Breaking the Law – 80% of biggest 100 Law firms Hacked

Posted on April 5, 2016


It was only a matter of time before legal practices followed hospitals and public sector organisations into the headlines and joined the ranks of the great humbled. The frightening thing is that this is not the end of the journey but just a taste of what is still to come across many other professions and businesses that are built on trust and confidence. The ‘Panama Papers’, as the affair has now become known, is the largest ‘known’ breach of legal confidence on record: over 11.5 million documents and emails, numbering in excess of 2,600,000 pages if all 2.6TB of stolen data were printed out.

For Trust and Confidence are the ultimate gambling chips in ALL of the hacks we have seen to date. Yes, the data is the objective, that unvalued asset and life blood of businesses propping up every balance sheet, but only as currency. It is the Trust and Confidence bargaining chips that the stolen data, or rather what that data reveals and can compromise, buys the hacker. So when the hacker leaves the gambling table they can be sure to have cashed in. The stakes could not be greater: data can be recovered, restored or re-created, but Trust and Confidence?

Trust – You will not find this on the balance sheet, in the asset register or sitting proudly in a display case for all to see. It is not bought but won; it can only be gifted, not demanded. Trust is the most fragile of the intangible assets that organisations possess. Trust puts magnetism in a brand, greases the wheels of relationships, makes customers proud to be associated, drives down valued employee churn, and underpins top line potential and the loyalty that motivates a maximum bottom line margin. Fundamentally, trust imbues an organisation and/or brand with a sense of capability, reliability, truth and competence.

Like a mirror that, once cracked, will never reflect the same again, a breach of Trust will forever be blighted by doubt and a loss of Confidence. Anyone who has been through, or orchestrated, even the most cordial merger or acquisition will have seen how fickle trust can be when it is neglected.

Confidence – Is something that most of us don’t realise we have until we lose it. That is the frightening thing. It is a human condition that supports us in everything from getting up in the morning, through skydiving, rock climbing or standing up in front of an audience to speak, to the more mundane daily norms. When it goes it can be inconsequential or life debilitating. When we lose confidence in others it is a natural instinct to look at alternatives and to feel disappointed or let down. When Talk Talk was hacked their net loss of customers topped 150,000. In a high-volume, low-margin commodity service business like Talk Talk the impact may not be quite so disastrous, but in the high-margin, discreet, personal environment of a Law firm, with a far smaller client volume and where Trust goes to the heart of the relationship, the impact risks disaster.

In the past Law firms have chosen to hide breaches and any incompetence. With the recent revelations from the ‘Panama Papers’, Law Practices the world over are coming under the microscope, and it appears that a number of prestigious firms have experienced breaches of varying degrees and NOT publicly disclosed them. At least 80% of the biggest 100 law firms have had some sort of breach, according to Peter Tyrrell, chief operating officer of the data security software company Digital Guardian. Stewart Baker, a partner at Steptoe & Johnson LLP, said the number may be even higher. In an interview he recounted what an agent from the Federal Bureau of Investigation told him: virtually all of the biggest firms have faced some sort of data breach, including:

Hiding the crime will no longer be an option. For many organisations, transparency about digital compromise will no longer be optional but compulsory. Regulation will dictate that organisations have to disclose data breaches or face fines of up to 5% of global turnover. At last the Trust that customers place in organisations to preserve and protect their confidence is being put to the test, and organisations can no longer play fast and loose without risking their own credibility. I cannot think of a single Law firm, Chartered Accountants or Chartered Surveyors practice that would wish to find its name on a public register of the named and shamed for not taking every reasonable step to protect the client’s confidence.

Truth be told, whilst most of the partners in the Law firms that have been hacked will believe they have taken all reasonable steps, they simply have not. They will have drawn their line of risk mitigation in the wrong place, financially influenced and often based on a poor understanding of the true threat landscape they are operating in. The truth is that even the best and most diligent IT teams are subjected to prioritisation that will never allow them to provide the same level of focus and insight as external specialists in the field of Cyber Security. Internal IT teams are like Swiss army knives: highly competent, versatile and adaptive within their tool set, but you would not take one to a sword fight.

Most law firms are using communication tools and document management systems that, if invented today, would NOT be deployed or adopted in the way they currently are; they would be deployed in a more operationally cyber-resilient way. Firms have sleepwalked into practices that are themselves the enemy. Email is perhaps the biggest felon of them all. But what would we do without email? Well, in fact you can do everything you do with email in more efficient, effective, resilient and secure ways. The problem is that users and the industry are stuck in a rut with certain practices. See a separate missive on what Law Firms could be using to reduce their exposure and that of their clients.

Anyone using a Law Firm on a regular basis should be asking the following questions, which point to the measures firms should have in place:

  1. Is my data encrypted at all times, at rest and in transit, and only accessible by authorised personnel?
  2. Do you enforce strict two-factor authentication for user access to systems that hold, or could provide access to, my data?
  3. Do you classify client data for minimum retention periods in conjunction with clients, and do you have an accountable process for data destruction?
  4. Do you provide a secure client workspace or document collaboration portal through which documents and information can be exchanged?
  5. Is my data held within the European Union? (Replace with your region of choice.) If it is not, then you would be wise to drill into the whys, and into the wider protections you need to ensure are in place to preserve your data to the same standards as your home region’s data laws.
  6. How does your firm handle eDiscovery? The process, technology, costs etc.?

If a Law Firm, or any professional service engagement for that matter, such as a financial advisor, accountant or bank, uses email for sensitive information, attachment of documents or exchange of advice, then customers should think twice about using their services. Email IS NOT SECURE, and its use as a proxy form of collaboration is irresponsible in today’s Cyber Threat Environment unless the emails and their content are encrypted (not just during the transmission phase). Read ‘eMail and browsers, the Blind side of Security’ for more detail.

Reflect on this: eMail servers are software, and the industry average for software errors is about 15 – 50 errors per 1,000 lines of delivered code. It is these errors that hackers leverage to hack systems. eMail servers by default have to be connected to a public network with ‘ports’ open to receive both trusted and unknown external data. They are therefore visible and accessible to hackers. Once hacked, email servers expose almost everything, by the very nature of the rich variety of data transacted over email. After all, companies, and law firms especially, have a bad habit of retaining years of communication records. So it does not matter how secure their internal Document Management system is if all or most of the documents and associated data also reside as attachments and body text in email servers for years.

If the current spate of hacks does not energise Law Firms to dust off their traditional approaches, then it falls to the clients to motivate an attitude shift. In a more IT-savvy world, growing ever more sensitive to data abuse and ever more inclined to prioritise privacy concerns, firms can try to run, but they will find they cannot hide anymore.