Julie’s law firm has a problem. They’ve been shut down by a cyber attack. Julie got an email from a client on March 15 asking to change the payee account on the bill. She opened the attached bill. Copied in the email were two other lawyers on the deal (Brutus and Cassius), and the client. Looks legit. Julie is a senior lawyer and did the cyber training – no spelling mistakes in the email, and the parties sound like they normally do. But the keys have been handed to the hackers.
Not the first time we have heard that story, and not the last. In fact law firms have been warned by the FBI since 2009, and again in 2012, and we are not just talking about the front page stories such as the Panama Papers. But quite apart from what to do after a cyber attack, why law firms? Often the biggest danger to law firms nowadays is spear phishing attacks. Wait, what?
When it comes to cyber security threats, law firms have set up shop at a crossroads. The law firm is not usually the direct target of a cyber-attack, although it can be. To illustrate, 73 of the top 100 UK firms were subject to attacks in the last year and a half. By some measures, law firms are now the third highest sector at risk of cyber attacks.
With a nod to David Letterman, here are top ten reasons law firms are hacked.
First, a law firm acts as both an agent for large corporations and as a vendor manager for these corporations. In this role, a law firm tends to distil important information from a corporation, or bring into focus certain parts of an organisation. Why is the law firm so key? There are a number of sacred cows in the world of 2017 that every company must navigate: data privacy, confidentiality, security, trade secrets.
Think – the law firm is decentralised and also the coordinator of many outside vendors for corporations, or liaises with many third parties on behalf of corporations. Merely trusting in encryption on the law firm side does not regulate the behaviour and online conduct of third parties, who have easy access to the law firm. Law firms handle such issues with signed agreements, which do not stop malevolent actors doing the wrong thing. Also despite many measures to counter the rising risks associated with Bring Your Own Device policies (BYOD), risks remain due to the human factor.
The law of legal professional privilege under which we often say, ‘the lawyer’s mouth is shut forever’, fulfils a lot of separate functions. Firms can get advice for how to deal with embarrassing or potentially injurious actions. Firms can get tactical advice for how to deal with other companies and regulators. Firms can of course also get advance warning about potential sensitive transactions or M&A activity. The list is really endless.
Think – during the past several years the average number of days a hacker is on your network before being discovered has slowly crept down from (around) 250 days to (around) 200 days. This shows how access is not everything, the hacker must discover something to do with your data. A law firm is like Lord Denning’s “red hand” rule – the law firm points to the important information in the company.
The law regarding personal data in different jurisdictions is becoming more important to law firms. They handle both their own employee data and a vast amount of client and third party data, which is covered by different parts of the law, and which can vary from jurisdiction to jurisdiction. This is an entire topic by itself. When a law firm is hacked, it can potentially break data privacy laws as well, by failing to protect personal data.
Think – once confidentiality and potential privilege is in place, a corporation will give law firms access to information about the employees and customers presuming that the law firm will have safeguards to protect this information. While the law firm will treat the information with confidentiality, this does not prevent hackers accessing this data.
The law regarding trade secrets, client connections and goodwill is another major concern, and is often the leading topic in seminars I give on restrictive covenants and competition from outgoing employees. Corporations place a lot of importance on trade secrets, client connections and goodwill, and on other confidential information of a lesser status than trade secrets, which underpin their competitive advantage. This is also a large part of the information they will need to share with the firm for deals, whether M&A, patent or IP right applications, or other transactions.
Think – for a typical application for intellectual property rights, a considerable amount of research and information will be submitted to the law firm. In the application process, time is of the essence, and any leaking of that information during the process might expose the law firm to a liability claim. Advance information about M&A is also especially valuable, and 48 top firms were targeted as a rich source for this.
For a typical Fortune 500 corporation, the IT and cyber security budget will be many multiples of even the biggest law firm’s. The law firm is vulnerable because the major asset of a firm is information, and traditionally a law firm is both cash rich and has weaker defences than the ultimate target. This is not to say law firms do not spend significant amounts on cyber defences, but these are sometimes not effective because of 6 and 7 below.
Think – law firms hire some of the best and brightest as their cybersecurity / CIO / Risk management officers. But these people have a lot of ground to cover.
Law firms most often have a partnership structure. A partnership increases independence and autonomy of individual partners to the point where different partners can appoint different vendors, agents, software and solutions. You don’t have to be the CIO of a law firm to realise that this proliferation of people, software and processes creates a vast number of new entry points to the law firm.
Structures such as the Swiss verein offer no additional protection against the above problems, and can even make these firms targets for mischief for an organised cyber attacker, due to the increased coordination needed internally.
Think – the seven major law firms which have verein structures – Baker McKenzie, Dentons, DLA Piper, Hogan Lovells, Norton Rose Fulbright, Squire Patton Boggs, King & Wood Mallesons. The attack perimeter involves many individuals across locations who will not necessarily be able to tell friend from foe in the situation of a phishing attack.
Traditionally, the right to practise law is a strong barrier to entry. This leads to firms focussing on what gives them the monopoly advantage on certain activities – the practice of law. This requires a single-minded devotion, which often means legally trained persons have less time left over for activities involving the adoption of technology. They are pulled kicking and screaming into the technological age.
Think – to quote the Financial Times, Willie Sutton, the notorious US outlaw, famously said he robbed banks “because that’s where the money was”. Faced with five banks with good defence and two with vulnerabilities, a bank robber will just target the two. Small firms appear to be targeted in some jurisdictions because of lesser security.
Law firms are known for being places of secrecy and trust. If a cyber hacker cannot discover what to do with email and other information, they can either disclose to a third party, or use one of the other options we are all familiar with, denial of service or ransomware.
Think – Hillary Clinton’s email scandal is applicable to lawyers who work from home. Law firms have potential for this level of embarrassment. Also, there have been cyber-insurance cases where law firms tried to claim for loss of work product during downtime from a cyber attack, and for loss of data. So far these have been largely unsuccessful. We will talk a lot more about cyber insurance in future updates.
Most law firms will now have at least one or two partners specialising in cyber security, because “data is the new oil”. But this kind of expertise is unlikely to be resident across the partnership level of the practice. In fact, it will very often be pushed down to associates. So the “cyber training” which partners are too busy to attend will be attended in their stead. Also, a law firm is a path to multiple clients’ data stores.
Think – there are many types of cyber criminal – nation states, activists and criminals are the traditional divisions but these are largely blurring. Reputation takes a long time to build but a short time to lose, and professional embarrassment is a much higher concern for a law firm than other firms.
In Hong Kong I have been giving Risk Management Elective courses for continuing professional development for almost ten years. Normally the common feedback is “great course, but could you spend a little less time on risk management”. People in the countryside do not lock their doors because they do not see a risk of theft. Not considering cyber as the major risk management topic is akin to not locking the doors of your car in the city. Risk assessments are not that common in this area, and training is insufficient. We sometimes talk about enough training “to be dangerous”, i.e. enough to make people panic when the spoofed email from your helpdesk tells you to patch something urgently, which is itself the cyber attack.
Think – wifi security. Many people who say they are careful with these matters will routinely connect to public wifi. Public wifi or wifi from unknown networks is akin to accepting a ride from a stranger. In fact it is worse. It is like giving a stranger the keys to your house for a short period. The stranger can do anything while they are there, and probably find a way to get back without the keys later if they wish.
Law firms structurally and situationally present an attractive opportunity for hacking. We are all now familiar with the spoofed phishing email, but law firms often face more danger from spear phishing. The hacker gets into law firm A and realises that it is dealing with law firm B on a connected transaction. They send spoof emails between the law firms on either side of the transaction. Now they send the same spoof emails to the clients of both law firms. In just a few small clicks, the hackers have gained access to two large law firms and two Fortune 500 companies. Now they can sit back over the next two hundred days and work out what to do with all the information at the disposal of the malevolent actors.
And even if they cannot find anything to do with the information, they still have the option of denial of service or infecting the system with ransomware. Ransomware is the hacker’s option only when no better option presents itself. Few see a ransomware attack as a lucky escape, but it is. The hackers couldn’t find what your data is really worth. They figure it is worth a lot to you though!
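The payee-change email in Julie’s story and the spoofed-thread spear phishing above share a few mail-level tells that a firm can check before anyone opens an attachment. The following triage rule is an added example, not code from the original article: the contact list, domains and sample message are all constructed, and a real deployment would sit on the mail gateway and route hits to a phone-call verification step rather than block outright.

```python
"""Triage for payee-change requests: flags a known display name arriving from an
unexpected domain, a Reply-To that points elsewhere, payment-detail wording, and
attachments. Added example; contact book and message below are constructed."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed address book: display name -> domain that contact normally mails from
KNOWN_CONTACTS = {
    "Brutus": "legit-law.example",
    "Cassius": "legit-law.example",
    "Client Accounts": "client.example",
}
PAYEE_KEYWORDS = ("payee", "bank account", "account details", "new account", "remit")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address string."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def triage(raw: str) -> list[str]:
    """Return the reasons a message deserves out-of-band verification ([] if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    expected = KNOWN_CONTACTS.get(name.strip())
    if expected and from_dom != expected:  # familiar name, lookalike or foreign domain
        reasons.append(f"display name {name!r} from unexpected domain {from_dom}")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_dom:  # replies diverted elsewhere
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(k in text for k in PAYEE_KEYWORDS):
        reasons.append("requests a change to payment details")
    for part in msg.iter_attachments():  # empty for non-multipart messages
        reasons.append(f"carries attachment {part.get_filename()}")
    return reasons


def sample_message() -> str:
    """Constructed lookalike of the email in the story; not a real message."""
    m = EmailMessage()
    m["From"] = "Client Accounts <accounts@client-example.com>"  # lookalike domain
    m["To"] = "julie@legit-law.example"
    m["Cc"] = "Brutus <brutus@legit-law.example>, Cassius <cassius@legit-law.example>"
    m["Reply-To"] = "accounts@mail-relay.example"
    m["Subject"] = "Updated bill - please change payee account"
    m.set_content("Hi Julie, please use the new account details in the attached bill.")
    m.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                     filename="bill.pdf")
    return m.as_string()
```

Run `triage(sample_message())` to see all four tells fire on the constructed message; a plain note from Brutus at his usual domain returns an empty list.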
Date Created: 1 June 2017 | Date Modified: 12 December 2017 | Author: Dmitri M A Hubbard