There may well have been a time when there was little chance of you or your chambers being targeted to gain access to data or finances, but unfortunately those days are long gone. And yet, being custodian of your client’s data is expected and even taken for granted.
Some are still very much in denial about the risks: hacking won’t happen to me; major security breaches are a concern for bigger organisations; big firms get shamed on the front of the national newspapers; we don’t have any information that anyone else is really interested in. These misconceptions, whilst becoming less commonplace, still reign for some.
Anecdotes of security issues arising from password sharing, reports of early-stage phishing attempts and generic email spoofing attempts continue to serve as important reminders for all, and are very useful to weave into regular awareness training. However, the following example is a real-life demonstration of just how premeditated and targeted hacks are becoming. There is nothing remarkable about the company involved in this series of events: a mid-sized company, with its own uniqueness and information whose commercial value it probably underestimated, introduced to us in its hour of need.
This chain of events all started with a third party gaining unauthorised access to an email account belonging to a member of the senior management team, via a phishing link which then prompted for username and password details. The ‘hacker’ hibernated for a period and, in doing so, prevented suspicions from being raised. During this time, having retrieved the all-important access credentials, they became an onlooker, spending a good month observing the chosen individual’s habits: learning exactly how the individual emailed their senior staff, as well as taking copies of key contact lists, emails and documents. The foundations were then in place. Armed with information, knowledge and email account access, the imposter pressed on with taking on the Senior Manager’s persona. This involved sending emails, deleting sent emails and redirecting inbound email via mailbox rules, to prevent the victim ever seeing some email chains.
The hackers’ groundwork had also included mapping out the company’s accounting processes. This taught them that payment approvals were not carried out on email but instead via SMS. With this intelligence, they recognised that intercepting the SMS process would give them a golden ticket. Consequently, they altered the victim’s iCloud account to enable payment authority to be provided without their knowledge. Payment requests were made and authorised seamlessly, exactly as planned.
Eventually, mysterious email activity triggered concern and the ‘hack’ was detected and blocked, but unfortunately this wasn’t quite the end of it. The attacker continued to use their newly downloaded contacts file for a few weeks, taking instead to spoof emailing client contacts. And, of course, some of the damage is longer lasting still.
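The mailbox-rule tactic described above (forwarding, deleting or hiding inbound mail so the victim never sees certain chains) leaves a trail in mailbox audit logs. The following is an added example, not code from the article or from Instant On IT, that screens constructed audit records for rules with those characteristics; the record shape is a simplified assumption modelled on Exchange Online inbox-rule audit entries, and the address, folder and keyword lists are illustrative choices.

```python
import json

# Constructed sample records (assumption: simplified form of Exchange Online audit entries for
# inbox-rule changes, not a verbatim export). Records 1-2 mimic the article's tactic, 3 is benign.
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2019-03-04T07:12:55", "UserId": "s.manager@example.com", "Operation": "New-InboxRule", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2019-03-04T07:13:20", "UserId": "s.manager@example.com", "Operation": "New-InboxRule", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Name", "Value": "fwd"}, {"Name": "ForwardTo", "Value": "archive.mail@example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2019-03-04T09:01:02", "UserId": "j.clerk@example.com", "Operation": "New-InboxRule", "ClientIP": "198.51.100.5", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "newsletter"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"CreationTime": "2019-03-04T09:30:00", "UserId": "s.manager@example.com", "Operation": "MailItemsAccessed", "ClientIP": "203.0.113.7", "Parameters": []}
"""

INTERNAL_DOMAINS = {"example.com"}                      # assumed: the organisation's own mail domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items", "conversation history"}
FINANCE_WORDS = {"invoice", "payment", "bank", "transfer", "remittance"}

def parse_records(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def risk_reasons(record):
    """Return the list of reasons a rule-change record looks like mailbox manipulation (empty if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    reasons = []
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):   # mail leaving the organisation
        target = params.get(key, "")
        if target and target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            reasons.append(f"{key} to external address {target}")
    if params.get("DeleteMessage", "").lower() == "true":               # victim never sees the message
        reasons.append("rule deletes messages")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:        # parked where nobody looks
        reasons.append(f"moves mail to rarely read folder '{params['MoveToFolder']}'")
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & FINANCE_WORDS:                                            # targets payment-related mail
        reasons.append("matches finance keywords " + ", ".join(sorted(words & FINANCE_WORDS)))
    if len(params.get("Name", "").strip()) <= 2:                         # rule named to avoid attention
        reasons.append("near-empty rule name")
    return reasons

def find_suspicious_rules(text):
    hits = []
    for rec in parse_records(text):
        reasons = risk_reasons(rec)
        if reasons:
            hits.append({"user": rec["UserId"], "time": rec["CreationTime"], "ip": rec.get("ClientIP"), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_AUDIT_LOG): print(hit["time"], hit["user"], hit["ip"], "; ".join(hit["reasons"]))
```

Each hit is worth reviewing together with the source IP and the sign-in logs for that user, since a rule created from an unfamiliar location shortly after a sign-in is the pattern in the incident above.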
Unfortunately, this tale of woe is not fictitious and this style of organised attack is only set to become more frequent. There are, however, practical steps that can be taken to avoid structured attacks such as this.
- You can start by enhancing the security basics via industry standards like Cyber Essentials. Standards like Cyber Essentials call for standardisation of best practice. Cyber Essentials Plus involves a third-party audit and demonstrates clear public intent that you take security seriously. It is recognised that achieving the standard is not without its challenges given a chamber’s structure, but it certainly helps avoid far greater challenges down the line. Having a Head of Chambers, for example, fall victim to a chain of events like the one we have outlined would make for very bad PR.
- Secondly, providing ongoing training sessions, covering the current risk landscape and how to avoid being an easy target, is essential. It is strongly advised to complement this with regular ‘managed’ third-party phishing tests, to educate barristers and staff on how to spot the latest trends in phishing.
- Thirdly, security tools are often provided as part of your work software. These are not provided to complicate life; they should form part of chambers’ IT policy and be adopted where available. For example, two-factor authentication would have prevented the incident escalating as we have described, had it been turned on for the victim’s account. With Microsoft’s Office 365, this functionality can be switched on without charge. Without significant cost, your IT partner should be able to help customise how this works for your chambers, by enforcing this only outside of your trusted locations, such as chambers’ offices. Maybe you want to consider taking things a step further – either now or in future – and set conditions around which devices can access services such as email.
- Lastly, as part of an improved security policy taking GDPR compliance into account, you can put rules in place to check or audit outbound emails and to block the sending of sensitive or classified documents, or use Information Protection tools to restrict the access of specific documents to internal staff only.
A little expert advice earlier on and this particular attempt could have been thwarted. Even though IT is not chambers’ core business, it is becoming an increasingly important aspect for chambers’ management, staff and barristers alike. Intelligent IT can take on clever crooks, or at least limit the damage they might cause.
By Paul Coote, Founder and MD, Instant On IT
About Instant On IT
Instant On IT has been tailoring IT to barristers’ chambers’ unique requirements for around 14 years. We provide a full range of IT services, from strategic consultancy and day-to-day management and support, to secure cloud and business connectivity services.
Office locations: central London, New Zealand