With so much noise around cyber security and guidance on mitigating against these cyber risks coming from every corner – what practical steps can solicitors take to address cyber risk?
While Irish law firms may not be the first to adopt emerging technologies, the time of paper-based practices is fading quickly. Many firms are adopting new and innovative technologies, from digital dictation to flexible remote working solutions.
Aside from technologies used to run their practices, many firms are using advanced technologies to manage the large volumes of data which form the core of any modern discovery exercise.
Clients are also demanding more in terms of leveraging technology to deliver efficient and cost-effective services. High-profile and security-conscious clients are asking how their solicitors ensure the confidentiality and security of their data. This is especially so in litigation, where a firm will hold sensitive data relating to their client.
The cyber risk landscape
In what may come as a surprise, the majority of sophisticated data breaches start with an innocent click on a booby-trapped email attachment or website link. As such, firms are exposed to a similar threat landscape as many other businesses, primarily due to the fact that they have money and valuable data. On that basis, some of the top threats to law firms are:
- Ransomware – when malicious code locks you out of your systems or data. The attacker then demands a ransom payment in order to unlock your data.
- Financial fraud – when the attacker poses as the Managing Partner or an important client (in the middle of a transaction) and uses social engineering (typically fake emails) to convince the finance contact to send funds to the fraudster.
- Espionage – cyber-criminals (typically under instruction by a third party) will break into a firm’s IT systems in order to gain information on a client or transaction (often during mergers/acquisitions/litigation), giving the other party the ‘inside track’.
Unlike once-off incidents, motivated attackers mount persistent dynamic campaigns. A cyber breach can have a significant impact on any business, both in terms of cost and reputational damage. Even the most technically advanced organisations struggle to manage the risk.
While threats in cyberspace mainly target weaknesses technology, the risk posed is about far more than just technology, but rather it is about practice disruption, client disruption, brand damage and significant financial impacts. Money and data are just part of the equation, cyber-attackers could also prevent you from practicing or put you in breach of your license to practice. The hard evidence also shows that it’s not the IT person who appears on the news when a breach occurs, it’s the Managing Partner.
12 steps to prevent, detect and respond to cyber-attacks
It can be overwhelming to understand the risks, never mind deciding where to start. The steps below provide an overview of how firms, of all sizes, can go about improving their cyber resilience. While many of these steps are necessarily technology-focused, it is important senior management understand them (or ensure those responsible for cyber risk within your firm do) rather than just having them sit with IT.
1. Get organised
- Given the critical impact a cyber breach can have on a firm, clear governance, defined roles and responsibilities and the support of senior management is required for the successful management of cyber risks.
- Start by understanding key business drivers and obtaining senior management support for a robust cybersecurity programme. This should be followed by establishing roles and responsibilities, agreeing your security strategy (aligned with your business and IT strategies), developing policies and standards, and enabling reporting.
2. Identify what matters most
- Understanding what and where your digital assets (i.e. key systems and information) are is an important first step in protecting them. After all, if you don’t know what you have and where it is, how can you even start to protect it?
- Map services/objectives/products to supporting people, processes, applications, middleware, data and technology infrastructure, and rank by criticality to your firm, all stored in an asset inventory.
3. Understand the threats
- Threat actors vary in capability and sophistication, whilst also constantly changing depending on the value of the prize they seek. Depending on the nature of your firm and the digital assets you hold, you will likely be of interest to one or more threat actors. Know your enemy – Learning as much as is practical about your exposures is an important step in defending against them.
- Understanding who might want to attack you, why, and how they might go about it will allow you to focus your efforts on how to respond to the most likely threats. Record the results of your risk assessments in your risk register.
4. Decide what you’re willing to risk
- The next step is to estimate what your major threat scenarios, if realised, might cost your firm. Without an understanding of what the risk exposure is in terms of monetary value, it can be very difficult to justify investment in reducing the risk.
- Start to understand what the most likely cyber-attacks could cost your business by using cyber risk quantification coupled with a cyber risk management framework which forms part of your overall risk management processes. This includes setting your risk appetite and ensuring you’re operating within it, which is recorded in your risk register.
5. Focus on awareness
- The majority of cyber-attacks include some form of human interaction, typically early in the attack lifecycle, whereby a legitimate user of a system is tricked into providing the attacker with access. This comes in many forms of ‘social engineering’ such as phishing emails, phone calls, and physically bypassing building access controls. Remember, your people are your first, and most critical line of detection, defence and response.
- Establish an education and awareness programme, ensuring all of your people (from junior to staff senior partners), contractors, and third parties can detect a cyber-attack and are aware of the role they play in defending against cyber-attackers. This should include email security, online banking procedures, mobile device usage as well as incident reporting procedures and how to manage security technologies such as encryption.
