Cybersecurity basics for law firms
The legal profession is built on the security (confidentiality, integrity and availability) of client secrets. You are right to say that all professionals have a responsibility to keep their clients' secrets secret.
How can a lawyer in Uganda, with a team of paralegals and other like-minded staff each using a laptop or computer connected to the same network, keep clients' secrets on those computers secret?
Put yourself in the shoes of a typical client of a law firm.
You are a manager. You work in a department with other professionals. On 16th May 2017, you were asked to travel abroad for three weeks of training. Before leaving, you deliberately planted an automated program on your IT department's shared workstation to give yourself a backdoor for remote access to it while you were away. You gained remote access and transferred money from a large customer's account to that of your accomplice, who withdrew it immediately. Three days later, during routine account reviews, the branch manager noticed suspicious transactions on a previously idle account, and that is how the bank discovered multiple withdrawals of Ugx 800,000 made from various ATMs by hooded men over three nights. In total, Ugx 300,000,000 (about US$84,000) was missing.
On further scrutiny, preliminary internal investigators found that the money had been transferred from the large client's account in five equal instalments. They also found that your domain username had been used. Based on the available logs, the shared IT workstation was identified as the machine that most likely initiated the transactions.
On that basis, Internal Audit was asked to conduct an inquiry into the matter. Due to limited expertise, they decided to interview all known users of the shared IT workstation that had been identified as the one used by the fraudsters. You were called in for an interview to explain how your username and password had been used in the fraudulent transfer. You explained that since you had travelled, you were not physically present at the bank and therefore could not be the person who made the fraudulent transactions. You further stated that someone could have stolen your password, since the password policy is only reluctantly enforced at the bank. After your interview, the Internal Auditors called in your colleagues, who likewise explained why they could not have been involved in the fraud. Without establishing all the facts, Internal Audit wrote a draft investigation report for management review, recommending a thorough professional investigation by a competent firm such as Summit Consulting Ltd's forensic investigation services. Since this is an investigation, and Summit Consulting's forensic investigators know from experience that forensic investigations may end up in court, they advised the bank to report the fraud to the police and open a police file. On that basis, they commenced the investigation.
Aware of this development, you decide to seek legal advice and head to a law firm for representation. Your defence counsel, being a good one, demands to know the whole truth, and you decide to come clean. He documents your admission of wrongdoing: how you connected remotely, how you went back and cleaned most of the incriminating logs, including the one showing the remote server access used to execute the malicious code, and how you also logged in as a different user, using a colleague's username and password you had stolen earlier, so that the investigators cannot pinpoint who did it. You speak with confidence and ask your lawyer to protect you. The lawyer then saves this information on the law firm's computers and goes to play golf.
The question is: how safe is your confession to your lawyer?
And that is the reason for this article.
Lawyers, like all professionals, must invest in cyber security. Once client information is in digital form, it is exposed to cybercrime, and security breaches are on the rise.
A recent Wall Street Journal article reported how hackers broke into the computers of a number of large US law firms. Hackers know that lawyers keep high-value secrets; it is those secrets, after all, that lawyers are paid handsomely to protect.
To this end, large companies now require their professional advisers (lawyers, doctors, engineers, etc.) to provide proof of the technical and operational measures they use to protect confidential information from unintended disclosure, especially by hackers. These requirements commonly include proof of having undergone rigorous white-box and black-box penetration testing. Based on the vulnerabilities found and exploited, the law firm can then implement strong security measures such as data encryption (both at rest and in transit, across all the platforms where data is stored), network and database security controls, cyber liability insurance cover, ISO/IEC 27001 certification for information security assurance, and mandatory cyber security incident reporting. All serious law firms must now adopt best practices such as the Model Information Protection and Security Controls for Outside Counsel, here http://www.acc.com/advocacy/upload/Model-Information-Protection-and-Security-Controls-for-Outside-Counsel-Jan2017.pdf?_ga=2.18008698.2105555974.1496154508-4598426.1496154508 , to improve their cyber security and cyber hygiene.
Who will regulate law firms to improve their cyber security practices? Will it be the Law Council, or must clients demand to see a firm's cyber security practices before giving it work? All professional bodies that exist to protect clients and the general public must wake up to the new reality of cybercrime. Now is the time. Countries are investing in cyber weaponry and cyber warfare, for both defensive and offensive capabilities, and lawyers must now gain the skills to prosecute criminals who commit acts of terrorism using cyber weapons. Such weapons are sophisticated, and they are executed remotely. To take part in such high-level cases, counsel must come with their own house in order and beyond breach. That calls for ongoing cyber security investment and training.
Are you ready for tomorrow?