Leading on from my last post, what should Law Firms, or for that matter any professional service organisation such as a financial advisor, accountant or bank, be doing now that they find themselves under the Cyber Security microscope following the ‘Panama Papers’ exposé?
With no exceptions, senior partners and key stakeholders should be demanding clear visibility of their Firm's current baseline Cyber Security posture. This should come from an external source, and one that can span the dynamics of technical, operational and strategic inter-dependencies in an organisation. The output should be an organisational baseline assessment of operational resilience to Cyber threats.
Common areas that Law firms should be considering include the following:
- Encrypting EVERYTHING – If there was one single measure that all these practices should embody, that most do not, and that would mitigate the risk, it is ENCRYPTION. It is not a silver bullet but it demonstrates true intent and best practice. Why? In simple terms, if data is encrypted, the common hacker's infiltration technique of escalating privileges to Administrator would be limited in its fallout potential. Whilst an Administrator account may be all powerful across IT systems, its purpose is to administer the systems. This does not require access to data, and in fact should not. In such a scenario a hacker could make life very unpleasant and degrade services, or even hold systems to Ransom by applying their own encryption. The fact is the currency they seek – the Data – is protected. Assuming the organisation is practicing the basics of any business continuity and disaster recovery plan, it will have backups that allow the business to recover its systems and get up and running without succumbing to Ransoms. A secondary key benefit of encryption is that the Hacker does not have access to the data, so in a Ransomware scenario they cannot escalate their threats and demands with blackmail. It is common in Ransomware cases, where a business has its data backed up and can recover systems without paying the Ransom, for the hackers to threaten to release the data to the media or publish it themselves. However, if the organisation exercises its own data encryption then the Hacker's escalation threat is thwarted. The process is well tried and tested, and works. It's called Information Rights Management. Just about everyone who is online today will have experienced this in some shape or form, as a class of this practice is the backbone of the digital media protection used by the music and film industry. It is what forces you to use iTunes to play music bought from the Apple store, BBC iPlayer to watch BBC programmes, and many others.
  The digital media, be it a film, audiobook, book or music, is encrypted and signed with a Certificate that says only the buyer can consume the media. This means you have to authenticate with the relevant software to consume your digital media. ‘Digital Rights Management’ it's called, and most of us don't even know we are using it because it is that seamless. So WHY have companies failed to adopt the same practice to protect their customers?
- Two (2) Factor Authentication – User accounts should be subject to two-factor authentication EVERYWHERE. This is so simple to implement today that there should be no excuse. This should go for client access to shared systems or client portals as well. If the system does not support it then get a new system; the risk simply is not worth it. A single downgraded system without two-factor authentication can be the open door for hackers to breach environments.
- Constrain eMail – Data transacted through email is retained in email servers, which by their very nature have to be exposed to a public network. Email servers are software, and the industry average for software errors is about 15 – 50 errors per 1,000 lines of delivered code. It is these errors that hackers leverage to hack email servers. Once hacked, email exposes everything; after all, companies, and especially law firms, have a bad habit of retaining years of communication records. So it does not matter how secure their internal Document Management system is if most of the documents will also reside as attachments in email servers for years. eMail is the attack vector of choice and THE principal way that hackers execute social engineering and get malware into organisations, followed closely by Web browsers. The only reason for email to persist is legacy support while organisations wean themselves off this archaic toolset. eMail systems should:
  - Disable ALL email attachment capabilities.
  - Disable ALL embedded hyperlink capabilities.
  - Lock eMail down to Plain Text format only.
  - Harden the Mail server. If your eMail server team are not doing this already, sack them and skip straight to the outsourcing point below. The following is by no means exhaustive but a minimum:
    - Configure mail relay options carefully to avoid being an Open Relay.
    - Activate Reverse DNS checks to block bogus senders.
    - Activate SPF to prevent spoofed sources. Sender Policy Framework (SPF) is a method used to prevent spoofed sender addresses.
    - Set up SMTP authentication to control user access.
    - Enable SURBL to verify message content. SURBL (Spam URI Real-time Block Lists) detects unwanted email based on invalid or malicious links within a message.
  - Seriously consider Outsourcing the management of your email server. Microsoft Exchange is the most popular Enterprise mail server, and Microsoft provide their own hosted service (Microsoft Office 365) which offers complete parity of functionality and levels of availability, reliability, scalability and security (including rich audit and legal hold functionality) that few organisations can afford to provide themselves. It is bizarre that organisations continue to host their own Microsoft Exchange mail servers thinking they can do a better job than the specialists themselves.
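The SPF item in the list above says what SPF prevents but not how a receiving server decides. The following is an added example, not from the original post or any mail vendor, of the decision a mail server makes on receipt: a cut-down RFC 7208 evaluator that looks up the claimed sender domain's SPF record and classifies the connecting IP as pass, fail, softfail, neutral or none. The domain names and TXT records in `DNS_TXT` are constructed for illustration and stand in for real DNS lookups; the `a`, `mx`, `exists` and `redirect=` mechanisms and macros are deliberately out of scope.

```python
"""Cut-down SPF (RFC 7208) check: is this IP allowed to send mail for this domain?

Added example, not code from the original post or any vendor. Supports the
ip4:, ip6:, include: and all mechanisms with the +, -, ~ and ? qualifiers;
a, mx, exists, redirect= and macros are out of scope. DNS_TXT stands in for
real DNS lookups and holds constructed records for hypothetical domains.
"""
import ipaddress

# Constructed TXT records for hypothetical domains (not real DNS data).
DNS_TXT = {
    "example-law.test": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.test -all",
    "_spf.mailhost.test": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
    "no-spf.test": "some unrelated txt record",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 limits DNS-querying mechanisms per check


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    record = DNS_TXT.get(domain, "")
    return record if record.startswith("v=spf1") else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against the SPF record of the claimed MAIL FROM domain.

    Returns one of pass, fail, softfail, neutral, none or permerror, the same
    result names a receiving mail server logs and acts on.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                       # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == network.version and ip in network
        elif mechanism == "include":
            # include: matches only when the referenced record yields "pass"
            matched = check_spf(argument, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"                # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("198.51.100.77", "203.0.113.10", "2001:db8::1", "192.0.2.5"):
        print(f"{ip:>16} -> {check_spf('example-law.test', ip)}")
```

Note that SPF only vouches for the envelope sender (MAIL FROM), not the From: header the user sees, so a receiving server pairs it with DKIM and a DMARC policy before acting on the result; a `-all` record with an accurate list of sending hosts is what makes the spoofing the post describes fail at the recipient.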
- Use Secure Workspaces – Instead of email, organisations should be using secure workspaces like Yammer and/or collaboration environments such as SharePoint. These Enterprise Workgroup Environments operate in a very similar way to social media, but they are by invitation only and support a much richer set of document sharing and visualisation tools. When you consider that most legitimate email correspondence will be with individuals you have already exchanged details with, then using a secure online Enterprise Workspace and/or Document Collaboration Platform instead is a no-brainer. These secure environments are two-factor-authentication ready and are not exposed to spam or unwanted third party attention.
- Data Retention – Exercise strict discipline and only retain data you have to, destroying in a secure and auditable fashion any that does not need to be retained. The trouble with cheap storage is that everything is getting retained. Organisations are building up their own pressure vessel of problems, as legacy data often falls outside the bounds of new practices and processes. Furthermore, data backups are rarely purged efficiently, providing backdoors into legacy data.
- Identity & Access Controls – Audit these in real time. All authentication tokens should be policed in real time against a set of policies tailored to the organisation. Deviations from the policies should be immediately investigated. Hackers require user accounts to compromise systems, so police them!
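As an added example, not from the original post, of what "police them in real time" means in practice: a small rule engine that runs each authentication event against a hypothetical organisational policy and emits one finding per deviation (missing second factor, out-of-hours access, untrusted network, a burst of failures followed by a success, a service account logging in interactively). The log lines in `EVENTS`, the users and IP addresses, and every threshold in `POLICY` are constructed for illustration; a real deployment would consume identity-provider or SIEM events and tune the rules per firm.

```python
"""Police authentication events against organisation-tailored policies.

Added example, not from the original post. EVENTS and POLICY are
constructed for illustration (hypothetical users, IPs and thresholds).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events in a simple key=value format (not real logs).
EVENTS = [
    "2016-04-12T02:13:05Z user=partner01 result=success ip=203.0.113.9 mfa=false",
    "2016-04-12T08:55:10Z user=jsmith result=success ip=198.51.100.20 mfa=true",
    "2016-04-12T09:01:44Z user=jsmith result=success ip=198.51.100.20 mfa=true",
    "2016-04-12T10:00:01Z user=svc_backup result=failure ip=192.0.2.7 mfa=false",
    "2016-04-12T10:00:03Z user=svc_backup result=failure ip=192.0.2.7 mfa=false",
    "2016-04-12T10:00:05Z user=svc_backup result=failure ip=192.0.2.7 mfa=false",
    "2016-04-12T10:00:09Z user=svc_backup result=success ip=192.0.2.7 mfa=false",
    "2016-04-12T11:20:00Z user=jsmith result=success ip=192.0.2.250 mfa=true",
]

# Hypothetical policy; every threshold here is an assumption to be tuned per firm.
POLICY = {
    "trusted_networks": [ipaddress.ip_network("198.51.100.0/24")],
    "business_hours": (7, 20),                 # successes outside 07:00-20:00 UTC are flagged
    "mfa_required": True,
    "max_failures_before_success": 3,          # N failures then a success inside the window
    "failure_window": timedelta(minutes=5),
    "no_interactive_login": {"svc_backup"},    # service accounts never log in interactively
}


def parse_event(line):
    """'2016-04-12T02:13:05Z user=x result=y ip=z mfa=w' -> dict with a datetime 'ts'."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def audit(events, policy):
    """Return a list of (timestamp, user, rule) findings, one per policy deviation."""
    findings = []
    recent_failures = defaultdict(list)      # user -> timestamps of recent failed logins
    for event in sorted(map(parse_event, events), key=lambda e: e["ts"]):
        user, ts = event["user"], event["ts"]
        if event["result"] == "failure":
            recent_failures[user].append(ts)
            continue
        # From here on the event is a successful authentication.
        violated = []
        if policy["mfa_required"] and event["mfa"] != "true":
            violated.append("mfa_missing")
        start, end = policy["business_hours"]
        if not start <= ts.hour < end:
            violated.append("out_of_hours")
        ip = ipaddress.ip_address(event["ip"])
        if not any(ip in net for net in policy["trusted_networks"]):
            violated.append("untrusted_network")
        if user in policy["no_interactive_login"]:
            violated.append("service_account_interactive")
        in_window = [t for t in recent_failures[user] if ts - t <= policy["failure_window"]]
        if len(in_window) >= policy["max_failures_before_success"]:
            violated.append("brute_force_then_success")
        recent_failures[user].clear()         # a success resets the failure run
        findings.extend((ts.isoformat(), user, rule) for rule in violated)
    return findings


if __name__ == "__main__":
    for timestamp, user, rule in audit(EVENTS, POLICY):
        print(f"{timestamp} {user:<12} {rule}")
```

The point of running this continuously rather than in a quarterly review is the last rule: three failures and a success inside a few seconds on a service account is worth a call within minutes, not a line in next quarter's report.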
- Do the IT Basics – Patch known security holes in systems IMMEDIATELY. Any data loss due to a breach of ANY organisation's IT that is found to be due to an existing known security hole for which a vendor has released a fix should be classed as ‘the failure to exercise that degree of care that, in the circumstances, is required for the protection of other persons or those interests of other persons that may be injuriously affected by the want of such care’ – NEGLIGENCE.
- eDiscovery & Legal Hold – Make sure you have a proper eDiscovery and Legal Hold process in place, and that it's not just a bolt-on to marketing or a litigator's role. If you ever have a dispute with a Law firm, you must have the comfort that the data that will be key in the pursuit of that dispute is managed in a disciplined and accountable way. In fact, this is a question that should be on every employee's questionnaire. When employees leave a company, the fact that their information may be subject to a litigation hold is likely the last thing on their minds. Organisations need a process to ensure that departing employees' data remains protected. Otherwise, they may be unable to comply with their discovery obligations and could face draconian sanctions.
- Legal Industry Specialist Tools – Then there are specialist firms such as Litera Corp, who specialise in Secure Document Lifecycle Management solutions specifically for the Legal sector, worth taking into account for specific case management and enhanced contract collaboration functions.
This is basic join-the-dots IT implementation. None of what I have stated above is new, cutting edge or rocket science. To give you an example, it took 1 week to deploy the above technology for a 20 person professional services organisation. What was accomplished in a subsequent 4 weeks included data migration of legacy email and documents and implementation of new user policies, processes and practices. The user awareness programme and end user training were minimal because the use of existing technologies meant user interfaces were on the whole familiar. The result was a solution that provided cash-backed guaranteed Service Levels of 99.99% AND disaster recovery and business continuity.
The capabilities are in the market, the toolsets are not expensive for what you’re getting, the excuses for not going into action are inexcusable.