Law firms are seen by hackers as a valuable yet soft target. A recent poll of law firms showed that approximately 80% have reported phishing attempts in the last year and the SRA reports that over £11 million of client money was stolen due to cyber crime in 2016-17.
How would a major cyber breach affect your business?
Canadian Lawyer Magazine offers an insightful answer in relation to the breach at law firm Mossack Fonseca:
‘It’s unlikely it will survive the leak, at least in its current form. It’s engaged in a business of trust and trust quickly erodes when your clients’ affairs are laid out in world newspapers — even if you are the victim of a hack. Who will trust the firm that it won’t happen again?’
What can you do to drastically improve your cyber security and reduce the potential for reputational damage resulting from a breach?
Make your staff an effective and active part of your cyber defence.
Why are law firms such an attractive target?
The breadth and depth of sensitive information law firms hold on behalf of their clients makes them an attractive target for a wide and varied range of would-be attackers. This includes:
- Criminals looking to extort money via the delivery of ransomware or the sale of personal information on the dark web;
- The theft of sensitive client information by organisations, criminals or nation states looking to gain a competitive advantage through the use of corporate espionage or acquisition of intellectual property; and
- The deliberate leaking of sensitive information for political, commercial or ideological reasons.
These threats aren’t by any means exhaustive and neither are they hypothetical. In recent years, many law firms globally experienced significant numbers of attacks, many with devastating consequences:
- Late 2017: a partner at O’Neill, Bragg & Staffin authorised a payment of $580,000 to a fraudulent account as a result of a Spear Phishing attack.
- March 2018: Duncan Lewis, a firm serving England and Wales, was hacked and reported having their clients’ and employees’ data broadcast on Twitter.
- September 2018: Chinese attackers used stolen user credentials to access third-party software used by several global law firms, and leveraged that access to further encroach upon internal systems.
How do the attackers break through your defences?
Figures show the most common type of attack (84%) is phishing, so reducing your firm’s susceptibility to phishing will significantly improve your cyber security.
Phishing is the preferred attack method because the barrier to entry is low and the success rates are high. The reason the success rates are so high is because they’re designed to utilise common techniques that prey on human emotions in order to achieve a response. The response can be as simple as replying to the email, clicking on a link, submitting information on a web form or opening an attachment. The themes, tone and content used can vary widely but often include:
- An urgent request;
- An instruction from someone in authority;
- Content to pique our curiosity; and/or
- Appeals to our compassion.
If the phish is crafted well enough, it can be hard to spot and if the subject matter is compelling, it will make it even harder for the recipient not to respond to the attacker’s request.
The good news is, there are always some tell-tale signs in every phish and, with the right training and education, your staff should be able to identify them. Even if they are not sure, their training should enable them to alert the appropriate person or team that something looks suspicious or unusual. However, to be able to identify these wolves in sheep’s clothing, they must first understand and appreciate the threats. If they don’t, they’ll be much less likely to adapt their behaviour to prevent an attack.
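As an added example that is not part of the original article: a small triage script a firm’s IT or security team could run over emails that staff have reported as suspicious. It scores each report against the four lure themes listed above, the “ask” (link, attachment or reply with details) and a sender check. The firm domain, keyword lists and the two sample emails are constructed assumptions, not data from the article.

```python
import re
# Constructed assumption: the firm's own email domain (not from the article).
FIRM_DOMAIN = "example-law.test"

# The four lure themes the article lists, each with constructed keyword cues.
THEMES = {
    "urgency": ["urgent", "immediately", "within 24 hours", "close of business"],
    "authority": ["managing partner", "senior partner", "head of finance", "on behalf of the partners"],
    "curiosity": ["confidential", "you won't believe", "see attached", "photos of"],
    "compassion": ["donate", "charity", "in hospital", "desperately need"],
}
SENIOR_TITLES = ("partner", "director", "head of")
# A request to reply with account, payment or login details.
REPLY_ASK = re.compile(r"\b(reply|respond|confirm|send)\b.{0,40}\b(details|account|password|credentials|bank)\b")

def triage_email(mail: dict) -> dict:
    """Score one reported email; returns the indicators found and a triage verdict."""
    text = f"{mail['subject']} {mail['body']}".lower()
    indicators = [theme for theme, cues in THEMES.items() if any(c in text for c in cues)]
    # The response the attacker is after: a link click, an attachment, or a reply.
    if re.search(r"https?://", text):
        indicators.append("link")
    if mail.get("attachments"):
        indicators.append("attachment")
    if REPLY_ASK.search(text):
        indicators.append("reply_request")
    # Display name claims a senior role, but the address is outside the firm's domain.
    sender_domain = mail["from_addr"].rsplit("@", 1)[-1].lower()
    if sender_domain != FIRM_DOMAIN and any(t in mail["from_name"].lower() for t in SENIOR_TITLES):
        indicators.append("external_sender_senior_name")
    score = len(indicators)
    verdict = "escalate" if score >= 3 else "review" if score else "low"
    return {"score": score, "indicators": indicators, "verdict": verdict}

# Constructed sample reports (not real emails): a spear phish impersonating a partner, and a benign notice.
SPEAR_PHISH = {
    "from_name": "James Hart, Managing Partner",
    "from_addr": "j.hart@example-law-secure.test",
    "subject": "URGENT: client completion funds today",
    "body": "I am in a meeting and cannot take calls. As managing partner I need the completion funds moved before close of business. Reply with the new account details. Keep this confidential.",
    "attachments": [],
}
BENIGN = {
    "from_name": "Reception",
    "from_addr": "reception@example-law.test",
    "subject": "Kitchen closed Friday afternoon",
    "body": "The third floor kitchen will be closed for cleaning from 2pm on Friday.",
    "attachments": [],
}
```

The keyword lists are deliberately short; in practice the cues would be tuned to the lures your own staff actually receive, and a non-zero score is a prompt for a human to look, not a verdict on its own.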
It is the recognition that it’s everyone’s responsibility to identify and protect their organisation from these threats that is missing in many firms. Cyber security is often seen as someone else’s responsibility: the IT team, the compliance team or the security team. There is a mistaken belief that the company’s firewalls and anti-virus will protect them. Whilst this is always the hope, history and the news are littered with examples of companies where this wasn’t the case. Not through any fault of the technology or the way it was implemented, but because the attackers found an easier entry point: the staff!
To combat this, communication campaigns highlighting everyone’s cyber security responsibilities can be effective, depending on the culture of the firm. Sometimes, however, this needs supplementing with a more formal approach whereby these responsibilities are included in all staff job descriptions and responsibilities. This isn’t meant as a “stick” approach; the opposite, in fact. Staff need to feel empowered to take ownership and to know that doing so is within their remit.
Once the basic principles of responsibility and ownership are instilled, providing your staff with the requisite knowledge and confidence to empower them to recognise the threats is the next step. Many companies believe they provide this via their once-a-year compliance training. However, experience shows this can offer a false sense of security. Whilst compliance training provides a tick in the box for the organisation to pass an audit, it rarely changes behaviours.
For a threat as prevalent as phishing, 1-2 hours of generic training a year simply isn’t enough.
So what is the answer?
Good cyber behaviours and practices need to be embedded and reinforced every day within the culture of the organisation. To achieve this, having the right awareness programme in place is critical. It must be an ongoing engagement that’s measurable, regular, concise, adaptive, personalised and appropriate. The content must be pertinent to the threats that your organisation faces.
Subject areas can also cover non-corporate areas of focus such as securing your Facebook profile or guidance around online shopping. By making some aspects of the subjects relevant to people in their personal lives, they’ll be more likely to adopt those good behaviours in their corporate lives.
Finally, by using gamification techniques to make it competitive and engaging, knowledge is much more easily retained.
Starting out by addressing a single risk area such as phishing is a great way to effect real behavioural change. Once embedded, it can then grow to include other risk areas such as password security, social media, information handling and other relevant subject areas.
Ethical phishing campaigns provide a good source of benchmarking and return on investment reporting. By attaining a baseline at the outset, you can follow up regularly with ‘all staff’ campaigns and campaigns to specific teams (Spear Phishing) or individuals (Whaling), based on the risks you face.
There are some key underpinning foundations that must be at the heart of your staff cyber awareness programme:
- Stakeholder buy-in and sponsorship: The partnership must be behind the programme and be included in it for it to be a success, as they set the tone for the whole firm. Equally, they are often the biggest targets for threats such as Whaling (highly targeted phishing attacks that are aimed at senior executives).
- Communication: Ensure you talk to your peers and gain their buy-in, as HR, training, legal, compliance and many other areas will all have a role to play.
- Champions: Have champions throughout the firm to help spread the word, maintain momentum and share the workload. These champions can come from anywhere in the firm and the more diverse the better. You’ll be surprised by the passion that people can bring to cyber security if it’s delivered in the right way and they feel it’s relevant to them.
- Recognise people for the right behaviours: The carrot is always better than the stick and recognition can take many forms.
Your staff should be one of your strongest defences against cyber-attacks. However, for you to make the most of their capabilities and to reduce their vulnerabilities, your staff will need to:
- Feel it is their responsibility to understand the threats the firm faces;
- Feel confident they have had the necessary training to know what to look for in a potential attack;
- Be vigilant in spotting attempted attacks; and
- Be diligent in reporting anything suspicious.
Investment in the right technology to protect your firm is very important and many law firms have robust technical defences but can the same be said of your staff? Only by having both robust technical defences and a cyber aware workforce with a cyber security culture embedded, can you be confident in your ability to be resilient to the cyber threats your organisation faces.
BLOCKPHISH provides law firms with the ability to improve their resilience against phishing attacks. We deliver simulated phishing emails and awareness learning to your staff, specifically tailored to emulate real-world cyber threats. BLOCKPHISH aims to improve recognition and understanding of these threats, and reduce the possibility that a phishing email will compromise your security or lead to a sophisticated cyber-attack.
We provide a vast and broad cyber consulting capability to ensure your firm receives the guidance and expertise it requires to strengthen its defences against cyber-attacks.
- Support the creation and realisation of an appropriate cyber strategy, from managed Security Operations Centres (SOCs) to the delivery of managed ethical phishing campaigns.
- Help you to understand the cyber risks your firm faces and identify, establish and operate a robust and pragmatic governance and management system to address those risks.
- Assess your people, process and technology solutions and deliver a remediation and improvement plan to mitigate any vulnerabilities.
- Provide first responder capability in the event of a cyber incident to stem the impact of an attack, restore services or data quickly and prevent repeat occurrences.
- Embed cyber aware behaviours within your firm’s culture to reduce your vulnerability to cyber-attacks.
- Deliver cyber simulations and incident and crisis simulations for key staff to ensure your firm is best prepared to respond effectively in the event of a cyber breach.
- Provide training and professional development for your security professionals.
- Assess and support you in your journey to comply with the EU’s General Data Protection Regulation (GDPR) and ensure you avoid the high penalties (4% of global revenues) for non-compliance.
- Our certified consultants deliver assessment services including Cyber Security Risk Assessment, Cyber Security Strategy & Architecture, Cyber Essentials, PCI DSS, ISO27001, UK DPA and other internationally recognised standards.