All posts by Robert Rutherford

About Robert Rutherford

Tel: +44 (0)203 727 3761
Robert Rutherford is Chief Executive Officer of QuoStar, a fast-growing consultancy that specialises in business technology. As CEO, Robert has overall responsibility for business-wide operations and has expanded the company over the past eight years, delivering year-on-year growth and a client retention rate of nearly 100%. Robert is heavily involved in the business community, both in London and in Bournemouth, where QuoStar currently has its offices. He can regularly be seen discussing subjects such as global politics and business technology across the social channels.

Will the Panama Papers finally teach law firms about cybersecurity?

It was recently revealed that the data leak from Panamanian law firm Mossack Fonseca was caused by an outsider who was able to capitalise on vulnerabilities in old-fashioned technology. This is not unique or a surprise, but actually a common occurrence. Law firms around the world are constantly under attack from hackers, undoubtedly because they not only deal with a huge amount of monetary transfers each day, but also due to the wealth of confidential information contained within their servers.

All law firms, and indeed all businesses, can be hacked in a number of different ways, from stealing an office mobile phone to piecing together a shredded document. However, there are two main ways in which a firm is most likely to be breached: through software vulnerabilities or social engineering of its staff.

Susceptible software

Every day, security researchers and hackers find numerous ways to bypass security defences in a piece of software. The vendor of that software will then fix the weakness with an update, and the cycle continues. The issue lies in the window between the vulnerability being identified and ultimately being fixed by the IT team. This could be a matter of minutes, but could be days, weeks, or even years in some cases, depending on the team’s software update schedule and the level of additional security systems in place.

Keeping software patched is an important task, as every single device connected to a network is at risk if the weakness is not corrected in time, ranging from a server or printer right the way through to a door entry system. It is also important to consider how patient a hacker can be: it can take days, months, or even a year for a hole to appear in a network, so it is a waiting game on their part, but one they will willingly play.

Socially engineering staff

Utilising a firm’s employees is undoubtedly the simplest and most effective method for breaching a firm’s network. Hackers can exploit staff within a firm to divulge information, either allowing them to access systems directly or to build up a picture of the environment, which is pieced together to allow them to breach defences.

Obtaining this information can be as simple as calling an individual within a firm, stating that you are new within the IT department and need to run some tests on their machine. The oblivious employee will then go to a fake website and run a piece of software as requested, which gives the hacker on the phone access to the firm’s network. Once a hacker has got into a network, it is simple for them to escalate system privileges and gain access to whatever they wish.

To get on the right track here, firms must train their employees well and keep them informed of any security threats that are current and could be on the horizon. By demonstrating to employees in a seminar-based format just how easy it can be to succumb to a hack, firms can help to dramatically increase their defences. Offering real world examples alongside regular updates of the latest guises of cyber attacks will help to reinforce this training.

Starting with cybersecurity

The issue facing firms for many years is that hackers can easily learn and develop these skills online – by joining a user group, watching videos or downloading more or less ready-to-go software applications.

Due to the number of financial transactions that occur within law firms on a daily basis, they are a prime target for hackers and, if not protected by a concrete cybersecurity strategy, can be an easy source of money. Firms concerned about their own exposure following the hack at Mossack Fonseca might not know how to implement a cybersecurity defence, or how to initiate improvements to their existing measures.

The truth is that technology is actually the last piece of the puzzle when it comes to cybersecurity – the real work comes in undertaking risk assessments and understanding what the risks to a firm are. A firm will be truly vulnerable to hackers if these two basic exercises have not been completed.

The issue is that over time, the security landscape changes, and so do the risks. The risks have developed and moved on, but many firms are still relying on the basics to protect themselves. In order to implement an effective data leak protection policy, firms should implement controls such as portable encryption, endpoint protection, email content control, data leak prevention and intelligent firewalls as a minimum.

The ISO 27001 standard is a worldwide standard for managing IT security within a business, and is a fantastic starting point for a law firm looking to implement a cybersecurity strategy. In the main, it boils down to a firm identifying its risk, assigning controls to these risks and then continuously reviewing and improving this process. This approach will give the senior leadership team and staff throughout the firm the confidence that the business has been truly analysed and appropriate controls assigned to potential chinks in its armour.

It is likely that the security systems that are needed to protect the majority of firms from the majority of hacks are already in place. If a firm is already running an Information Security Management System (ISMS), continually monitoring, documenting, reviewing and improving its security processes, then it is certainly on the way to being truly protected. At this point, a firm should look to have its security tested by an expert, to ensure there are no weak points in its structure.

Regardless of how or when a cybersecurity strategy has been implemented, it is imperative that the senior management within a law firm takes responsibility for its security. An IT department, whether outsourced or within a firm itself, should not have the responsibility placed solely on its head if a firm does have a data leak. It is a firm’s responsibility, particularly the board’s, to understand the risks, and prepare for the constant attempts by hackers to find a way into its network. Only then can a firm and its staff feel confident that they are cyber secure.

Scam Emails – How Much of a Threat Are They to Law Firms?

The rise in targeted email attacks to businesses worldwide continues to dominate the news headlines. Attacks like these are dangerous by their very nature. Not only are they increasing in frequency, but they are also becoming smarter by the day.

At the moment, we’re seeing a rise in activity related to the Business Email Compromise (BEC) scam, where an employee is tricked into believing that he or she needs to make a bank transfer to a known external entity, but ends up sending these funds to a criminal instead.

Targeted spoofing is one of the biggest risks that firms currently face. This is not the age-old problem of spam emails, but something much more threatening. Spam emails involve a single email being sent to millions of addresses, often with falsified branding of a well-known company, for example a bank.

This ‘hit and hope’ exercise depends on a number of factors in order to be successful: the recipient must actually be a customer of that bank; the spam or anti-virus systems must fail to identify the email as a risk; and the recipient must not recognise it as a dangerous email. As a result, the sender may not get even one bite from sending out hundreds of thousands of these emails.

Targeted email attacks are much more sophisticated – and now involve much more than just email; they merge emails, calls and sometimes physical visits to a target firm’s office – this is truly hacking for the masses. A number of hacking tools are now available for anyone to download, along with all the information they need to manipulate employees into performing actions or divulging confidential information – a key hacking term known as ‘social engineering’.

This will no doubt add to the cybersecurity hysteria that is running rampant across many different sectors, including both legal and professional services. However, the truth is that the security systems that are needed to protect the majority of firms from the majority of hacks are probably already in place.

What does this mean for the legal sector?

In the US alone, the FBI has reported that between October 2013 and August 2015, $750 million was lost across 7,000 victim companies through targeted email attacks – an average of $100,000 per attack. In one high profile incident, Ubiquiti Networks lost an incredible $46 million. Most recently, a new report analysed CryptoWall 3.0 ransomware attacks in the US and found that it has cost victims $325 million, with that entire sum potentially going to a single source.

These attacks aren’t conducted at random; they are aimed specifically at certain firms, particularly within the legal market. At a legal roundtable event last month, it was surprising to see how many law firms are being actively targeted. Other sectors have obviously struggled with this same issue, but to nowhere near the same degree.

Law firms have always been a prime target for email attackers due to the large amount of monetary transfers they process, and it appears that the criminals have now realised this too. These attacks show a concerted effort to merge online and offline methods of extracting funds from law firms, to the extent that offices are actually being visited by attackers to gain further information about a firm.

How do you spot risks and threats via email?

It can be difficult, but there are several ways to combat this threat, including watching out for domain names that aren’t quite right, and looking out for language use and spelling mistakes. But these change on a daily basis. As a result, if they are developed properly, targeted emails can get past most, if not all, IT systems.

A firm’s greatest weakness – and greatest protection – therefore lies with its employees. Understanding which emails are suspicious will require training throughout the firm – and that means every firm. It’s a serious mistake to think: ‘but we have bright employees, so it’s not an issue for us’. Firms cannot make any assumptions when it comes to security; they will need to check, assign controls and systems, and check again.
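The checks described above (a sender domain that isn’t quite right, a reply address that quietly points elsewhere, and the urgent request to move funds that characterises a BEC email) can be automated as a first-line triage step. The following is an added example, not code from the original post or from QuoStar; the trusted domain list, the sample message and the keyword lists are constructed assumptions for illustration.

```python
import re
from email.parser import Parser
from email.utils import parseaddr

# Constructed assumption: domains the firm legitimately corresponds with.
TRUSTED_DOMAINS = {"quostar.com", "examplebank.co.uk", "clientfirm.co.uk"}

# Phrases typical of a funds-transfer request combined with pressure to act now.
PAYMENT_WORDS = re.compile(r"\b(bank details|wire|transfer|payment|account number)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|today|asap|confidential)\b", re.I)


def normalise(domain: str) -> str:
    """Undo common character substitutions used to build lookalike domains."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01", "ol"))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if exact or unrelated."""
    d = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if domain.lower() == trusted:
            return None                      # genuine sender
        if d == trusted or edit_distance(d, trusted) <= 2:
            return trusted                   # homoglyph swap or near miss
    return None


def assess(raw_message: str) -> list:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = Parser().parsestr(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    target = lookalike_of(domain)
    if target:
        findings.append(f"sender domain {domain} resembles trusted domain {target}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"Reply-To directs replies to a different domain ({reply_to})")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PAYMENT_WORDS.search(body) and URGENCY_WORDS.search(body):
        findings.append("urgent request to move funds or change bank details")
    return findings


# Constructed sample: a digit-for-letter lookalike of the firm's own domain.
SAMPLE = """From: Finance Team <accounts@qu0star.com>
Reply-To: accounts@mail-relay.example
To: cashier@quostar.com
Subject: Completion funds

Please transfer the completion funds today to the new account number below. Urgent.
"""
```

A message that trips any of these findings is a candidate for the phone-out verification described later, not an automatic rejection: the checks reduce the load on staff, they do not replace the training.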

How can businesses avoid succumbing to these attacks?

In security terms, the human factor will always be a firm’s weakest link. This comes down to employee training, from support staff, to trainees, to managing partners – anyone who picks up an email, answers the door, or takes a call.

Firms that train their employees well and keep them informed of any security threats will be on the right track. By showing employees how easy it can be to succumb to an attack, firms can help to sharpen their defences dramatically. However, it’s important to ‘make the threat real’ – talk and text just won’t cut it.

Training staff on IT security is also key. Don’t take shortcuts with this – take staff into seminar-based training and explain the risks. Giving them real world examples will help reinforce the training. It’s crucial that employees understand that the whole firm is in this together, with a duty to protect both the firm’s and clients’ interests.

Of course, spam filtering, anti-virus software and firewalls will already be a part of most firms’ arsenals against these sniper-like attacks. However, it is still imperative to devise internal controls and systems that dictate when and how staff can release confidential information, financial information and funds. Think passwords, phone-out verification, electronic signatures, encryption and secure portals. This might seem like overkill, but implementing at least one or two of these steps will help to ensure that only the right people have access to sensitive information, whether it’s the firm’s data or a client’s.

The ISO 27001 standard

When we are talking about IT security, we are basically talking about the threat to assets. An asset can be a PC, a server or even a member of staff. The largest assets that a law firm possesses are its reputation and its brand. The most effective way of protecting these assets will be to train the user base on how to identify suspicious behaviour, how to report it, and how the firm takes responsibility for review and remediation.

The ISO 27001 standard is, without a doubt, the best way for a firm’s leadership to understand at a high level what the security risks are and the likelihood of an attack, in addition to the impact that a breach would have on the firm.

As such, all law firms should look into implementing the ISO 27001 standard, as this actually takes much of the thought out of the process. It’s not difficult, and certification can normally be achieved for the price of a holiday for two. This is a vital first step for a firm that wants to focus on improving revenue and profit, rather than never knowing for certain if it is secure.