6. Implement basic protections
- In a large number of cases, cyber-criminals exploit weaknesses (known as ‘vulnerabilities’) exposed due to a lack of basic protections. Most exploits require an IT system which has not been kept up to date with security patches and/or has out-of-date malware protection. Implementing basic protections can significantly reduce the risk of becoming a victim of a cyber-attack, especially at the hands of an unsophisticated cyber-criminal who is only capable of exploiting basic vulnerabilities.
- Research the numerous technical standards available (such as ISO, NIST, etc.) and implement appropriate technical protections covering areas such as anti-malware, firewalls, patch management, secure configurations, removable media, remote access, and encryption.
- Implement programmes covering vulnerability management (identifying weaknesses and fixing them – usually through penetration testing), identity and access management (who has access to what, as well as strong authentication), data protection and privacy, and managing third parties who have access to your data.
7. Be able to detect a cyber attack
- Most organisations will be attacked, if they have not been already. Attackers are many and sophisticated, and dedicated attackers have a high chance of getting in given enough time and persistence. Detecting that you are under attack is the first prerequisite to any form of response.
- Establish an activity/event logging and security monitoring capability which can detect an attack through monitoring activity at various levels. This can be a basic system whereby an alert is generated and emailed when suspicious activity is detected on a firewall, through to a 24 hour Security Operations Centre monitoring networks, operating systems, applications and end users.
8. Be prepared to react
- Attacks will occur, therefore having the capability to respond is crucial. Firms who are well-prepared and rehearsed for this eventuality will typically experience a greatly reduced impact.
- Establish a formal incident management team who have been trained in and are able to follow a documented plan, which is tested at least annually. Plans should include how an incident will be detected, incident categorisation and classification, how it will be contained, how the root cause will be investigated and how the firm will recover from the incident. Plans should include all stakeholders, such as business owners, HR, communications/marketing, risk/compliance, investigations, as well as IT/incident management.
9. Be resilient
- Resilience is about the ability of a firm to recover from disruption caused by cyber-attacks. When the inevitable cyber-attack does occur and damage and/or disruption is inflicted, a firm’s ability to recover quickly will be key to survival.
- Establish recovery plans (including comprehensive backups) for all processes and supporting technologies in line with their criticality to the survival of the firm.
10. Strengthen with additional protections
- Once basic protections have been implemented, along with the ability to detect and react, firms should consider additional protections to further reduce cyber risk. These should be considered in line with steps three and four, so that additional protections are focused on reducing the greatest risks further.
- Work to mature existing capabilities in addition to implementing complimentary capabilities/technologies such as Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), Web Application Firewalls (WAF) and Data Loss Prevention (DLP) systems.
11. Test regularly
- Once a firm is comfortable that they should be able to protect against, detect and react to their current cyber threats, the next step is to test that capability to gain some assurance that it is effective.
- Carry out cyber incident simulation exercises to test your executive management’s ability to manage the response to a significant cyber-attack. Carry out red team exercises to test your technical ability to detect and respond to sophisticated attacks.
12. Refresh the cycle
- Cyber risks will continue to evolve, along with a firm’s exposure. Establishing a cyber risk management lifecycle is essential for effective ongoing management of cyber risks, while making the task part of business as usual.
- Reflect on all areas of your cyber risk management programme and identify areas for ongoing improvement, repeating risk assessments on a regular basis, and considering compliance with relevant regulations.
While these steps provide an overview of actions a firm could take to improve its ability to prevent, detect and respond to cyber-attacks, every firm is different and will necessarily manage cyber risks in line with their size, complexity and risk appetite. In many cases one person will bear all responsibility, where in larger practices there will be multiple people tackling each of the areas outlined above.
Many Irish law firms have a significant advantage by not having being the first to adopt new technologies. As such, they can leverage significant experience and best practice from industries such as financial services to jump up the cybersecurity maturity curve, thus quickly reducing their risk exposure.
Firms may use this guidance as an initial approach to the challenges which must be addressed when managing cyber risk. A starting point would be to ask whoever is responsible for risk and whoever is responsible for IT in your firm if they have answers to and/or are carrying out the activities suggested above. If not, it’s time to start. In doing so, you will be able to ensure that, should a cyber-attack strike, your firm will be ready to detect and respond.
Simon is a Cybersecurity expert who brings over 10 years’ practical experience from investigating cybercrime to helping organisations mitigate cyber risk. He helps companies to develop and implement preventative measures, and in the investigation of cyber-attacks.
EY recently opened a newly expanded Advanced Security Centre (ASC) which is the largest cyber facility of its kind within the professional services sector in Ireland. Located in Dublin, the ASC hosts EY’s dedicated cyber security team, who conduct ethical hacking, computer forensics and vulnerability research activities.
For more content from the EY Ireland team, visit our YouTube channel.