The Wall Street Journal in the US has reported a significant rise in cyber threats being dealt with in the legal sector. The allure of law firms to criminals is especially attractive given the highly sensitive nature of the data held by them.
But are we just talking about some underworld cyber guys ransoming data? Apparently not – some of the recent targets have also included the suspicion of attempts at insider trading deals (now allegedly the subject of investigations by the FBI).
Phishing attempts in law firms continue to feature highly in the latest reports. Stephen Tester, partner at London law firm CMS which brokers cyber insurance commented to the BBC: “We’ve seen examples of emails [at client law firms] that purport to come from a managing partner to a more junior lawyer directing them to make payments to an account or to send certain information to an address… they can look very much like a regular message.”
However, it’s the accounts of alarmingly insidious new ways that cyber criminals are trying to access systems that should put everybody on their guard. Would you have considered your video-conferencing systems or telephony to be vulnerable? Well apparently so. “There are ways in which people can go into video-based conferencing facilities and literally listen in on meetings” Mr Tester said. Telephone systems these days are delivered via VoIP, in essence translating analogue to digital then back to analogue. Not many organisations even consider this to be another attack surface.”
The rise and variety of attack reflects both the cunning and sheer determination of attackers looking for any infrastructure loopholes and sometimes striking gold through wifi settings and unsecured networks. Ally that to unsuspecting staff (“93% of data protection breaches reported to be caused by human error”) source ICO report 2015 and you have a Tsunami of potential threat on the horizon with today’s cyber vultures circling.
Questions for you
• Can you afford to sit back and either your organisation is not a target?
• Can your company afford to lose trust?
• Can your company afford to pay the financial penalties if you are found to have mishandled EU resident’s data – this could be a fine of up to Euro 20 milllion or 4% of global turnover (EU GDPR).
You have a duty to your employees, customers and shareholders to know that you are can protect the data you are holding.
So what can firms do to avoid having cyber criminals musing over yours or your client’s data for their financial gain? Well certainly an audit with cyber security experts is a good start. Reviewing data security policies is a natural follow on – and identifying and keeping up to date what your plan is in the event of a cyber breach. Finally, with phishing, this is an opportunity for companies to raise everyone up by prioritising education around data security and cyber threats amongst staff. Better to pick over your own bones that have it done to you!