Cybersecurity: What the Panama Papers can teach all law firms

02 February 2017

The Panama Papers leak exposed the most common weak link in law firms' cybersecurity: their people. Mark Leiser looks at what firms can learn from the scandal.

What image comes into your head when you think of a computer hacker? An isolated and lonely, hoodie-wearing teen living in their mother's basement, peering frantically into a wall of computer monitors? This is an image the media has given us, but it's never been true. Hacking is highly organised and professionalised, and happens for a multitude of reasons, from crime to ethical, 'white' hacking – though it's safe to say that almost none of the high-profile attacks on law firms’ networks have had anything to do with the latter.

There is no great mystery as to why law firms are attractive targets to hackers. First, law firms hoover up data. It’s their job to collect it. They have access to, store, control and process a disproportionate amount of data compared to other businesses of similar size. Second, law firms act as conduits of information: the profession exists to analyse and provide opinions about the risks and consequences of very sensitive data. Third, law firms are facilitators of large cash transactions – the press is full of stories of hackers attempting to intercept funds in legal transactions, especially where property is involved. Finally, law firms may be seen as guilty by association: if a firm works with an unsavoury or unpopular character / organisation, the firm may become a target for hackers looking to gain access to information that would be harmful to the client or their reputation.

You might think that the most important thing you can do is have the best possible software, firewall and so on. And, indeed, cybersecurity experts normally focus on the security of a law firm’s network and its infrastructure. But according to Verizon, the great majority – nearly 90% – of successful cyber-attacks succeed for another reason entirely: human error. Law firm partners and managers don't appreciate the fact that the organisation's people are its weakest link, so firms are generally understaffed and undertrained in cybersecurity. There are plenty of examples to make this point: a fake email from a law firm's managing partner leading the finance manager to pay funds to a hacker; the admin support team falling for a fake phone call and giving out the firm's wireless password; the sysadmin for the firm’s network failing to download the latest add-ons...

All of the above are variants on 'social engineering' as a means of cyber-attack. But probably the most famous – or infamous – was the so-called Panama Papers: the release of 11.5 million confidential documents and 2.6 terabytes of data from the law firm Mossack Fonseca. What cause was attributed to the breach? The firm's WordPress-based website ran a vulnerable version of a plugin called ‘Revolution Slider’, which enabled a hacker to exploit a well-known bug and gain access to the firm's mail servers, hosted on the same IP network. The exploit had been published back in October 2014 and widely circulated among the hacker community, yet the person responsible for the network never updated the plugin. Human error.

Lessons to learn

What can be learned from the Mossack breach? Well, there are some harsh realities for law firms to get their head around.

Stop complaining about the web’s anonymity, and embrace the fact that anonymity is a feature, not a bug, of cyberspace. Walled gardens, classified networks, and corporate-only servers all offer opportunities for businesses, so why don’t more law firms use them?

Don't rely on passive defences sold by traditional cybersecurity firms. Beware of anyone peddling a solution which is limited in scope to technical protection. Cybersecurity is much more than firewalls, patches, and antivirus software. Even the strongest network defence only works when the offensive party limits its strategy to attacking those defences. A law firm that relies on passive defences is doomed. Instead, the 21st century law firm should invest in active defences, which include technologies that detect attacks and trace the attacks to their source.

Identify the staff members in your firm who are most likely to be the target of hackers, most likely to be seen as the weakest link, and get them trained in cybersecurity.

Finally, prioritise security among your business partners (and anyone undertaking agency work). Make it an integral part of any IT contracting, and a requirement among your business partners.

Knowledge is no longer power. Information is power. And this makes solicitors and law firms far more powerful than they realise, especially as we move to 100% digitisation and cloud-based storage. The internet has no boundaries – and neither do hackers.

The Law Society is developing partnerships with a range of cybersecurity partners to help law firms to prevent cyber attacks and handle them if they do occur. Keep an eye on our cybersecurity pages for new content and new products and services to help you with your firm's cybersecurity concerns.

Tags: business | cyber security | IT | technology

About the author

Mark Leiser lectures in IT, intellectual property and company law at the University of Strathclyde, and teaches cyberlaw at the London School of Economics. He is a PhD candidate at the University of Strathclyde/London School of Economics focussing on behavioural based regulation of the online environment.