Cyber security and the risk of cyber-attacks are suddenly at the top of every business’s agenda, and particularly those of lawyers.
The recent worldwide “Petya” and “Wannacry” cyber-attacks are focussing attention on the risks of such attacks and how organisations can protect themselves.
The phrase “cyber-attack” is used to cover a multitude of sins and it is worth separating out the strands in order to analyse the risks and consider what organisations need to do to protect themselves against those risks.
Risks – Legal, Regulatory, Reputational
The risks of a cyber-security breach include legal, regulatory and reputational risk. Lawyers are under information security obligations under both the Data Protection Act and (from May next year) the General Data Protection Regulation. Under the GDPR data controllers must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Given the highly sensitive nature of data held by lawyers this implies a relatively high degree of information security.
The BSB Handbook requires barristers to preserve the confidentiality of the client’s affairs, which also requires cognisance of information security risks.
The reputational damage arising from a significant breach may outweigh any legal or regulatory consequences.
The main threats are:
- Viruses – usually now some form of encryption software;
- External hack of system leading to either data loss or money loss and which could come from a variety of sources such as password theft / brute force attack;
- Payment diversion fraud email (although Barristers are unlikely to be handling client money);
- Invoice fraud;
- Internal fraud – usually either involving data theft or straightforward theft of money.
The concern many people have – of a password being “guessed” – is probably the lowest risk and the least likely to occur. That isn’t to say of course that suitable safeguards shouldn’t be put in place to protect against this risk, but it may not be the biggest risk you face, and the priority it is given should be judged accordingly.
There are in my view at least three main types of preventative steps organisations can take to try to reduce cyber risk:
- IT based
- Training based
- System based
Separately, steps can also be taken to mitigate the consequences after the event if (when) a cyber-risk comes to pass.
IT based protections
These protections may include:
- Running up to date anti-virus software on individual PCs and on servers.
- Keeping your operating system up to date. The recent NHS virus attack focussed on weaknesses in Windows XP but many businesses, quite understandably, do not always update to the latest Microsoft OS as soon as it comes out. We all know that upgrading software often brings its own challenges and costs. So this is one that needs monitoring and a judgement made about when to upgrade the OS.
- Running server monitoring software which is designed not to identify and quarantine viruses, but to flag up unusual activity on servers. The software, which is not cheap, monitors systems for unusual activity and flags up to your IT team if it identifies anything of concern. An encryption virus, which changes file suffixes, should be spotted by this software as soon as it starts to run.
- Setting up a “honey trap” server. Many encryption viruses launch their attack alphabetically, so a server which is set up to be the first in line for attack, with plenty of nice juicy files for encryption which you are happy to lose, gives you a better chance of spotting the virus before it has made its way to the other servers, particularly if used in conjunction with the server monitoring software, which should spot the virus attacking the honey trap. But beware: the virus designers will soon find ways of creating a “product” which sidesteps this protection.
- Regular penetration tests using a suitable expert firm are a useful test of IT security. Using different suppliers for this is also helpful. Different firms will approach the test in a different way.
- Locking down USB ports and CD/DVD drives on PCs and MFDs so that no one can introduce a device or data to the system without prior IT authorisation. This prevents engineers from, say, a third party supplier plugging their laptops into your system to diagnose faults, which could be the route by which a virus is introduced or, in malign hands, a golden opportunity for a hacker. It also prevents staff from putting CDs / DVDs / USB keys into their PCs and inadvertently introducing a virus.
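As an added illustration, not code from the original article, here is what the two detections described above look like in practice: the server monitoring rule that flags an encryption virus as it changes file suffixes, and the honey trap server whose files nobody should legitimately touch. The share path, the threshold of five suffix changes per minute and the audit log are all assumed or constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Assumed values: the honey-trap share is named to sort first alphabetically,
# and five suffix-changing renames by one user inside a minute count as "unusual".
HONEYTRAP_PREFIX = "/srv/aaa-honeytrap/"
SUFFIX_CHANGE_THRESHOLD = 5
WINDOW = timedelta(seconds=60)

def changes_suffix(old_path, new_path):
    """True when a rename alters the file extension (e.g. .docx -> .locked)."""
    return PurePosixPath(old_path).suffix != PurePosixPath(new_path).suffix

def detect(events):
    """Scan file-server audit events (dicts with ts, user, action, path and,
    for renames, new_path) in time order and return a list of alert tuples."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of suffix-changing renames
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        # Honey trap rule: nobody has a reason to write to or rename files on that share.
        if ev["action"] in ("write", "rename") and ev["path"].startswith(HONEYTRAP_PREFIX):
            alerts.append(("honeytrap_touched", ev["user"], ev["path"]))
        # Monitoring rule: a burst of extension changes looks like encryption in progress.
        if ev["action"] == "rename" and changes_suffix(ev["path"], ev["new_path"]):
            window = [t for t in recent[ev["user"]] if ts - t <= WINDOW] + [ts]
            recent[ev["user"]] = window
            if len(window) == SUFFIX_CHANGE_THRESHOLD:  # fire once as the burst crosses the line
                alerts.append(("suffix_change_burst", ev["user"], ev["new_path"]))
    return alerts

# Constructed sample audit log: one ordinary rename by alice, then bob touching
# the honey-trap share and renaming six documents to a new suffix in 25 seconds.
SAMPLE_EVENTS = [
    {"ts": "2017-07-01T08:59:40", "user": "alice", "action": "rename",
     "path": "/srv/data/report.docx", "new_path": "/srv/data/report_v2.docx"},
    {"ts": "2017-07-01T08:59:50", "user": "bob", "action": "write",
     "path": "/srv/aaa-honeytrap/contract.pdf"},
] + [
    {"ts": f"2017-07-01T09:00:{5 * i:02d}", "user": "bob", "action": "rename",
     "path": f"/srv/data/f{i + 1}.docx", "new_path": f"/srv/data/f{i + 1}.docx.locked"}
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample log it raises two alerts for bob, one for the honey trap write and one when his fifth suffix change lands inside the minute, and none for alice’s ordinary rename.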
Training based protections
This is of course at the heart of all cyber security issues. And this is not easy. How many times have you heard someone pronounce solemnly that your cyber protection is only as good as the weakest human link? Unfortunately it has more than a grain of truth. But if you supply too much training or your training is too generic you risk it going over staff’s heads or being ignored. If your warnings are too blood-curdling you risk paralysing normal activity and neutralising people’s judgement. And a good sense of judgement is what you should be trying to inculcate in staff, not a rule bound abdication of responsibility. By the same token some systems are needed, but they can’t be so bureaucratic that they are either ignored or turn the business sclerotic.
My view is that little and reasonably is the best way. Real life examples and ideally ones which produce a reaction which is just the right side of “there but for the grace of God go I…” are probably the best. Examples that staff can relate to but which don’t produce a fatalistic attitude to the risk.
There is a balance between threat and reassurance. All businesses want their staff to take the threat seriously and to hold up their hand immediately if anything happens – speed of response if there is a virus attack is often absolutely vital – but at the same time everyone must understand how serious it is and that there could be potentially very serious consequences for an individual who is at fault in allowing or facilitating a virus into the business’s systems.
What does that all mean in practice? Well I would suggest the following:
- Regular intranet items on cyber security issues that have either affected the firm, or similar businesses or are a current live threat;
- A standing item on the agenda of departmental meetings to discuss the latest cyber security threats and to share experience – it is important here that senior staff lead the way by using examples of their own “near misses” to encourage information sharing;
- Periodic training on the latest risk – such as spotting fake emails;
- The use of false “fake” emails to flag the risk in a safe way;
- A regular item on internal conference agendas.
System based protection
These overlap with staff training to a substantial extent but they address different issues, or have a different emphasis.
The organisation should have clear policies on cyber issues – use of mobile devices, use of removable media, internet use, remote access to systems and passwords are just some of the areas that policies should address – and should require active acceptance of those policies to hammer home the message about their significance.
Internal systems for authorising payments are not often seen as a cyber issue, but they are the final line of defence both against payment diversion fraud emails and against conventional frauds with a cyber twist. The fraudulent invoice apparently from an established supplier but with changed bank details is very common. Who has to authorise what level of payment from which account in which fashion? Whose internet banking access allows them to do what? Who would have to collaborate with whom to effect precisely what level of payment?
This is where that balance between operational simplicity and efficiency rubs up against risk. There isn’t a right answer, but you can think about it and make a judgement. Don’t be afraid to change what you’ve done if it proves unworkable. That’s fine.
After the event
A regular back up of your system is the first and most obvious step. Of course, a virus could get into the back up. But it may not do so, and you will still have a back up from some point before the virus did get in.
Just as, if not more, important is running a specific cyber based disaster recovery exercise. How easy is it to get your systems back up and running post attack? Does the back up work smoothly? How do you communicate with everyone when your IT systems are, by definition, down? Where is information held that you need for disaster recovery and can you access it in the event of a cyber attack? Many of the questions are standard ones in a disaster recovery situation of any description, but there are particular issues when the disaster is a cyber attack.
Cyber attack insurance is now commonly available. It has not yet been tried and tested and you need to look carefully at what it is actually insuring you against and to what extent you need that protection. Usually the policy provides emergency IT support, compensation for loss of income, costs of repair to systems damaged by the attack and reputation management.
Cyber security certification – ISO 27001. More precisely ISO 27001 is about information security. My impression is that the standard is not yet common in the legal world. The challenge with any such standard of course is always weighing up the bureaucracy, process and therefore cost that it imposes on you against the advantages that it brings. At the very least though, benchmarking your business against the standard will give you an idea of what it involves and what you need to do and, that word again, help you form a judgement about the cost/benefit analysis that certification would involve.
Managing Partner, Russell-Cooke
Specific guidance on information security has been issued, available at http://www.barcouncil.org.uk/practice-ethics/professional-practice-and-ethics/it-issues/information-security/