When it comes to cyber security, in general, organizations across all sectors still tend to emphasize protection over response and recovery. Whilst in the last few years cyber insurance has become more commonplace, many organizations have still not considered how they would respond to a major attack at all. A true cyber resilience approach blends protection, detection, response and recovery to form an organization-wide, collaborative strategy. In order to protect from cyber threats, a business must first be able to recognize its risks (combining threats and vulnerabilities) and go on to define solutions to help manage those risks. Response and recovery plans may then take many differing forms but should always have the aim of enabling the organization to rally with minimal financial or reputational damage.
There is still much work to be done in order to bring many businesses to a point where they can feel confident in their cyber resilience policies. However, it is worth observing that there have been some recent notable entries to the market, with professional services firms marketing their ability to identify and anticipate specific cyber threats in order to contain the associated reputational damage before the incident even occurs. That these services are now able to find a foothold in the UK market demonstrates that awareness is growing and change is afoot.
Within the UK legal vertical, however, the issues are more pronounced:
- The risks are acute and escalating
- The appetite for change is low
- There is little or no governance that requires significant or immediate change. Certain sectors of the market are under extreme financial strain and the notion of increased security spending, despite the recognition of an increased risk, is sometimes rejected before the process has even begun.
Simply put, many UK law firms (particularly those outside the top 100) and barristers’ chambers trail significantly behind other sectors, such as finance and healthcare, when it comes to cyber anything.
2 Why is cyber resilience essential?
To many observers this may seem a silly question but it’s one that surfaces regularly. The following brief list should not require a long-winded explanation but, all too often, the industry enters a mode of objection that hinders an understanding of the problem and the adoption of a best-practice approach to it:
- The risks are acute and escalating
- The appetite for change is low
- There is little or no governance that requires significant or immediate change. Certain sectors of the market are under extreme financial strain and the notion of increased security spending, despite the recognition of an increased risk, is sometimes rejected before the process has even begun.
Cybercrime is the ‘new normal’ and now the most common offence in the UK. Its inclusion in the calculation of the national crime rate would see the overall rate soar by 40%.[1] The Internet has evolved since the 1990s into a truly worldwide resource but, regrettably, cyber awareness, mitigation, threat protection and responsive measures have not evolved at the same pace within the legal landscape. That disparity creates a very clear and present threat: bluntly, the legal world must stop downplaying security concerns or pretending that they somehow do not apply to it.
The critically sensitive nature of much data held and processed by law firms steeply increases the interest in that data from others. Often, there may be significant financial or reputational gains for the recipient of that data. Conversely, those gains are likely to manifest as major losses for the organization that suffers the breach.
Historically, the legal industry has been slow to adopt new technology and is still relatively reliant on paper material. There is, however, a big drive towards the delivery of online legal services. Naturally, this brings huge opportunities but also considerable challenges coupled with multiple new threats, and those threats are constantly evolving. New malware is released as often as every four seconds, according to the G DATA Security Labs Malware Report.[2] To contextualize that, 4.1 million new malware strains were discovered in the second half of 2014 alone. Any firm that believes it can safely survive on an old-fashioned basis of cyclical IT investment, without consistently focusing on ongoing improvements, expert assistance and a robust cyber resilience strategy, should be urged to think again.
In recent years there has been an explosion in bring your own device (BYOD) and choose your own device (CYOD) practices, not only in legal but across all sectors. This drive and desire to work from anywhere has led to a complete de-perimeterization of the network so that the corporate firewall, in one sense, now has less relevance. Put simply, data and an employee’s access to it, is now rarely contained entirely behind the corporate firewall, as it once was. Instead, it is everywhere: the train, plane, home, beach, ski slope or coffee shop. This clamour for improved connectivity and mobile working technology has played a significant role in the increase of cyber threats. However, one thing remains constant across the potentially limitless locations and devices: the user. The human factor is both your greatest vulnerability and your most effective first line of defence.
2.1 THE VULNERABILITIES AND THE SKILLS GAP
The UK legal sector is built on tradition, reputation, ethics and hard work. Its example is envied and emulated around the globe and it has played an integral role in the development of UK society. However, it is also a market that can be seen as technophobic, resistant to change and, with regard to technology, difficult to govern.
Low buy-in and slow take-up levels are compounded when you consider the relatively small size of many law firms. Small firms simply cannot afford to employ their own suitably skilled staff in order to approach any reasonable level of cyber resilience. Nowhere is this lack of expertise more apparent than in barristers’ chambers. Many such organizations manage their IT ‘in-house’ using clerical rather than technical staff and, because of the structure of these organizations, there is often no control over the endpoints (desktop computers, smartphones and tablets) that access their network and data.
There’s a notable irony in the fact that barristers adopted BYOD long before the term existed. Despite having access to a conventional, shared and centralized computer network, many barristers will still provide and use their own computers and mobile devices and act as local administrators of those machines. This is, at least partly, explained by the self-employed status of most barristers, but irony quickly turns to alarm when one considers the Avecto Microsoft Vulnerabilities Report 2014, which supports the following points:[3]
Control the critical: 97% of all critical vulnerabilities documented in the report can be mitigated by removing admin rights vs 92% in 2013.
Power of admin rights: 80% of all Microsoft Vulnerabilities reported in 2014 could be mitigated by removing admin rights vs 60% in 2013.
Closing the door to IE threats: 99.5% of vulnerabilities affecting Internet Explorer could be mitigated by removing admin rights.
When you stop to consider the simplicity of this mitigation, it makes it all the more concerning that many organizations storing and processing critically sensitive data still insist on maintaining local administrator rights.
In a jaw-dropping section of the Verizon Data Breach Report 2015,[4] their team notes that 99.9% of exploited vulnerabilities in 2014 were disclosed and given a CVE number (unique, common identifiers for publicly known information security vulnerabilities in publicly released software packages) more than a year prior. Simple application and operating system patch management controls would go a long way to eradicating these older risks.
Despite law firms’ awareness that they are the custodians of highly sensitive data, it is less usual (especially with smaller firms) for them to admit they may be the least defended path to that data. Highly sensitive government, medical, personal or financial data that is zealously guarded by the original owner is often also stored on the networks and endpoints of law firms and, perhaps more significantly, that same data may be managed by under-skilled IT teams and cyber-unaware end users.
‘They’ll never find me’ is not an uncommon claim from under-skilled IT administrators when asked to explain why it is fine to open firewall ports directly to the Internet. Wrong. With a single machine, a modicum of knowledge and some easily accessible software, your open port is quickly discoverable amongst all the machines on the Internet. And not just by highly skilled hackers determined to steal valuable data, but sometimes simply a group of youngsters, mischievously motivated to see how much disruption they can cause.
2.2 LACK OF STRICTLY ENFORCED RULES FROM GOVERNING BODIES
The UK, when compared with our European neighbours, appears to perform favourably in some data security matters. We have the highest percentage of encrypted company laptops (62% compared with 36% in France and 56% in Germany) and also report the highest percentage of encrypted company mobiles (41% compared with 21% in France and 32% in Germany) according to a Computer Weekly study.[5] But are those statistics reflected in the legal sector?
Our solicitors and barristers answer to a number of organizations when it comes to, amongst other things, data security. The Information Commissioner’s Office (ICO), Solicitors Regulation Authority (SRA), Bar Council and Law Society act as regulators, advisers and promoters of professional excellence. However, the Law Society’s published guide for Information Security was last updated in 2011 and the Bar Council’s review in 2014 notably favours the term ‘should’ over ‘must’ and thereby leaves much wriggle room for non-compliance. By contrast, the Financial Conduct Authority (FCA) adopts ‘enforce’ rather than ‘guide’ and ‘makes it clear that there are real and meaningful consequences for firms or individuals that don’t play by the rules’.
Back in legal, the IT element of the resurgent Bar Standards Board Audit process is clearly well intentioned and the ICO, set up to uphold information rights, is on record as signalling its intent to crack down on data security breaches in the legal sector. Following 17 reported data breaches during only three months in 2014, Information Commissioner Christopher Graham warned legal professionals about the potential consequences of lost data: “It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach,”[6] Graham said. This statement is to be welcomed when one considers the ICO’s published monetary penalties, decision notices and undertakings, in which the legal marketplace is still virtually absent, despite a plethora of reported breaches in the SRA Risk Outlook 2015/16 Report, which states:[7]
According to the most recent published ICO figures, reported data breaches increased by nine percent between the third and fourth quarters of 2014. Solicitors and barristers were the fourth most frequent subjects, ahead of charities and the housing sector and behind only local government, healthcare and education.
The Information Commissioner’s comments are hopefully indicative of a turning tide and, in addition, the incoming EU General Data Protection Regulation, once adopted, will add significant force to the weight of regulatory compliance and enforcement that can be brought to bear.
2.3 THE HUMAN CHALLENGE
Security professionals, in fact anyone who works at any level of IT, know that there is no single product, or even suite of products, that will provide complete cyber security. Furthermore, they know that the weakest link in their armour is frequently their own colleagues. People click links in emails, they are intrigued by ‘click-bait’ and many will pop a USB stick they found in the car park into their PC just to see if there is anything interesting on it. Human error is involved in more than 95% of security incidents, according to IBM’s ‘2014 Cyber Security Intelligence Index’ report.[8]
Even those lawyers and clerical staff who have followed the often dull and repetitive security awareness training that year still pose a significant risk. As well as keeping the technology up to date and performing all manner of network, application and operating system hardening, more time and investment must be spent on hardening our own behaviours. Just imagine every person in your organization acting sensibly with routine caution and best practice, with even the briefest pause before clicking that link or talking to that ‘representative from the bank’. These behavioural changes, encouraged through innovative, bite-sized and regular cyber security awareness training programmes, will form the new backbone of organizational cyber awareness. Cyber resilience is not just the responsibility of the IT department. It must be embedded in, and run throughout, an organization’s entire structure including, of course, its most valuable resource: its people.
Naturally, it is the responsibility of the IT department to develop easy-to-use topologies which serve to protect the business as well as to enhance productivity and capabilities. However, other departments and the users within them must shoulder an equal level of responsibility in order to guard against Shadow IT (information technology systems and solutions built and used inside organizations without explicit approval) and Stealth IT (solutions specified and deployed by departments other than the IT department). Both these phenomena can quickly lead to inconsistent approaches within the same business, higher risks of data loss/leaks and breaches of governance, often relating to data storage jurisdiction. The IT department must quickly identify the weaknesses within its own ambit that caused the need for Shadow/Stealth IT in the first instance. However, all areas of the business must also take responsibility to re-establish their relationships with IT and cement the IT department as the guardian of technology within the business.
A squeeze on budgets in the industry and a general reluctance to modernize mean that cyber security awareness training is simply not present in many organizational budgets. Where training is delivered it is not always mandatory and is often treated as a tick box exercise in order to gain a few precious continuing professional development points. For these reasons the training’s overall impact on behavioural change may be negligible.
As Bruce Schneier has noted, ‘Only amateurs attack machines; professionals target people’.[9] Quite simply, the notion of ‘the human firewall’ should be at the forefront of any cyber resilience strategy.
2.4 MAIN ATTACK VECTORS
Email and web-based infections remain the most prevalent and successful forms of attack. Whilst distributed denial of service (DDoS) attacks, which can be simply and cheaply purchased online, regularly make the headlines, it is the human nature of email and web infection tactics that makes them so successful.
77.3% of malware attack vectors are by email, either by attachment or URL, and targeted phishing campaigns have unbelievable click-rate success: 23% of recipients open phishing messages and 11% open attachments, according to the Verizon Data Breach Report 2015.[10] A campaign of just ten emails yields a greater than 90% chance that at least one person will become the criminal’s prey, according to the same report. The use of malicious links in email is on the rise, whereas malicious attachments are a falling trend. As the world has got better at scanning documents, the URL that delivers the malicious payload is better able to persuade the untrained user to click.
Importantly, any form or type of attack requires the defending organization to be able to effectively respond and recover in the event that the attack is successful. Consider, for a moment, how your organization would respond to a successful DDoS attack that took your corporate website and document sharing portal offline for an extended period. Are you aware of your organizational response to a data breach incident where sensitive client data has been leaked?
3 How do we build cyber resilience?
3.1 PROTECT AND DETECT – DESIGN AND MANAGE A CYBER RESILIENCE STRATEGY
A cyber resilience strategy that is suitable for one organization may not fit another. Cyber resilience should be a target for all organizations, irrespective of type and size, and any such strategy should cover at least the following areas:
1. Assess and identify
In order to properly protect against a cyber incident, it is first necessary to identify your most valuable and sensitive assets, assess your existing capabilities, strengths and weaknesses and then identify the potential threats and vulnerabilities in order to ascertain what the risks are.
2. Risk management
Determine your organization’s attitude to risk and its tolerance to a cyber incident. Design your technical and process strategies from a documented risk management register.
3. Third parties
Include third parties in your assessments and training. Often, they are granted rights to your network, data or processes and so must not be left out of a comprehensive cyber resilience strategy.
4. Make everyone accountable
All departments and staff hold a level of accountability that, at the point of the human firewall, is shared equally. Implement processes that promote habitual security through good practice, sensible behaviours and centralized controls.
5. Test and audit
There are many areas that will require testing, such as perimeter defences and staff awareness. Test all defences, including your human firewall, regularly. It is cheap, easy and effective to use a social engineer toolkit to create test phishing emails. Quite simply, those that click or provide the requested information fail the test. Those actions represent a failure of the human firewall and retraining should be undertaken immediately.
6. Incident response escalations and priorities
Your organization must understand who needs to know about a stolen (even if encrypted) USB drive and, conversely, who should be involved when you suffer a major data leak. Those who need to know may include external parties such as the ICO or law enforcement agencies, for example.
7. Incident response teams
Create incident response teams that are responsible for technical, internal, client and public relations communications and control.
Understand what liabilities you may incur as a result of a cyber incident. You may consider insuring the risk.
A cyber resilience strategy should be under constant review at a micro level, as new threats evolve constantly. From a macro point of view: test, review and update regularly.
3.2 RESPOND AND RECOVER
A critical element of a successful cyber resilience strategy is to predetermine how a business will respond in the face of an attack and/or a breach. Of equal importance is to plan how the organization will recover from the incident. The specifics will vary from business to business, but remember, the ultimate objective is to respond and recover with minimal financial or reputational loss. From a UK legal perspective, organizations should be closely considering the impact an incident may have on their clients, whose data they hold. The following critical elements should always form part of that plan:
1. Mobilize incident response teams
Early and accurate communication, both internal and external, is critical during the earliest stages of a breach or attack.
2. Where possible contain and isolate the threat and/or engage business continuity systems.
3. Ensure that log files (e.g. system, application and firewall) remain intact/stored for later forensic use. Where possible safeguard all affected assets and establish a chain of custody.
4. Identify the threat source and remove the weakness or vulnerability, permanently if possible.
5. Return your systems back to normal service, as soon as is practicable.
6. Carefully review the threat vector and test new systems, processes or technology as required, to ensure mitigation.
7. Take care to review your cyber resilience strategy in its totality.
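The log-preservation and chain-of-custody step in the response plan above, worked through as an added example (this is not code from the paper, SproutIT or AXELOS). It assumes a constructed set of three small log files written to a temporary directory; every name, path and log line below is made up for the demonstration. Evidence copies are made read-only, hashed, and each handover is recorded in a hash-chained custody manifest so that later edits to either the files or the manifest are detectable.

```python
"""Evidence preservation helper (added example, not from the paper)."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
import time


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_handover(manifest, person, action):
    """Append a custody entry whose hash covers the previous entry's hash, so
    editing or deleting any earlier entry breaks the chain on verification."""
    prev = manifest["custody"][-1]["entry_hash"] if manifest["custody"] else "0" * 64
    entry = {"time": time.time(), "person": person, "action": action, "prev": prev}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    manifest["custody"].append(entry)
    return entry


def write_manifest(manifest, evidence_dir):
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)


def preserve_logs(log_paths, evidence_dir, handler):
    """Copy each log into evidence_dir, make the copy read-only, record its hash
    and open the custody chain with a 'collection' entry. Returns the manifest."""
    os.makedirs(evidence_dir, exist_ok=True)
    items = []
    for src in log_paths:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)            # copy2 keeps mtime for timeline work
        os.chmod(dst, stat.S_IRUSR)       # owner read-only: no accidental edits
        items.append({"name": os.path.basename(src), "sha256": sha256_file(dst),
                      "size": os.path.getsize(dst), "source": src})
    manifest = {"collected_by": handler, "items": items, "custody": []}
    record_handover(manifest, handler, "collection")
    write_manifest(manifest, evidence_dir)
    return manifest


def verify_bundle(evidence_dir):
    """Re-hash every evidence file and re-walk the custody chain.
    Returns a list of problems; an empty list means the bundle is intact."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    problems = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["name"])
        if not os.path.exists(path):
            problems.append("missing: " + item["name"])
        elif sha256_file(path) != item["sha256"]:
            problems.append("modified: " + item["name"])
    prev = "0" * 64
    for e in manifest["custody"]:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or e["entry_hash"] != expected:
            problems.append("custody chain broken at %s by %s" % (e["action"], e["person"]))
        prev = e["entry_hash"]
    return problems


def demo():
    """Constructed sample: write three logs, preserve them, hand over to an
    external forensics team, then 'tidy' one evidence file and re-verify."""
    work = tempfile.mkdtemp()
    logs = []
    for name, line in [("syslog", "Mar 03 09:12:01 fw sshd: Accepted password for admin"),
                       ("app.log", "2016-03-03 09:13:44 WARN export of client matter 1234"),
                       ("firewall.log", "2016-03-03 09:14:02 ALLOW tcp 10.0.0.5 -> 203.0.113.9:443")]:
        p = os.path.join(work, name)
        with open(p, "w") as f:
            f.write(line + "\n")
        logs.append(p)
    evidence = os.path.join(work, "evidence")
    manifest = preserve_logs(logs, evidence, "it-admin")
    record_handover(manifest, "external-forensics", "handover")
    write_manifest(manifest, evidence)
    before = verify_bundle(evidence)
    edited = os.path.join(evidence, "app.log")
    os.chmod(edited, stat.S_IRUSR | stat.S_IWUSR)
    with open(edited, "a") as f:
        f.write("tidied up\n")
    return before, verify_bundle(evidence)
```

Running `demo()` returns an empty problem list for the freshly preserved bundle and `['modified: app.log']` after the edit, which is exactly the kind of post-collection tampering a chain of custody is meant to surface.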
Throughout the response and recovery stages, communication is vital. We have seen many high profile incidents where poor communication from the breached company has led to confusion amongst both clients and staff. Ultimately, the most significant cost of a poor communication strategy is likely to be borne by the business itself. Poor communication throughout the incident teams, both internally and externally, can easily lead to additional and unnecessary technical work, data loss, loss of productivity and client goodwill and, ultimately, a public relations disaster.
4 The next steps
For any reader who is considering cyber resilience implementation, act now. The mind-set of the country is changing and the legal industry must surely follow. Investment in Virtual-CISO services can help smaller organizations to buy in the required skill-sets in order to define and implement a suitable cyber resilience strategy. The adoption of best practice in cyber resilience can be leveraged as a marketing tool, in order to attract the best business and to reassure your clients, both current and potential.
Those firms that actively engage in cyber awareness should lobby governing bodies to adopt best practice, to reward those that comply and to throw down significant financial penalties to those that choose to remain part of the problem, rather than become part of the solution.
Back in 2013, McAfee reported 200 new cyber threats per minute,[11] and IT security breaches are now at their highest ever rate in the UK. With such a rapidly changing landscape, a sensible multi-layered approach must be employed. The UK legal sector must take its head out of the sand now.
Network-hardening layers will include firewalls, anti-virus, patching, application control and privilege management. But, whilst a network can be hardened, it is likely that the human within will always remain ‘soft’. Cyber security awareness training and the invocation of the human firewall, combined with a hardened network, will vastly improve defences. The knowledge and ability to effectively respond to and recover from an attack or a breach forms a crucial final layer.
The appetite for this type of change is beginning to rise but the current take-up rates are extremely low. Those organizations responsible for governing and regulating the legal sector must accept their top-down responsibility and use it to mandate sensible, proactive and best-practice controls. For those that do not comply, the fines should be steep and consistent.
Regulatory bodies must evolve to enforce best practice and punish those that wilfully ignore their governance requirements and, ultimately, the law. Continuing on the current path of ‘soft touch’, incomplete and conflicting advice, coupled with an apparent laissez-faire attitude towards data security governance, is a worrying but very real possibility.
Will best-practice and a change in attitude completely prevent all future data breaches? Of course not. No organization is completely cyber proof and the people within them will always make mistakes. But we all have a duty, surely, to make the very best attempts to safeguard our data for the good of our clients, our businesses and our reputations.
‘We are what we repeatedly do. Excellence, then, is not an act but a habit.’
So let’s make good cyber resilience in the legal world a habit; adopting global best-practice that is normal, practicable and which demonstrates a market-wide drive towards excellence.
1. http://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingseptember2015 [accessed 03 March 2016]. See also: http://www.cityam.com/227419/talktalk-cyber-attack-cybercrime-uks-single-most-common-offence [accessed 21 March 2016]
2. https://public.gdatasofcom/Presse/Publikationen/Malware_Reports/GData_PCMWR_H2_2014_EN_v1.pdf [accessed 03 March 2016]
3. https://www.avecto.com/resources/reports/2014-microsoft-vulnerabilities-report [accessed 03 March 2016]
4. http://www.verizonenterprise.com/uk/DBIR/2015/ [accessed 03 March 2016]
5. http://www.computerweekly.com/news/2240231892/European-firms-far-from-ready-for-new-data-protection-rules-study-shows [accessed 03 March 2016]
6. breaches-within-the-legal-profession/ [accessed 03 March 2016]
7. https://www.sra.org.uk/risk/outlook/risk-outlook-2015-2016.page [accessed 03 March 2016]
8. http://www-03.ibm.com/security/services/2014-cyber-security-intelligence-index-infographic/index.html [accessed 03 March 2016]
9. https://www.schneier.com/blog/archives/2013/03/phishing_has_go.html [accessed 03 March 2016]
10. http://www.verizonenterprise.com/uk/DBIR/2015/ [accessed 03 March 2016]
11. http://www.securitymagazine.com/articles/85324-mcafee-reports-200-new-computer-attacks-per-minute-in-2013 [accessed 03 March 2016]
About the author
Matt Torrens is a legal IT veteran and entrepreneur, providing secure, innovative, outsourced IT services to professional service firms. He is a Managing Director and co-owner of SproutIT, specialists in the legal industry and now the leading supplier of IT strategy and service to barristers’ chambers.
Reviewer: Frank White, former Global IT Director, Ince & Co, currently Subject Matter Expert, iManage EMEA.
AXELOS is a joint venture company, created by the Cabinet Office on behalf of Her Majesty’s Government (HMG) in the United Kingdom and Capita plc to run the Global Best Practice portfolio. It boasts an already enviable track record and an unmatched portfolio of products, including ITIL®, PRINCE2® and RESILIA™. RESILIA is the new Cyber Resilience Best Practice portfolio.