You've been hacked - you just don't know it yet

Personal information is the most valuable commodity on the globe, argues Nick Podd. Here he considers the issues around cybersecurity and outlines how law firms can take responsibility for the security of their clients' data.


Misha Glenny, British journalist and author, specialising in crime and cyber crime, is unequivocal on hacking: "There are two types of companies in the world: those that know they've been hacked, and those that don't."

Like Schrödinger's cat, the truth is not known until either an examination is performed or, in the case of many cybersecurity breaches, the news is leaked by the perpetrator. So, the inherent concern when faced with the very real and very constant threat to personal data being shared or stored online is understandable.

A business has the added weight of considering the serious responsibility of dealing with client information in such a way that the clients themselves have no reason to distrust the company with their data. 

This information can simply be personal data, such as name, address, date of birth and so on, but even that is a valuable asset to anyone wishing to create new identities or apply for a line of credit. For obvious reasons, the addition of financial data into a client database will then make for a more sensitive filing system.

More valuable than gold

I believe, without any shadow of doubt, that personal information (along with demographic information) is the most valuable commodity on the Earth right now, and that is only set to increase. 

Tangible assets do not come close to the revenue that collected data can turn over year on year and, with the Internet of Things (IoT) set to grow at an alarming rate over the next four years, the collection of data will be easier for corporations and the storage of that data will be vast. 

Google, now a subsidiary company of Alphabet, started out as a humble search engine. However, Google is the third richest company in the world right now (source: article by Verne Kopytoff) and that doesn't happen by being a search engine. 

It is famous for managing data in order to personalise users' web browsing experiences. Microsoft has also taken a leaf out of Google's book and is now collecting personal data through its new operating system, and users are unable to opt out. It's a big business.

Nothing is ever truly secure

The Internet of Things (IoT) is the term given by the information technology world to the connected world - the world of connected devices that we all live in. 

I'm sure many reading this will be able to rattle off most of the connected devices in their homes: smartphones, PCs and laptops, tablets, games consoles, newer televisions, WiFi routers, the list goes on. 

But the IoT goes so much further than these things. Does your car have Bluetooth? Bluetooth is a type of network and acts as a port into your car's management system. As a result it can be used to hack your car. 

I visited the University of Warwick in 2015 where they are working on a project looking at automotive hacking. This is not a reason to panic, as only a few cases have been reported and all have been under experimental conditions by cyber professionals. The point is that any network can be exploited. Connect one device to another via an unprotected highway of information and it can be exploited. There are even driverless quarry earth movers that are connected and have been subject to hacking.

A connected planet

At my last estimate there were around 10 billion connected devices on the planet. That equates to around 1.5 devices to every head of population. 

On speaking with senior police officers at the House of Commons in October last year, I was told that the estimated number by 2020 is around the 50 billion mark. 

How accurate this figure proves to be remains to be seen, but I would make a conservative estimate of around 30-35 billion devices; an increase of at least 20 billion in the next four years. That is truly astonishing growth.

In 2013, I travelled on a Boeing 787 Dreamliner for the first time from Doha to Heathrow and was pleasantly surprised to see that we had WiFi on board. Last year's news was full of the professional hacker in the US who was met at his destination by the FBI having tweeted that he had found a way into the systems of the Boeing 737/800 aircraft that he was travelling on. 

Clearly very poor decisions, both the breach and the tweet, and, while he protested that it was just a joke and bragged that his seized equipment was encrypted, the authorities made his life very difficult for some time. You don't mess with any aviation these days, least of all in the US.

Wide-scale concerns

In a survey carried out in 2015, of the 83 responding companies from a variety of sectors, 62 per cent of respondents indicated that they "were concerned about both direct political risks to their business and the impact of political instability on the broader security environment. Respondents rated political and security instability considerably higher than macroeconomic volatility". Political and security instability (including cybersecurity) was the biggest concern by far; the next highest considered risk scored 39.4 per cent. Virtually 70 per cent of the responding companies in the survey were of European origin.

Download the survey - The State of the Enterprise Resilience: Resilience Survey 2015 conducted by Control Risks (PDF) 

Keep it safe

We all need to take responsibility for our own personal online security and there are many ways to do this. 

As law firms, it is imperative that client data is kept secure and that clients are reassured that this is the case. 

Law firms deal with people for the most part, not products. They are selling services; very complex and often drawn-out services that require large amounts of data storage and this data needs to be dealt with in a secure manner. Anything sensitive needs the appropriate level of security for storage (whether that be on site or in a cloud), transferring and sharing among parties. 

All companies in the UK are bound by the Data Protection Act 1998, but firms need to keep up-to-date security policies and procedures to ensure that the risk of a breach or compromise is kept to an absolute minimum. 

Only then can you be assured of peace of mind and allow partners and staff to concentrate their time on supporting their clients, rather than worry about the unknown: whether the cat is still alive, or indeed, dead.
