Cyber Security 101 for professionals
Cyber security is a thorny concept to grasp. Conversation surrounding it oscillates between the incomprehensibly technical and the unhelpfully vague, with most people (whether they admit it or not) convinced that its principles are the responsibility of "the guys in IT" and therefore safe to ignore. This has never been the case. But it does create a unique challenge for those whose job titles identify them as responsible. To do their job effectively the whole organisation needs to be security aware, yet they also have to be cognisant of the fact that most professionals aren't looking to be trained for two jobs.
That is where a talk like "Cyber Security 101 for Legal professionals", organised and chaired by the Law Society with speaker Andrew Milne from Field Effect, shows its value.
The goal of the talk was manifold: to explain why law firms are such high-value targets for cyber criminals (and therefore why those who work in them need to be vigilant), why protecting themselves from these criminals has tangible benefits for the firm (that exceed the investment required), and to give some examples of how those threats might target a firm, along with the best practices to minimise impact and protect data (as well as the firm's reputation).
To explain the appeal of a law firm’s data, Andrew introduces the concept of a supply chain. In simplified terms, a supply chain is the network of organisations that source, produce, and transfer goods or services in the course of providing a good or a service to an end customer or client. Law firms play an integral part in the supply chains of their clients, not just through their direct relationship with the client: law firms are often intermediaries in the relationships their clients hold with other organisations within their supply chain. They hold data about mergers and deals, contract negotiations, and other vital information that underpins the operations of their clients.
A hole in the security of one aspect of the supply chain can create cracks all along the network. A tangible example of such a supply-chain exploit was reported in 2012, where flaws in an Apple tech support process led to a compromise of an Amazon account and then all accounts 'daisy-chained' to that one.
The strength of the supply chain depends on all of its components. So the firm cannot just worry about its own practices, but also the practices of those it shares data with on a client's behalf. A comment raised by the chair suggests that this is a recurring issue clients have with their firms: solicitors instructing barristers who have introduced security risks.
Andrew talks about the imperative of holistic security. No part of a cyber security strategy can afford to treat the threat surface (the areas of exposure to threats) as disjointed. But as the boundaries of the threat surface expand to entities outside the organisation with whom you share data, the boundaries of the organisation are also expanding. The introduction of personal devices and remote working is nothing new, but as Andrew explains, 2020 brought rapid expansion on this frontier. And, as always, the threat actors (the cyber criminals) were, and continue to be, quicker to adapt.
In an hour-long talk, it is impossible to give full consideration to all threat vectors (methods by which cyber criminals attack the organisation) and defences, but the underlying principles Andrew discusses remain true for all threats.
Cybercrime is a sophisticated industry. On the black market, tools and services are rented out and sold. These tools allow for things like A/B testing to determine the effectiveness of a method, followed by rapid scaling of the attack to target enough organisations that it becomes financially viable to come for even the smallest firms, where the return on an individual attack is lowest. No organisation, whatever its size, is safe.
You cannot afford to just react to cyber-attacks as they occur. Andrew explains that the most crucial time following an attack is in the hours that immediately follow. Make sure you have protocols in place, so everyone knows who they need to talk to when they detect an attack and what actions they need to take.
You must minimise the potential damage to your firm. Restrict access to systems to only those who need them, back up vital data (and protect those backups from unauthorised access too), limit data transfers to just what is required rather than what is convenient, and do your research on the organisations you introduce into the supply chain.
In the talk, Andrew spoke on ransomware (a headline-grabbing threat that refers to a form of malware that holds data to ransom) and the potential forms it can take: encrypting data, stealing data, leaking information, and denial of service, amongst others. Many feel it should be illegal for organisations to pay the ransoms, for fear of funding this cybercrime industry further and providing financial incentives that motivate cyber criminals, but paying the ransom has in any case been found to be ineffective for most organisations. Findings in 2020 showed that only 8% of organisations that paid the ransom got their data back, and 29% of those that got their data back reported that less than half of the data was returned.
For full awareness of the most prominent threats today, there are lots of resources online. Datamation provides a top 10 cybersecurity threats of 2021, for example, and OWASP’s famous top 10 threats to web applications is also updated yearly.
A basic understanding of cyber security throughout an organisation doesn't just help "the guys in IT" do their job. We're all responsible for the decisions we make and the consequences they can have, not only for our firms, but for the clients we are ethically required to protect.
The ‘Cyber Security 101 for Legal professionals’ live event was held on the 11th of November, organised and chaired by The Law Society, with speaker Andrew Milne from Field Effect.