishing leverages the lack of established or clear communication channels and policies.

In the above-mentioned example, if users are informed that finance-related requests come from a particular email account, in a certain format and with authorisation from a separate channel, the risk of users falling prey to a phishing attempt aimed at enabling a money transfer is reduced.

3 Keep regular backups of critical information and data.

4 Protect information stored at rest via encryption. (Windows Pro and Apple OSX have their own encryption systems, in addition to functions provided by external programs.)

This ensures information confidentiality and integrity, preventing a malicious individual who gains physical access to a hard drive, laptop or other form of data storage from reading its contents.

5 Keep a record of data types and classification, as well as storage and usage policies around each type. (E.g. public, confidential, secret)

This provides a basis for how data is handled and ensures sensitive data is not exposed excessively.

6 Ensure channels used for communication are secure.

Ensures communications cannot be intercepted. This applies to a variety of things – email encryption, messaging applications, HTTPS on websites etc.

7 Have strong passwords of a combination of mixed characters, special characters, and numbers; and do not share them across applications dealing with different levels of sensitivity.

Ensures passwords are not easily guessable.

8 Ensure applications and systems used are kept updated.

Outdated applications and systems often have publicly available exploits that malicious users will be able to leverage.

9 Keep informed about threats and current trends, as well as updates and advice around them.

Trends and threats evolve rapidly – it is essential to ensure the organisation is aware of these threats.

The What: Identifying the Next Key Step

There is no expectation for law firms to become cybersecurity experts and employ every single security feature available out there. Despite being legal organisations, law firms are still businesses with a limited amount of resources just like any other business. Hence the next step is to identify what you are trying to protect.

Learning about your operational and digital environment is essential to spending resources strategically. You can achieve this by first identifying what sort of “data” you are collecting, holding, and distributing. Next is to determine the vulnerabilities associated with your digital assets and tools, as attackers would often exploit weaknesses in your equipment to gain access to entire networks. Finally, know the vulnerabilities in your business processes. Despite the existence of digital platforms like Google Suite and Microsoft 365 Business Editions, they remain tools designed to help people. Knowing how instructions are disseminated across your organisation is the essential human component only an experienced security professional or expert can protect.

Collectively analysing these three areas of knowing your “data”, identifying your “vulnerabilities” and securing your “processes” can directly help law firms to secure their organisational environment strategically, protecting what’s important and not wasting precious revenue on off-the-shelf digital locks.

Moving Forward

Regardless of which industry organisations are in, they cannot escape the reality that cybersecurity is a collective battle. The security of our systems depends critically on our understanding of our networks, as well as those belonging to our partners or clients.

The information and concepts that we have covered here give you a foundation for ensuring greater cyber resilience in today’s technology-dependent environment. It is also important to be aware that no two organisations, like fingerprints, are identical. Each law firm, like any other organisation, has business priorities and processes unique to it.

It is not a question of how, but when a malicious attacker will compromise us. We can push the odds in our favour by employing the right protective countermeasures, and making things harder for the bad guys.

Cyber Operations Consultant
Horangi Pte Ltd

Cheng Lai Ki is a Cyber Operations Consultant with Horangi. He holds advanced degrees in Criminology and Intelligence and International Security from institutions in the United Kingdom. Extensively published across cybersecurity and security studies fields, his former experience with the military and intelligence research equips him with a unique perspective about security in our technology driven world.