By Christian Toon, Chief Information Security Officer for Pinsent Masons
Why Cyber Security is your problem too
Cyber security is important because smartphones, computers and the internet are now such a fundamental part of modern life that it’s difficult to imagine how we’d function without them. From online banking and shopping to email and social media, it’s more important than ever to take steps that can prevent cyber criminals getting hold of our accounts, data and devices.
Cyber Security is now one of the top 3 global risks facing business today, and law firms are no exception. We are trusted advisors to many industry-leading and regulated businesses; we are either prosecuting or defending in legal proceedings or transferring high-value transactions between our clients.
This means we hold a lot of sensitive data and money that will be of interest to criminal groups, nation states or activist groups. Behind most of the data breaches you’ve read about to date are groups looking to make financial gain. For a business such as Pinsent Masons, it’s easy to see why we’re a target.
The Law Society and the National Cyber Security Centre (https://www.ncsc.gov.uk/report/-the-cyber-threat-to-uk-legal-sector–2018-report) have called out four key cyber security threats to UK law firms, but these apply around the world. They are:
Phishing – Emails or text messages sent to you with malicious intent. They either include links for you to click on that take you somewhere you don’t want to go, or carry a malicious attachment that could cause damage to your systems. Harder to spot are emails that contain no malicious content at all but are the start of a social engineering attempt, where the sender pretends to be someone they’re not in order to get you to do something you wouldn’t normally do.
Data Breaches – Data around law firms flies through inboxes, cloud-based storage sites (such as Dropbox) and printed copies of material, as well as sitting on CDs, USB sticks and hard drives. Keeping track of where your information and your clients’ information is has to be a priority, because this sensitive information is also of interest to others. Both accidental breaches and targeted compromises can pose a threat to the integrity of our clients and the firm.
Ransomware – Software with destructive and damaging capability that makes laptops and servers impossible to operate. Losing your email, payment systems, telephone, time recording and document management systems can be a painful experience. A magic circle law firm has already felt the pain of having to rebuild its IT from the ground up. The aim here is to make files and systems unusable and then demand a ransom to unlock them.
Supply Chain Risk – Vendors, business partners, contractors and other third parties in the supply chain helping you deliver on your matters are also a key threat. They will have access to the same information and systems as employees, but may not have the same levels of protection we have. There are also a number of cases where suppliers have either been the route into a data breach or have been compromised themselves whilst holding data for others.
Steps You Can Take
All is not lost; there are some steps you can take to help safeguard the firm and your digital lives too:
Use a different and complex passphrase (a memorable sentence or phrase, interspersed with special characters or numbers) for each of your services. Reusing passwords means that if one gets stolen, the other services that share it are at risk too. If you feel comfortable using a password manager, then do; Pinsent Masons is sourcing one for everyone shortly. Writing down passwords can help, but you then need to secure that written copy physically, just as carefully.
Services such as www.haveibeenpwned.com can tell you if your information has ever been made public in a major data breach, and can even alert you if it happens in the future. Pinsent Masons subscribes to this for all @pinsentmasons.com email addresses.
Multi-factor authentication (MFA) can mitigate password guessing and theft, including brute force attacks. MFA is also called two-step verification or 2-factor authentication (2FA). It works by having you receive or generate a code, either through an application, a hardware token or SMS, which gives you a unique piece of information that is required during the log-on process in addition to your password. It should be enabled on all accounts that give you the option to do so, such as webmail, LinkedIn, Twitter, Snapchat, Instagram, Facebook etc. It will add a few more seconds to the login process but is invaluable in protecting your accounts.
Be vigilant: if something sounds too good to be true, or you are asked to operate outside of process, then there’s clearly an ulterior motive. If you weren’t expecting correspondence or content from a person, approach it with caution, and if you get engaged in conversation with someone you haven’t met, validate their credentials. We recently detected someone acting as a ‘Whistleblower’ in favour of a client’s case. It turns out this ‘Whistleblower’ was intent on doing us harm by sending us Ransomware and software to give unauthorized access.
If you’re unsure about how to keep safe, speak to an Information Security professional; they should be able to provide further advice to ensure you’re protected both at work and at home.