The rise in targeted email attacks to businesses worldwide continues to dominate the news headlines. Attacks like these are dangerous by their very nature. Not only are they increasing in frequency, but they are also becoming smarter by the day.
At the moment, we’re seeing a rise in activity related to the Business Email Compromise (BEC) scam, where an employee is tricked into believing that he or she needs to make a bank transfer to a known external entity, but ends up sending these funds to a criminal instead.
Targeted spoofing is one of the biggest risks that firms currently face. This is not the age-old problem of SPAM emails, but something much more threatening. SPAM emails involve a single email being sent to millions of addresses, often with falsified branding of a well-known company, for example a bank.
This ‘hit and hope’ exercise depends on a number of factors in order to be successful: the recipient must actually be a customer of that bank; the SPAM or anti-virus systems must fail to identify the email as a risk; and the recipient must fail to recognise it as a dangerous email. As a result, the sender may not even get one bite from sending out hundreds of thousands of these emails.
Targeted email attacks are much more sophisticated – and now involve much more than just email; they merge emails, calls and sometimes physical visits to a target firm’s office. This is truly hacking for the masses. A number of hacking tools are now available for anyone to download, along with all the information they need to manipulate employees into performing actions or divulging confidential information – a key hacking term known as ‘social engineering’.
This will no doubt add to the cybersecurity hysteria that is running rampant across many different sectors, including both legal and professional services. However, the truth is that the security systems that are needed to protect the majority of firms from the majority of hacks are probably already in place.
What does this mean for the legal sector?
In the US alone, the FBI has reported that between October 2013 and August 2015, $750 million was lost across 7000 victim companies through targeted email attacks – an average of $100,000 per attack. In one high profile incident, Ubiquiti Networks lost an incredible $46 million. Most recently, a new report analysed Cryptowall 3.0 ransomware attacks in the US and found that they have cost victims $325 million, with that entire sum potentially going to a single source.
These attacks aren’t conducted at random; they are aimed specifically at certain firms, particularly within the legal market. At a legal roundtable event last month, it was surprising to see how many law firms are being actively targeted. Other sectors have obviously struggled with this same issue, but to nowhere near the same degree.
Law firms have always been a prime target for email attackers due to the large amount of monetary transfers they process, and it appears that the criminals have now realised this too. These attacks show a concerted effort to merge online and offline methods of extracting funds from law firms, to the extent that offices are actually being visited by attackers to gain further information about a firm.
How do you spot risks and threats via email?
It can be difficult, but there are several ways to combat this threat, including watching out for domain names that aren’t quite right, and looking out for unusual language use and spelling mistakes. But these telltale signs change on a daily basis. As a result, a well-crafted targeted email can get past most, if not all, IT systems.
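The ‘domain names that aren’t quite right’ check above can be automated at the mail gateway or in a triage script rather than left to each reader’s eye. The following is an added illustration, not code from the article: it takes a short, constructed list of domains the firm knows it transacts with (the `TRUSTED_DOMAINS` names, the `HOMOGLYPHS` table and the sample From: headers are all assumptions) and flags senders whose domain is a near miss of a trusted one, hides a trusted name inside a longer domain, or puts a trusted address in the display name while the real address is somewhere else.

```python
"""Flag look-alike sender domains in email From: headers.

Added illustration, not code from the article. The trusted-domain list,
the homoglyph table, the thresholds and the sample headers below are
constructed assumptions for demonstration.
"""
import re

# Assumption: domains the firm legitimately transacts with.
TRUSTED_DOMAINS = ("examplebank.co.uk", "smith-partners-law.com")

# Visual substitutions commonly used to imitate a domain (assumed list).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# An e-mail address appearing inside a display name, capturing its domain.
EMAIL_IN_NAME_RE = re.compile(r"[^\s<>@]+@([A-Za-z0-9.-]+)")

# Constructed sample From: header values (not real senders).
SAMPLE_FROM_HEADERS = (
    "Jane Smith <jane.smith@examplebank.co.uk>",                   # trusted
    "Jane Smith <jane.smith@mail.examplebank.co.uk>",              # trusted subdomain
    "Jane Smith <jane.smith@exarnplebank.co.uk>",                  # 'rn' imitates 'm'
    "Jane Smith <jane.smith@example-bank.co.uk>",                  # inserted hyphen
    "jane.smith@examplebank.co.uk <relay77@webmail.example>",      # address in display name
    "Accounts <accounts@examplebank.co.uk.secure-login.example>",  # trusted name embedded
    "Newsletter <news@unrelated.example>",                         # nothing to compare against
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case, drop a trailing dot and fold homoglyphs to their look-alike."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def is_trusted(domain: str) -> bool:
    """True for an exact trusted domain or a subdomain of one (mail.examplebank.co.uk)."""
    d = domain.lower().rstrip(".")
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def split_from(header: str) -> tuple[str, str]:
    """Split a From: value into (display_name, address).

    Done by hand rather than with email.utils.parseaddr so that an address
    written into the display name survives for inspection.
    """
    header = header.strip()
    if header.endswith(">") and "<" in header:
        name, _, rest = header.rpartition("<")
        return name.strip().strip('"'), rest[:-1].strip()
    return "", header


def classify_sender(from_header: str) -> tuple[str, str]:
    """Return (verdict, sender_domain) for one raw From: header value."""
    display_name, address = split_from(from_header)
    if "@" not in address:
        return ("unparseable", "")
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")

    if is_trusted(domain):
        return ("trusted", domain)

    # A trusted address in the display name while the real address differs.
    m = EMAIL_IN_NAME_RE.search(display_name)
    if m and is_trusted(m.group(1)):
        return ("display_name_spoof", domain)

    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        # Trusted name embedded in a longer, different domain, or a domain
        # within two edits of a trusted one after homoglyph folding.
        if trusted in domain or levenshtein(norm, normalise(trusted)) <= 2:
            return ("lookalike", domain)
    return ("unknown", domain)


def flag_lookalikes(headers) -> list[tuple[str, str]]:
    """Return (header, verdict) pairs that merit a human second look."""
    return [(h, v) for h in headers for v, _ in [classify_sender(h)]
            if v in ("lookalike", "display_name_spoof")]


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        verdict, domain = classify_sender(header)
        print(f"{verdict:20} {domain:45} {header}")
```

The edit-distance threshold and the homoglyph table are deliberately small; in practice both are tuned against the firm’s own correspondent list, and anything reported as `lookalike` or `display_name_spoof` is routed to a person rather than silently dropped, since a genuine partner with a new domain looks identical to an imposter from the header alone.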
A firm’s greatest weakness – and greatest protection – therefore lies with its employees. Understanding which emails are suspicious will require training throughout the firm – and that means every firm. It’s a serious mistake to think: ‘but we have bright employees, so it’s not an issue for us’. Firms cannot make any assumptions when it comes to security; they will need to check, assign controls and systems, and check again.
How can businesses avoid succumbing to these attacks?
In security terms, the human factor will always be a firm’s weakest link. This comes down to employee training, from support staff, to trainees, to managing partners – anyone who picks up an email, answers the door, or takes a call.
Firms that train their employees well and keep them informed of any security threats will be on the right track. By showing employees how easy it can be to succumb to an attack, firms can help to sharpen their defences dramatically. However, it’s important to ‘make the threat real’ – talk and text just won’t cut it.
Training staff on IT security is also key. Don’t take shortcuts with this – take staff into seminar-based training and explain the risks. Giving them real world examples will help reinforce the training. It’s crucial that employees understand that the whole firm is in this together, with a duty to protect both the firm’s and clients’ interests.
Of course, SPAM filtering, anti-virus software and firewalls will already be a part of most firms’ arsenals against these sniper-like attacks. However, it is still imperative to devise internal controls and systems that dictate when and how staff can release confidential information, financial information and funds. Think passwords, phone-out verification, electronic signatures, encryption and secure portals. This might seem like overkill, but implementing at least one or two of these steps will help to ensure that only the right people have access to sensitive information, whether it’s the firm’s data or a client’s.
The ISO 27001 standard
When we are talking about IT security, we are basically talking about the threat to assets. An asset can be a PC, a server or even a member of staff. The largest assets that a law firm possesses are its reputation and its brand. The most effective way of protecting these assets will be to train the user base on how to identify suspicious behaviour, how to report it, and how the firm takes responsibility for review and remediation.
The ISO 27001 standard is, without a doubt, the best way for a firm’s leadership to understand at a high level what the security risks are and the likelihood of an attack, in addition to the impact that a breach would have on the firm.
As such, all law firms should look into implementing the ISO 27001 standard, as this actually takes much of the thought out of the process. It’s not difficult, and certification can normally be achieved for the price of a holiday for two. This is a vital first step for a firm that wants to focus on improving revenue and profit, rather than never knowing for certain if it is secure.