Vulnerabilities of legal IT

by Mark Rowe

Law firms relying on conservative cyber security put themselves in jeopardy, writes David Blundell, Managing Director at cloud security company CyberHive.

The warning from the UK’s National Cyber Security Centre (NCSC) that £11m of client money has been stolen from law firms should be concentrating legal minds on cyber security. A worrying 60 per cent of legal practices are reported to have suffered cyber-attacks. Unfortunately, it is hardly any longer a case of “if” but “when” a breach happens, making it imperative that law firms and small businesses radically change their approach to security to avoid joining the list of hacked organisations.

Although law firms have cyber security high on their list of concerns, IT resources are often limited and dependent on outsourcing. With a vast array of compliance and system-management matters to deal with, cyber-security expertise can be in short supply. Whatever their IT set-up, law firms need to change their mindset to defend themselves against the growing sophistication of cyber-attacks. They must shift from defending themselves against predictable external attacks using outdated anti-virus technology to adopting fail-safe solutions that identify more sophisticated attacks as rapidly and as accurately as possible. Instead of placing their faith in easily breached perimeter defences, they must acquire the capability to shut down an attack before any damage is inflicted.

It is the human element that leaves law firms vulnerable. Most cyber-attacks begin either through a security slip-up by an employee or as the result of some clever social engineering in a phishing email that looks convincing but is entirely malign. This is how hackers and organised crime groups insert malicious code inside the defences of even the most heavily protected organisation.

When thousands of emails are exchanged every day with clients, third-party business partners and prospective customers, it is almost inevitable that a member of staff will click on a macro or link that triggers the download of a new malware variant that AV cannot identify and which may go undetected for months.

While the malware is hiding in the system it will be siphoning off highly confidential data, stealing cash or waiting to use the firm’s servers as a backdoor into the systems of important clients.

Although email filters will eliminate most phishing attacks, many still get through. Filters are also largely ineffectual against spear-phishing that targets a specific individual with cunningly crafted emails, using data to create a personalised lure.

The majority of mid-sized law firms still rely on conventional on-premises data storage, using servers in their own offices. As business has evolved, however, it has become necessary to access data from anywhere, and this combination can increase vulnerability. When a firm hosts its own servers, it creates the need to update, patch and secure them, while at the same time they must of necessity be accessible from the internet by many of the firm’s employees.

Law firms also use third-party software for their customer management. Being hosted on their own servers, this may well open up further holes in security.

The alternative is to move entirely to cloud-based data-storage, enjoying all the enormous benefits of scalability, flexibility and lower overheads. Yet this is no trivial question for law firms, since security is a paramount consideration. A single breach can be sufficient to inflict catastrophic damage on a practice’s reputation. These understandable security fears are why law firms often ban staff from using cloud-based applications such as Dropbox.

Security among cloud-service providers is by no means certain, either. Security breaches can be instituted by malign cloud employees who place unauthorised software on a server or those who simply fail to follow protocols.

Despite the worsening record of both current and next-generation AV, the legal sector still regards perimeter security as the best form of defence, with two-factor authentication and encrypted VPN access as standard. Yet even if access to data-handling inside the system is restricted, it will not provide any protection if the device being used to access the data is compromised.

Alternatives such as security based on network traffic analysis technology, which identifies suspicious patterns of data-use to enable rapid investigation, have proved to be difficult to implement and liable to excessive numbers of false positives. Law firms are left with the option of either lowering their alert thresholds and increasing their risk-exposure, or of operating with technology that could lock down access to systems just when access to data is most critical.

To provide themselves with protection against threats, law firms need to adopt far more effective technology and institute better training for their staff. Education will go a long way to reducing the dangers of employees clicking open socially-engineered emails, exchanging details that are valuable to criminals, or failing to follow system management protocols. Yet this can only ever be the underpinning for a more substantial overhaul. Law firms now need to escape from the conservative reliance on outdated perimeter defences and deploy more advanced solutions. These will defend their servers from unauthorised intrusions or security lapses, whether in the cloud or on-premises.

Such solutions have a more secure foundation, being based on the power and integrity of chips on the motherboards of every server. They check the status of servers every five seconds, monitoring their security using a combination of hardware-based cryptography and whitelisting technology. This protects servers from all unauthorised activity and malware in a way that traditional solutions are simply unable to match.

The chip at the centre of this security revolution is impervious to hacking and the solution founded upon it can consequently guarantee that no person or organisation can tamper with servers, falsify verification data or bypass server security. For law firms in the frontline of cyber-attacks, reliance on AV and perimeter security is no longer a realistic security posture. The legal sector needs to defend itself against the potentially catastrophic effects of breaches by deploying solutions capable of countering all the threats cyber criminals devise.

© 2024 Professional Security Magazine. All rights reserved.