The least sexy IT topic might be the most important
This morning on the BBC News website, I read an article outlining how a Norwegian aluminum producer is recovering after hackers took 22,000 computers offline at 170 different sites around the world. Norsk Hydro refused to cave in to the cyber-criminals' demands for money and has spent 50 million Euro trying to restore its business to full strength. The attack comes as evidence grows that hackers are being paid off in secret by large organizations that want an easy way out.
This article is the last before the summer holidays. We will be back as usual on Friday September 6. This last article of the season will be poorly read, I know this even before publishing. I know from experience that cyber security is very low on the list of partners at law firms. It is not a sexy topic. While Legal Tech is surrounded by a positive vibe and law firms almost fall over each other to make statements on their websites and issue press releases on Legal Tech, most remain utterly silent when it comes to cyber security. There is an enormous discrepancy between the investment in Legal Tech and the investment in cyber security. This may one day prove to be a costly mistake.
We have seen law firms crippled by crypto lockers
Not only large companies, the power grid or the government are targeted by hackers. Law firms are also attacked, although this rarely gets mentioned in the news. Based just on our TGO Consulting practice, over the past 12 months we have witnessed two clients getting crippled by a crypto locker. Within less than 30 minutes after the attack no one in the whole firm could access any file. All files were encrypted by the hackers. Both firms sought the help of specialized IT consultants and both ended up paying a substantial amount in Bitcoins to unlock the files (there is no guarantee whatsoever that the files will be unlocked after paying the ransom; after all, you are dealing with criminals).
Another client of ours got their email system hacked and compromised. The hackers sent out emails on behalf of lawyers and secretaries to all contacts of the firm. These emails contained a document for review. After opening the document, the recipients' computers also got infected. This obviously is a very bad situation, both for the law firm and for its clients.
Please do not think the law firms mentioned are amateurish. All three are considered the elite in their respective jurisdictions. If this happens to them, it could also happen to your firm.
For lawyers confidentiality is key. Law firms are not only being targeted by crypto lockers and viruses; hackers are also actively after the data. Just type 'law firm hacked' into Google and you get over 7 million results. Results feature well-known cases such as the 'Panama Papers' and Cravath and Weil being hacked back in 2016. While some cases are well documented, most hacked law firms manage to keep out of the publicity. The insurance industry estimates that 1 in 5 law firms are being hacked. Again, this could very well be your firm. If it can happen to Cravath, why would it not happen to you?
Clients demand proof that law firms take data security seriously
Increasingly, clients of law firms are asking their panel firms to state what measures they take to ensure the security of confidential data and protection against hacker attacks. Having a robust cyber security policy will be an important requirement for winning business. Given all the facts mentioned above, there is surprisingly little sense of urgency among partner groups, even to the extent that sensible measures implemented by IT experts sometimes need to be rolled back because partners find them inconvenient. This is a potentially dangerous attitude.
So instead of raving about their Legal Tech, law firms should start prioritizing Cyber Security. Here are some basic measures for every firm to take.
Make sure all software is updated. We see too many law firms that still run on outdated versions of Windows, just because of all the legacy systems they have running. Older versions of Windows are less secure. That is why WannaCry could wreak havoc and cripple major companies back in 2017.
Restrict access to data on a need-to-know basis. Many law firms have a file system that can be accessed by every lawyer and every secretary in the firm. While this might be convenient, it is not safe.
Store no data locally unless it is needed on that specific day. Encrypt all laptops fully. Connect remotely only through a VPN. Never send documents to yourself by email.
Give regular (at least twice a year) training to all staff on all aspects of cyber security. Train people in cyber hygiene and teach them how to recognize suspicious emails. We at TGO Consulting, for example, have a policy never to click on links or open documents that were sent unsolicited, even if they seem to come from a client. Before opening, we will always ask the sender to confirm that the document has actually been sent by them. This simple policy has saved us twice from getting infected by malware during the past 6 months.
Never use USB sticks to carry client documents. Never use a USB stick that has been received as a giveaway. A USB stick should be treated in the same way as a syringe: use it only when fresh out of the box. Even then, only use it for non-confidential presentations and destroy it after use.
Do not let anyone except your own lawyers and staff ever enter the 'production floors'. Clients and third parties are limited to the meeting rooms. Make sure that you know exactly who is doing the cleaning in the morning. Make sure you have done a background check on each and every cleaner. Keep a record of when they enter and when they leave. Do not permit cleaners to carry cellphones while at work. Third parties that need access to production areas should be properly identified and accompanied by a staff member at all times. The person checking the sprinkler could be there to steal information, so stay with them for as long as they are in production areas.
Never work on clients' documents while traveling on airplanes or trains. I fly a lot for business and you will not believe the number of times I have seen the person next to me or across the aisle work on confidential documents. Only last week the person next to me during a flight was preparing for a presentation to the board of a listed company. Without any effort I could see in which areas sales were going down and in which areas this company was going to invest and how much. This could arguably have led to insider trading. Just don't do it. Watch a movie or read a book instead.
Never talk about confidential matters outside the office. Again, you will be surprised how much confidential information can be overheard while traveling. If two colleagues travel together they will almost always end up discussing work, not to mention telephone conversations. People easily forget that they are not alone when they are focusing on the conversation. So don't talk about client matters outside the office.
Data Security is as much human behavior as it is technology: educate and train your lawyers and your staff!
The list above is by no means complete, but it shows that a big part of cyber security comes down to human behavior. This is both good news and bad news at the same time. The bad news is that all your investments in IT security and defense will not be effective if humans are not behaving in the proper way. The good news is that you probably don't need to invest a lot before your cyber and data security can improve. Start by training your lawyers and staff on a permanent basis. Setting up such a program might be an excellent way to spend the summer, so that training can start as soon as everyone returns after the holidays.