We need to talk about cyber

Arthur Piper

As the Mossack Fonseca leak last year showed, law firm data can be rich pickings. Businesses may be investing heavily in technological fixes, but the first line of defence from both external and internal cyber threats must be open communication and effective teamwork.

White hat hackers are full of good stories. Éireann Leverett, founder and Chief Executive of computer security firm Concinnity Risks, for example, says he had been working as a contractor for a large institution – a law firm perhaps – during a major upgrade to its cyber defences. Towards the end of the project, the chief information officer bragged that there would be no way Leverett could get 1GB of data out of the new system.

Really? Leverett went to the canteen, bought a burger and went to the data centre with a friend. As contractors, their bags were searched, IDs checked and they were let in. He then took out a memory stick hidden in his sock and helped himself to 3GB of data. Going through security on the way out, he started a fight with his friend, asked the guard to hold his half-eaten burger while he rummaged through his bag, dropping papers on the floor as he did so, and was rapidly bundled through the exit – with the data.

Leverett’s anecdote underlines the reality that there is no such thing as a safe network because the people running them make mistakes. And while organisations rightly
spend a lot of time and money on technological cyber defences, they are often blind to how people are most likely to act in real-life situations. It is an important issue, especially since the data locked behind law firms’ defences represent such rich pickings for hackers.

Firms focus more on technical measures as it’s easier than addressing cyber risk with staff

Martin Schirmbacher
Partner at Härting Rechtsanwälte and Co-Chair
of the IBA Technology Law Committee

In fact, both the weakest link and the strongest defence in an organisation’s cyber network are likely to be people. About half of the respondents in the recent Building Confidence survey by Accenture’s Cyber Security Research Centre said it takes months to detect sophisticated cyber breaches, and a third admit such incursions may never be detected. Of the attacks that are spotted, the ones missed by the security team are almost always picked up by staff. Despite this poor performance, most of the large, global enterprises surveyed said they would ‘double down’ on their investments that are failing to prevent breaches – with only 17 per cent investing more in cyber training.

‘The reason firms focus more on technical measures is that it is easier to do than addressing cyber risk with staff,’ explains Martin Schirmbacher, a partner and specialist in IT law at Härting Rechtsanwälte and Co-Chair of the IBA Technology Law Committee.

How many law firms, he asks, sit an incoming senior partner down for a two-hour cyber training session as part of the induction process? Would it be too much hassle, cost too much chargeable time and ultimately, be just too boring?

In denial?

The second problem, says Schirmbacher, is that firms are reluctant to talk about their experiences and share information. ‘A topic worth doing at our legal conference would be: “What do we do about cyber risk in our firm?” But it is really difficult to find anyone who would talk openly about it.’

It is not just about confidentiality. He says the problem is widespread both in the legal industry and beyond, and smacks of the business community being in denial that a hack will, at some point, happen to them. In addition to the obvious cost of doing so, it may be a factor in why so few outside of the largest organisations have cyber breach response teams in place.

Hackers, on the other hand, do share – making the battle for security a form of asymmetrical warfare. They invest in research and development, buy attack software from online vendors and target common weaknesses. If organisations beef up their technological defences, hackers will analyse success rates, modify the number and intensity of attacks, and hit the weak spots harder. Hackers are in an unregulated business that uses weaponised mathematics as a way of extracting money from data.

Inside threat

But hackers do not only operate outside firms. Many organisations focus on protecting data from external threats, yet cyber attacks can just as easily come from within. As most lawyers know, the Panamanian law firm Mossack Fonseca was fined $31,500 in April 2016 and $440,000 in November 2016 by the British Virgin Islands’ regulator, the Financial Services Commission, for conduct breaches following leaked data, including failing to have adequate security systems. The ongoing reputational damage from the leak is the stuff of nightmares for law partners.

What the Mossack Fonseca incident shows, though, is that such insider risk from disgruntled employees, malignant contractors or others is today indistinguishable from external cyber threat. Now that all data is embedded in numbers, once accessed from either within the firm or from outside, it is equally available for manipulation and dissemination. Dependency on technological defences is an error.

Of course, user behaviour analytics tools have a role to play – they track activity on the network and look for and report on anomalies in system behaviours. But, as Ryan Meeks, a chartered human factors specialist at Frazer-NashConsultancy says, these tools are not advanced enough to spot genuine bad behaviour with 100 per cent accuracy. For that, organisations must get to grips with the messy reality of human motivation – a task that most would rather avoid.

A transparent insider threat strategy that engages the workforce is much more likely to be successful

Ryan Meeks
Chartered human factors specialist
at Frazer-Nash Consultancy

As well as a raft of measures – such as getting together a dedicated insider threat management team and implementing the right technology – Meeks advocates communicating openly about the problem. ‘Contrary to common belief, a transparent insider threat strategy that engages the workforce – for example, through training and awareness – is much more likely to be successful.’

He believes people are the most advanced sensors a business has and can often pick up on suspicious behaviour well before it shows up on any technological activity tracking systems. That’s why operating in the shadows is not a sound strategy.

Business change

Next year, European legislation governing the way data is collected, stored and used will change under the wide-ranging General Data Protection Regulation. The new regime harmonises data protection regulations throughout the European Union and extends its scope to all foreign companies processing data of EU residents. From 25 May 2018, the regulator will be able to issue eye-watering fines for data breaches – up to €20m, or four per cent of an organisation’s annual global turnover. There is also a greater onus to report breaches than under most of the national rules that currently govern businesses.

Now is an ideal time for law firms to stop and think about how adequate their external and internal cyber defences are, and how much training and information sharing they do. It’s time to start talking about cyber.

Arthur Piper is a freelance writer specialising in risk, technology and governance. He can be contacted on arthur@sdw.co.uk