The Panama Papers leak exposed the most common weakest link in law firms' cybersecurity: their people. Mark Leiser looks at what firms can learn from the scandal.
What image comes into your head when you think of a computer hacker? An isolated and lonely, hoodie-wearing teen living in their mother's basement, peering frantically into a wall of computer monitors? This is an image the media has given us, but it has never been true. Hacking is highly organised and professionalised, and happens for a multitude of reasons, from crime to ethical, 'white' hacking – though it's safe to say that almost none of the high-profile attacks on law firms’ networks have had anything to do with the latter.
There is no great mystery as to why law firms are attractive targets to hackers. First, law firms hoover up data. It’s their job to collect it. They have access to, store, control and process a disproportionate amount of data compared to other businesses of similar size. Second, law firms act as conduits of information: the profession exists to analyse and provide opinions about the risks and consequences of very sensitive data. Third, law firms are facilitators of large cash transactions – the press is full of stories of hackers attempting to intercept funds in legal transactions, especially where property is involved. Finally, law firms may be seen as guilty by association: if a firm works with an unsavoury or unpopular character / organisation, the firm may become a target for hackers looking to gain access to information that would be harmful to the client or their reputation.
You might think that the most important thing you can do is have the best possible software, firewall and so on. And, indeed, cybersecurity experts normally focus on the security of a law firm’s network and its infrastructure. But according to Verizon, the great majority – nearly 90% – of successful cyber-attacks succeed for another reason entirely: human error. Law firm partners and managers don't appreciate the fact that the organisation's people are its weakest link, so firms are generally understaffed and undertrained in cybersecurity. There are plenty of examples to make this point: a fake email from a law firm's managing partner leading the finance manager to pay funds to a hacker; the admin support team falling for a fake phone call and giving out the firm's wireless password; the sysadmin for the firm’s network failing to apply the latest updates...
All of the above are variants on 'social engineering' as a means of cyber-attack. But probably the most famous – or infamous – was the so-called Panama Papers – the release of 11.5 million confidential documents and 2.6 terabytes of data from the law firm, Mossack Fonseca. What cause was attributed to the breach? The firm ran its online presence on a WordPress-based website with a vulnerable version of a plugin called ‘Revolution Slider’. This enabled a hacker to exploit a well-known bug and gain access to the firm's mail servers, which were hosted on the same IP network. A well-known exploit, published back in October 2014, had been widely circulated among the hacker community, yet the person responsible for the network never updated the plugin. Human error.
Lessons to learn
What can be learned from the Mossack breach? Well, there are some harsh realities for law firms to get their heads around.
Stop complaining about the web’s anonymity, and embrace the fact that anonymity is a feature of cyberspace, not a bug. Walled gardens, classified networks, and corporate-only servers all offer opportunities for businesses, so why don’t more law firms use them?
Don't rely on passive defences sold by traditional cybersecurity firms. Beware of anyone peddling a solution which is limited to technical protection in scope. Cybersecurity is much more than firewalls, patches, and antivirus software. Even the strongest network defence only works when the offensive party limits its strategy to attacking those defences. A law firm that relies on passive defences is doomed. Instead, the 21st century law firm should invest in active defences, which include technologies that detect attacks and trace the attacks to their source.
Identify the staff members in your firm who are most likely to be the target of hackers, most likely to be seen as the weakest link, and get them trained in cybersecurity.
Finally, prioritise security among your business partners (and anyone undertaking agency work). Make it an integral part of any IT contracting, and a requirement among your business partners.
Knowledge is no longer power. Information is power. And this makes solicitors and law firms far more powerful than they realise, especially as we move to 100% digitisation and cloud-based storage. The internet has no boundaries – and neither do hackers.
The Law Society is developing partnerships with a range of cybersecurity partners to help law firms to prevent cyber attacks and handle them if they do occur. Keep an eye on our cybersecurity pages for new content and new products and services to help you with your firm's cybersecurity concerns.