Cyber security for lawyers

Over the past year alone, law firms have seen a steady increase in email scams, ransom attacks, and privacy leaks.

Lloyd Gallagher

In addition, 60 per cent of client work in law firms now includes some kind of technology-related aspect, especially in litigation.

The speed at which new technology is being embraced has allowed it to become a breeding ground for hackers, especially as innovative solutions to possible vulnerabilities lag behind. The days of “beta testing” have been quickly replaced by a rush to market and a “patch as you go” mentality that has created a playground for even the most novice hacker.

The increase in simple computing power of the home PC, along with internet tools such as “gohacking.com” and scribd.com’s “must have hacking tools”, has resulted in a rapid increase in both legitimate testers and illegitimate hackers of all ages. This has resulted in industry costs skyrocketing (estimated at $445 billion in the US alone in 2016).

The cost for law firms of all sizes is also seen to increase significantly due to a lack of understanding at user level, which opens pathways for would-be ransomware attacks. Such concerns are also being voiced at government level.

But can the government intervene? It is all well and good to say “let’s legislate”, but will this really stop law firms being put at risk due to poor practices? Neither tort, criminal law nor equity provides a defence when negligence is present, and here, arguably, a basic lack of good practice towards the technology being used may similarly be considered negligence.

Technology such as the Cloud, public WiFi access, general browsing, email scams and security flaws in open app policies all present day-to-day challenges for the uninitiated, which may lead to a breach of privacy principles or a breach of the Lawyers and Conveyancers Act.

This is because, unlike other companies which have rigid IT policies imposed by their industries and implemented by knowledgeable IT personnel, many lawyers and law firms have yet to implement clear IT safeguards.

Further, many lawyers simply draw down basic policies from the internet and consider the matter closed. This leaves them particularly vulnerable, as many such policies are weak and do not properly cover employees.

The comparative weakness of security in relation to a typical employee who has access to the firm’s data systems is a treasure trove to would-be hackers. A hack that gains access to such an employee can result in full rights to the firm’s data, and can be more time- and cost-efficient than hacking the company directly.

Lawyers are a mine of information and often have knowledge of their clients’ most important business matters, meaning that hackers may not need to sift through voluminous data to find the most valuable information. Moreover, a lawyer’s knack for identifying and segregating information may work to the hackers’ advantage, as the most relevant information is often helpfully placed in organised silos, ready for the taking.

In addition, hackers, like the general public, are well aware that firms are obliged to read all emails received, which allows the hacker to target the employee with a well-designed email scam or ransomware phone call.

In recent days, I have had a number of professional clients who have been contacted with ransomware scams that were initiated by callers identifying themselves as being the “Microsoft service desk” and then requesting the installation of applications. Once the application was installed, it seemed to be a harmless diagnostic tool, but in the background it was undertaking a password security hack and screen capture.

These sorts of attacks are on the rise as hackers try to establish legitimacy by making first contact in a personal way, rather than by email.

But regardless of how an attack is initiated, the implementation of clear security policies and an increased understanding of what to look out for can enable lawyers to better protect themselves and their clients and mitigate the risk of something going wrong.

Lloyd Gallagher will be overseeing an upcoming ADLS workshop entitled “Cyber Security for Lawyers”. Taking place on Saturday 1 July 2017, the workshop will cover a number of security issues facing lawyers in small- to medium-sized firms. Dr David Harvey (Auckland University Law School), Edwin Lim (Partner, Hudson, Gavin Martin) and Arran Hunt (Solicitor, Turner Hopkins) will also facilitate at the workshop and participants will be logged on to computers in a practical, hands-on session.

Further reading:

https://www.scribd.com/doc/3191076/Must-Have-Hacking-Tools-for-Both-the-Novice-and-Professional-Security-Tester

https://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hacker-techniques/

https://www.concise-courses.com/hacking-tools/top-ten/

https://www.blackhat.com/us-16/training/basic-tools-and-techniques-for-hackers-beginner-level.html

http://www.cnbc.com/2016/02/05/an-inside-look-at-whats-driving-the-hacking-economy.html

http://www.americanlawyer.com/top-stories/id=1202786228047/Will-Ransomware-Attack-Make-Law-Firms-WannaCry?mcode=1202615731542&curindex=2&slreturn=20170417182410

http://www.independent.co.uk/news/business/news/cyber-attack-ransomware-microsoft-wake-up-call-governments-wannacrypt-a7736036.html

https://www.lawsociety.org.nz/lawtalk/lawtalk-archives/issue-876/cyber-security-protecting-your-data  

http://www.dykema.com/media/site_files/128_Attorneys_%20Liability%20for%20Data%20Breaches%20--%20Sean%20C.%20Griffin.pdf  

http://digitalcommons.wcl.american.edu/cgi/viewcontent.cgi?article=1887&context=aulr
