Law firms provide new lucrative data target for cyber criminals

The Wall Street Journal in the US has reported a significant rise in cyber threats being dealt with in the legal sector.  Law firms are especially attractive to criminals given the highly sensitive nature of the data they hold.

But are we just talking about some underworld cyber guys ransoming data?  Apparently not – some of the recent incidents are also suspected of being attempts to set up insider trading deals (now allegedly the subject of investigations by the FBI).

Phishing attempts in law firms continue to feature highly in the latest reports.  Stephen Tester, partner at London law firm CMS, which brokers cyber insurance, commented to the BBC: “We’ve seen examples of emails [at client law firms] that purport to come from a managing partner to a more junior lawyer directing them to make payments to an account or to send certain information to an address… they can look very much like a regular message.”

However, it’s the accounts of alarmingly insidious new ways that cyber criminals are trying to access systems that should put everybody on their guard.  Would you have considered your video-conferencing systems or telephony to be vulnerable?  Well, apparently so.  “There are ways in which people can go into video-based conferencing facilities and literally listen in on meetings,” Mr Tester said.  “Telephone systems these days are delivered via VoIP, in essence translating analogue to digital then back to analogue.  Not many organisations even consider this to be another attack surface.”

The rise and variety of attacks reflect both the cunning and sheer determination of attackers looking for any infrastructure loopholes and sometimes striking gold through wifi settings and unsecured networks.  Ally that to unsuspecting staff (93% of data protection breaches are reported to be caused by human error, source: ICO report 2015) and you have a tsunami of potential threat on the horizon with today’s cyber vultures circling.

Questions for you
• Can you afford to sit back and assume your organisation is not a target?
• Can your company afford to lose trust?
• Can your company afford to pay the financial penalties if you are found to have mishandled EU residents’ data?  This could be a fine of up to Euro 20 million or 4% of global turnover (EU GDPR).

You have a duty to your employees, customers and shareholders to know that you can protect the data you are holding.

So what can firms do to avoid having cyber criminals musing over your or your clients’ data for their financial gain?  Well, certainly an audit with cyber security experts is a good start.  Reviewing data security policies is a natural follow-on – as is identifying, and keeping up to date, what your plan is in the event of a cyber breach.  Finally, with phishing, this is an opportunity for companies to raise everyone up by prioritising education around data security and cyber threats amongst staff.  Better to pick over your own bones than have it done to you!


Does your company include “cyber” on the Board agenda every month?

Amicus ITS has long been an exponent of the merit of having an IT expert on a company Board.  Indeed ‘cyber’ has been on Amicus ITS’ own Board’s monthly agenda for the past 18 months.

As we continue to convey this good practice recommendation to our customers, the message is now being endorsed by HM Government’s Treasury department in a direct appeal to the major UK banks.

As reported in The Sunday Times (24 January 2016), Andrew Tyrie, Treasury committee chairman and Tory MP for Chichester, wrote to the major financial institutions over the weekend demanding that they take urgent steps to thwart hacking and data theft.  “Bank IT systems don’t appear to be up to the job,” he said.  “Every few months we have yet another IT failure at a major bank.  These IT weaknesses are exposing millions of people to uncertainty, disruption and sometimes distress.  Businesses suffer too.  We can’t carry on like this.”

The remedy is no magic potion.  The Treasury MP is advocating hard investment in computer systems and that banks answer to a new group within the financial regulator, the Prudential Regulation Authority.

No banks are immune.  Barclays, HSBC, Lloyds and the UK taxpayer’s own bank, Royal Bank of Scotland (RBS), have all suffered outages.  Most recently, HSBC suffered a two-day failure in its online banking services in January 2016.  This follows last August’s dropout, when a glitch prevented salaries being paid ahead of the August Bank Holiday.  Other banking failures have included mortgage and pension payments.  RBS, which has experienced many problems, was fined £56 million in 2015 for an IT glitch in 2012 that left millions of customers unable to access their accounts.

The Deputy Governor of the Bank of England, Andrew Bailey, is expected to head up a new specialist IT unit within the Bank of England’s Prudential Regulation Authority to ‘ensure lenders are investing enough in their systems’.  We wait to see whether this specialist financial regulator post has the teeth and influence to create the necessary change and improvements required – and soon.  If our banking blog of 31st January 2014 is anything to go by, it could be a very long wait.  Could this MP’s plea be one of hope more than expectation?

Irrespective of business sector, it is a timely reminder for companies not to put off updating infrastructures or reinforcing vital firewalls by holding on to unspent, shored-up profits post recession.  In our technically challenging world, businesses cannot afford NOT to maintain and future-protect their IT systems, let alone ignore recommendations to invest in protecting against the increasingly sophisticated and cynical cyber threats facing every organisation.
• 80% of cyber attacks in 2014 were preventable (source: Ponemon Institute)
• Only 21% of companies say their Board gets comprehensive information about cyber threats*.
• Only 17% of Board members believe they have a full understanding of the risks*.

Action – do a cyber health check review of your company after today:

• Re-evaluate the crown jewels of YOUR organisation (key information and data assets).
• Review risk from third-party suppliers (get into active compliance).
• Be proactive and transparent about risk – your customers will thank you.
• Arrange for a cyber threat ‘pen test’ and get in shape for 2016.

In the constantly evolving world of cyber security, the wise understand that there is no panacea against cyber attack; it is just a matter of when.  However, those best armed against the enemy will be the ones best prepared for an attack, for understanding it and for a prompt response.

UK SMBs fail to tool up on security

US security software specialists Trend Micro have published the results of their latest survey of 500 UK business owners.  The survey was an interesting mix of fact gathering and attitudes.  Trend Micro found that 50% of small to medium-sized businesses (SMBs) are not using any internet security tools to protect themselves from hacking and other threats.

In addition:
• Only 44% confirmed they knew how to check if a computer or mobile device was infected by malware.
• Around 66% had no knowledge of the financial penalties of an online security breach.
• Only 24% of respondents said they believed online threats are too complex to deal with.

With only 18% believing their data was worth stealing, this may explain their lethargy in taking a more enterprise approach to security risk management.

The difficulty is that cyber criminals have, for the last few years, increasingly targeted SMBs precisely for their more relaxed view of data security.

Now, a precision tooling company in Bristol, for example, may not perceive itself to be in any way a likely target for cyber crime.  However, let’s drill into the risk a little further.  This company’s Accounts department will necessarily hold valuable data assets.  These will include financial details (including bank account numbers and sort codes of customers and suppliers), credit check information on customers, plus private contact details for other organisations that are not in the public domain.  So, on their own they may provide fruit off the tree to the cyber criminal, but added to this, they will provide an increasingly valuable inroad into other, larger organisations with whom they do business.  So it’s not just themselves they put at risk, but the whole supply chain and their customer relationships, including trust, which become jeopardised.
