Lawyer Monthly Magazine - February 2019 Edition
can quickly be undermined if it is connected to a third party with weaker security.

The holy grail for cybercriminals would be to obtain access to a valuable client’s financial information, or other confidential information that can be sold on to other criminals or used to conduct other attacks such as social engineering or blackmail. As demonstrated by the infamous Panama Papers incident in 2015, firms may also be targeted as part of “hacktivism” campaigns to expose believed wrongdoing among their clients.

M&A activity is another area of business that is both attractive to cybercriminals and highly vulnerable to interference. Any level of data breach can easily scupper a deal, and I’m aware of one instance where a major M&A agreement collapsed because a third party connected to one of the two companies was breached.

While serious breaches are always costly, law firms have more to lose than most because they trade on their ability to protect their clients’ confidentiality. Mossack Fonseca, the firm at the heart of the Panama Papers scandal, closed its operations earlier in 2018, citing the reputational damage as the main reason.

What should a firm’s cyber priorities be?

We often find firms have attempted to address security issues at an individual level, buying in individual tools and widgets such as VPNs and password managers. Investing in separate solutions will only provide a false sense of security if the firm has not taken a much broader, root and branch, approach to security. In the digital age, firms must evolve to put cyber security at the heart of their operations.

The first step to better cyber security is to conduct a thorough risk assessment of the entire firm, the data it holds, and the third parties it connects with. Firms need to develop a strong understanding of what their risk profile looks like, starting with what assets pose the biggest risk and what the impact would be if they were breached.
The assessment should also look at how attractive they are as a target to cybercriminals; a small family practice would have a significantly lower risk profile than a multi-national firm that routinely deals with powerful and influential people. Finally, the firm should assess what its potential security weaknesses are. It’s important that this assessment includes the firm’s people, processes and technology, and also that of any third-party connections.

Once the risk level has been determined, the firm will need to decide if it can live with the risk or will take action to manage it. The outcomes will depend on the specific firm and its risk profile, but may include budgeting for additional staff awareness and training, implementing new controls and processes or taking on a CISO or other security head to build a more comprehensive strategy.

Firms should aim to develop ‘strength-in-depth’ with a multi-layered approach to security. It should be accepted that defences are very likely to be penetrated at some point, and there must be controls and processes in place to mitigate the damage of a breach. Relying on a hardened perimeter based around a firewall will leave the firm extremely vulnerable if an attacker gets into the network.

With the volume and sophistication of cyber threats increasing and the legal sector sitting exposed as one of the prime targets, law firms must act swiftly to improve their security. Those firms that can evolve their approach to technology and security will continue to thrive, while those that lag behind risk going the way of Mossack Fonseca and many others.

ABOUT MALCOLM TAYLOR

Malcolm is Director of Cyber Advisory at ITC Secure. He provides strategic cyber security and communications security advice to senior corporate and private clients. Prior to joining ITC, Malcolm had a distinguished career with the UK intelligence services, including tours in Iraq, Pakistan and more recently in Afghanistan leading counter terrorism cyber security teams. Malcolm is a recognised expert in cyber security, communications security and intelligence. He leads ITC’s Cyber Thought Leadership and is a regular commentator on the BBC and in the mainstream and specialist media.

MALCOLM TAYLOR, Director, Cyber Advisory, ITC Secure
www.itcsecure.com