It’s not surprising that the legal sector represents a goldmine for hackers; it is a vital component of UK business and government infrastructure. Law firms don’t just handle highly sensitive IP, business-critical and financial data for clients, but also personally identifiable information (PII), making them a highly attractive target.
The news of the Panama Papers, an unprecedented leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca, is a prime example of the value and sensitivity of the information law firms house. The leak identified links between many political and business leaders around the world and offshore companies and accounts, identifying cases of fraud and tax evasion.
Rules and Regulation
Cyber-attacks on UK law firms increased 20% from 2014-15 to 2015-16, with nearly three quarters (73%) of the country’s top firms targeted over the past year, according to PwC research. The Information Commissioner’s Office (ICO) revealed a 173% increase in PII-related incidents in the sector over the past quarter.
That’s bad news considering the forthcoming EU General Data Protection Regulation (GDPR) could increase fines for non-compliance to up to 4% of global annual turnover or €20m, whichever is higher. That’s up from current maximum ICO fines of £500,000.
The new regulation covers not just loss or theft of PII, but could also apply to any attacks which involve “unauthorised access” to or “unlawful destruction” of personal data. That means the GDPR could cover outages caused by ransomware, one of the biggest threats to modern organisations, which ripped through international law firm DLA Piper recently.
On top of this, M&A deals also represent a hugely attractive target for nation state spies looking for intelligence which could help them in geopolitical campaigns. Sensitive data held by law firms can also be abused for profit: in December, three Chinese nationals were indicted in the US after allegedly making over $4m from an insider trading scam using data stolen from unnamed legal practices.
Law firms are now well and truly in the cross-hairs of the hackers. A report from QBE, an insurance company, found that hackers had stolen £85m from British law firms between the beginning of 2015 and July 2016. The hackers tended to strike on Fridays, when many housing deals complete and solicitors move their clients’ money, which led to the term ‘Friday Fraud’ being coined specifically for the law sector.
BYOD has permeated the legal services industry, and many of the challenges associated with data protection in the legal sector are a result of mobility and remote working exacerbating the risks. Data often has to be carried and stored outside of the office, putting it at risk of theft or accidental loss. In fact, loss or theft of paperwork and unencrypted devices were two of the top causes of breaches in 2015/16, according to the ICO.
A comprehensive awareness and education programme that gives employees sufficient training to prevent security attacks and breaches is a necessity. This is particularly important as remote working and BYOD continue to gather pace. Law firms should implement strict secure remote working policies and ensure these extend out to partners and contractors. Policies must include encryption of all sensitive data, both at rest and in transit, particularly for removable storage devices.
With access and transfer of data extending beyond the corporate network, firms must tighten access controls by rolling out two-factor authentication for accounts and limiting privileged accounts, with remote access to systems authenticated and logged.
Under current data protection law, holders of personal data are responsible for ensuring adequate measures are in place to avoid personal data breaches. The GDPR will introduce various new requirements that law firms processing personal data will have to comply with. Firms must ensure that they are in a position to meet these obligations by May 2018.
Further best practice steps include ensuring appropriate security measures are in place, such as advanced anti-malware at endpoint, network, gateway and server layers, and ensuring patches are deployed promptly and IT systems are configured securely. Regular checks and continuous monitoring of all IT systems to help detect any intrusions are a must. Should a breach occur, firms should also be prepared by having an established incident response plan in place.
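The two preceding recommendations, that remote access be authenticated and logged with privileged accounts kept to a minimum and two-factor authentication enforced, and that systems be monitored continuously for intrusions, only pay off if someone actually reviews the logs. The script below is an added example written for this page; it is not code from the article or from Apricorn. It parses a handful of constructed remote-access log lines in an assumed key=value layout (no real VPN product writes exactly this format, and the privileged account names and addresses are made up) and reports the three things a reviewer would want to see first: successful remote logins that did not use a second factor, any remote login by a privileged account, and repeated authentication failures from one source.

```python
"""Review a remote-access log for the controls recommended above.

The log layout, the privileged account list and every line of sample data
are assumptions constructed for this example, not a vendor format.
"""
import re
from collections import Counter

# Constructed sample log (assumed layout: timestamp, user, source address,
# result and whether a second factor was presented). Addresses come from the
# RFC 5737 documentation ranges. The last line is deliberately malformed.
SAMPLE_LOG = """\
2017-06-02T09:01:12Z user=asmith src=203.0.113.10 result=success mfa=yes
2017-06-02T09:03:40Z user=admin src=198.51.100.7 result=success mfa=no
2017-06-02T12:20:05Z user=jdoe src=203.0.113.22 result=failure mfa=yes
2017-06-02T12:20:11Z user=jdoe src=203.0.113.22 result=failure mfa=yes
2017-06-02T12:20:18Z user=jdoe src=203.0.113.22 result=failure mfa=yes
2017-06-02T12:21:30Z user=jdoe src=203.0.113.22 result=success mfa=yes
2017-06-02T17:40:00Z user=root src=192.0.2.55 result=success mfa=yes
2017-06-02T17:41:00Z malformed entry that does not match the layout
"""

# Accounts treated as privileged: an assumption for the example. In practice
# this list comes from the firm's own directory or privileged-access register.
PRIVILEGED_ACCOUNTS = {"admin", "root"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)


def parse_log(text):
    """Return (events, skipped): one dict per well-formed line, plus a count
    of non-empty lines that did not match the layout. Unparsable lines are
    never silently dropped, because a reviewer should know the log is dirty."""
    events, skipped = [], 0
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
        elif line.strip():
            skipped += 1
    return events, skipped


def review_events(events, privileged=PRIVILEGED_ACCOUNTS, fail_threshold=3):
    """Produce review findings from parsed events.

    - success_without_mfa: a remote login that did not present a second factor
    - privileged_remote_login: any successful remote login by a privileged account
    - repeated_failures: fail_threshold or more failures for one user/source pair
    """
    findings = []
    failures = Counter()
    for event in events:
        if event["result"] == "failure":
            failures[(event["user"], event["src"])] += 1
            continue
        if event["mfa"] != "yes":
            findings.append({"kind": "success_without_mfa", "user": event["user"],
                             "src": event["src"], "ts": event["ts"]})
        if event["user"] in privileged:
            findings.append({"kind": "privileged_remote_login", "user": event["user"],
                             "src": event["src"], "ts": event["ts"]})
    for (user, src), count in failures.items():
        if count >= fail_threshold:
            findings.append({"kind": "repeated_failures", "user": user,
                             "src": src, "count": count})
    return findings


def review_log(text):
    """Parse and review a log in one call; returns (findings, skipped_lines)."""
    events, skipped = parse_log(text)
    return review_events(events), skipped


if __name__ == "__main__":
    findings, skipped = review_log(SAMPLE_LOG)
    for finding in findings:
        print(finding)
    print(f"{skipped} unparsable line(s) skipped")
```

On the sample data the review flags the admin login that skipped the second factor, both privileged logins, and the burst of three failures for jdoe from one address, and reports that one line could not be parsed. Adapting it to a real VPN or SSH gateway means replacing `LINE_RE` and the sample with that product's own format; the review logic itself does not depend on the layout.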
The increase in high profile breaches such as the Panama Papers has heightened awareness and law firms should ensure that appropriate security measures are in place, or they could be subject to reputational damage along with reprimand by the SRA and the Information Commissioner’s Office (ICO), resulting in huge financial consequences.
Jon Fielding, Managing Director, EMEA, Apricorn