[BreachExchange] Cyber-security - Kryptonite for lawyers

Fri Apr 15 14:19:39 EDT 2016

http://www.scmagazineuk.com/cyber-security--kryptonite-for-lawyers/article/489116/

This may come as a shock, but some people dislike lawyers.

So, when Mossack Fonseca described itself as a victim of crime (the massive
data breach that revealed 11.5 million confidential documents), the firm
was probably the only one ‘amazed' that it attracted so little public
sympathy.

Whether the documents came to light from an insider, as claimed by German
paper Süddeutsche Zeitung, or an external hack, or a mixture of the two,
analysis by security experts exposes how with a single line of code an
attacker could pwn the law firm's client data.  Failure to patch
vulnerabilities for years, failure to segregate, failure to encrypt - the
list of basic security flaws goes on.

In fairness, Mossack Fonseca is not alone.  Cravath, Swaine & Moore LLP,
and Weil Gotshal & Manges LLP, two of New York's magic circle firms, are
being investigated by the FBI following data breaches last year.  British
law firms lost £85 million to cyber-crime in the past 18 months, according
to insurers QBE.

These are not unlucky incidents, against the run of play. The legal
profession's poor cyber-resilience has been well understood for some time.
Back in 2013, The Lawyer predicted the ‘inevitability of a prominent legal
practice going down in flames as a result of a cyber-attack breaching
client confidentiality.'  In February 2016, Elite Insurance announced its
withdrawal from the solicitors' professional indemnity market (an already
thinly populated market), citing increased risk of cyber-attacks.

As a lawyer who qualified in the late 1990s - just as the commercial
internet took off - I've been surprised by how many of my contemporaries
display a rather patrician attitude, boasting about their lack of technical
knowledge, and looking down on cyber-security experts as jargon-babbling
snake-oil salesmen.  This cultural problem is not exclusive to the legal
profession: a recent study by Chatham House on the cyber-resilience of
civil nuclear installations notes that ‘One of the biggest problems we have
is that – as in any industry – the operations people dislike IT.'

Some professional scepticism is required, of course, but there is still a
gap between the extensive measures to provide physical security and those
aimed at securing clients' electronic data - the crown jewels of any legal
practice. Rather than delegating the task to the firm's geek, while
sniggering behind his back about his lack of social skills, maybe it's time
for lawyers to engage their super-brains and deign to understand the
technology.

The profession's regulatory rules don't help.  The Law Society excludes
non-lawyers from owning more than 10 percent of a legal practice - meaning
it is highly unlikely that technologists would be at the heart of a
practice's management or ownership, guiding investment decisions, testing
the claims of security contractors.

But if some lawyers are too posh to take cyber-security seriously, they do
worry about their insurance - a prerequisite of remaining in practice.  So,
the insurance market could become a source of much-needed change in the
legal profession.

The challenges are much greater for small to medium sized practices, which
have limited resources, and are facing difficult business conditions.
There are fewer extenuating circumstances for the large, international
firms.

It's not all bleak. There are multiple factors potentially driving change
for the better.  QBE is resolving to ‘ask searching questions about what
exactly firms are doing to thwart the criminals'.  Meanwhile, the Federal
Appeals Court of Virginia has [this week] confirmed that commercial general
liabilities policies may cover data breaches.  If insurers are on the hook
to pay out after hacks, they will make sure that they tighten requirements
for their customers.

Cyber-security experts understand the impossibility of guaranteeing
resilience against a determined attacker.  That said, 80 percent of cyber
attacks could be prevented by businesses putting simple measures in place.
When insurer Aon visited a client (not a law-firm), it observed that 19
percent of employees were still using their system's default password
“PASSWORD”.  Six months later, after a little talking to, the client had
tightened up its security - with the result that 23 percent of employees
had their new passwords stuck to their screens with sticky notes.

While few people may be able to find it in their hearts to feel sorry for
Mossack Fonseca, the firm's apparent cyber-security weaknesses, coupled
with other high-profile hacks on magic circle law firms, and changes in the
insurance market should all provide a wake-up call to the profession.
Cyber-security is regarded by the UK government as a tier one threat to
national security - with all the resource consequences that implies. The
same should be true for major law firms.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160415/ca83f706/attachment.html>