- Isn’t cyber security just data protection?
- What’s a cyber attack?
- What are the most common types of attack?
- What are the biggest causes of a cyber attack?
- What are the main laws covering cyber attacks?
- Will our PII cover us if anything happens?
- We have cyber insurance, so we can stop worrying and relax?
- We are only a small firm, surely we won’t be targeted?
- Who are we at risk from? We aren’t a target for hackers
- Should we encrypt our website?
- Do we need to encrypt email?
- How do you spot a phishing email?
- Does phishing only happen on email?
- What is blagging?
- Is it safe to use public Wi-Fi?
- What steps should be taken when working outside the office?
- Is it safe to work from home?
- Do I have to be careful where I plug in my mobile device to charge?
- Is it safer to use USB flash drives?
- Are there any platforms that we should avoid using?
- We use Apple products so none of this applies to us, right?
- How often should we be changing passwords?
- What is the ideal password make-up?
- When are we most at risk?
- Do we need to password protect our Wi-Fi?
- Why do some people cover their webcams – what is the risk?
- What is two-factor authentication and should we use it on our systems?
- We encourage our staff to share content on social media to promote the business – is this a problem?
- Apart from our IT system, are there any other systems or infrastructure we need to consider and protect?
- What’s the worst that could happen?
Peter Wright, managing director of Digital Law and chair of the Law Society Technology and Law Reference Group, answers common questions about cyber security for law firms. (Updated 2 March 2020)
1. Isn’t cyber security just data protection?
Data protection involves the security of personal data – anything that identifies an individual such as an email address, name, date of birth, national insurance number, bank sort code and account number, medical records, a photo, video footage or audio recording.
Cyber security is far broader. It covers anything from confidential information to commercially-sensitive data or any other type of information, as opposed to just personal data.
Cyber security covers information wherever it is: at rest on a server or hard drive, in transit over a network or by email, and throughout its storage, retention and eventual disposal.
2. What’s a cyber attack?
A cyber attack involves data that is owned by an individual or a legal person such as a corporation being compromised by an unauthorised third party. This could include data on a server, or information being transmitted on an email or on messaging services and social media such as WhatsApp. A cyber attack could include anything from personal data to commercial, commercially-sensitive or confidential data being accessed and/or stolen by a third party.
A cyber attack could also involve an intruder gaining access to an account. The attacker then impersonates the owner of the account: for example, sending out emails in an attempt to elicit information that is not rightfully theirs.
3. What are the most common types of attack?
- Phishing. Phishing involves an email or instant message being sent with the aim of getting the recipient to compromise their data. For example, a phishing email that appears to be from the recipient’s bank might include a link to a fake bank website, where the recipient is asked to enter account details and passwords.
- Malware. Malware, or malicious software, can be installed on a user’s machine when they open a malicious attachment, click a link or visit a compromised website. In its most vanilla form, malware can cause the machine to run slowly and perform poorly. Aggressive malware may encrypt the files on the device, and on any network drives it can reach, and demand a ransom, usually in Bitcoin, in return for the key to unlock them (this is ‘ransomware’).
- Denial of Service. A Denial of Service or ‘DoS’ attack involves an email or website server being overwhelmed with traffic so that legitimate users can no longer reach it. For example, hundreds of thousands or millions of emails or web requests are sent to a single address in a short period. A DoS attack on its own makes a service unavailable rather than exposing its data, but it is sometimes used as a distraction while a knowledgeable hacker probes for other weaknesses, and if a public-facing server also holds other content, a compromise of that server exposes everything on it. For this reason, it is never a good idea to have email or websites hosted on a server where business critical or personal data is stored.
- Insider threat. A malicious insider may knowingly acquire confidential, commercially-sensitive or personal data from an employer for the purposes of furthering their career after they have left an organisation. Equally, an innocent insider may end up inadvertently being responsible for a breach of personal or confidential data – for example, by sending information to the wrong recipient or via an insecure means. While those listed above are the most common, there are many different types of cyber attack that can exploit a system. Hackers are finding new and devious ways of compromising systems all the time.
4. What are the biggest causes of a cyber attack?
Phishing emails continue to be a particularly pressing concern, particularly for professional services organisations such as law firms.
Phishing emails can be sent to the clients of your firm, attempting to impersonate the firm to the clients, in order to make them hand over personal data or business critical information.
Firms also frequently receive phishing emails that purport to be from third parties such as suppliers, attempting to elicit payment for non-existent services.
Some phishing emails can be received from purported new clients, inviting the firm to undertake a transaction and potentially to become involved in illicit activities such as money laundering (should the firm fail to carry out the appropriate mandatory identity checks). Your firm should never provide services to an individual who only contacts you through email and is never spoken to on the phone, in person or otherwise.
The threat from malware, and in particular ransomware, remains a massive risk to organisations of all shapes and sizes. Some of the world's largest organisations – including car manufacturers, global law firms and the NHS – have fallen victim to ransomware attacks. These exploited vulnerabilities on systems that in many instances had not been correctly patched and/or updated, or in some instances were old legacy systems that were no longer properly supported.
It must also be remembered that a very significant cause of cyber attacks is the acquisition of data by disaffected employees who acquire data and take it with them to further their careers once they have left the firm.
5. What are the main laws covering cyber attacks?
As well as the European General Data Protection Regulation (‘GDPR’) as enacted into UK law via the Data Protection Act 2018, covering personal data, there are other laws to be aware of.
A European e-Privacy regulation has been proposed to replace the existing e-Privacy directive. It would relate to all electronic communications, whether they contain personal data or not, and if it becomes law in Europe it would apply to any UK organisation that is processing communications or information relating to EU citizens. The proposed fines reflect the same structure as is used under GDPR (4% of global turnover or 20 million euros, whichever is greater).
Other relevant legislation includes the Computer Misuse Act. Individual professions are also subject to their own regulations. In addition, requirements on companies and company directors are imposed by the Companies Act with regards to the safe storage and transmission of data.
6. Will our PII cover us if anything happens?
Professional indemnity insurance may be able to cover all or part of a loss incurred as a result of a cyber attack. For example, if a law firm client account was hacked and client money was stolen as a result, this might be recompensed through a claim on the professional indemnity insurance.
However, PII is unlikely to cover the firm for any regulatory fines that could be imposed by a regulator such as the Solicitors Regulation Authority (SRA) or the Information Commissioner’s Office (ICO). The ‘Minimum Terms’ for such insurance exclude fines and penalties, whereas a cyber policy is likely to cover fines to the extent permitted by law.
Furthermore, there could be additional losses associated with a cyber attack, such as a class action by affected data subjects whose data is compromised. There could also be the associated costs in relation to investigating the attack and then purchasing and creating a new secure IT system to defend against a future cyber attack. These additional expenses may not be covered by the terms of professional indemnity insurance cover.
In terms of financial exposure, privacy breaches tend to be the biggest area of concern. All PII cover will vary. It is important to read the policy wording to identify the specific cover and the specific occasions when an insurer is required to make any payment. Speak to your insurer, to ensure that you understand exactly what is covered.
7. We have cyber insurance, so we can stop worrying and relax?
A dedicated cyber policy is likely to give your firm immediate access to ‘critical incident response’, providing a level of expertise that could not be achieved internally. The policy should also cover the first party costs necessary to actually respond to the privacy breach.
However, cyber insurance, like PII, will only cover an organisation for a certain amount of liability. This may not include regulatory fines and liabilities in relation to class actions, IT costs and other associated losses. Furthermore, the liabilities from a cyber attack can be so significant that they exceed the maximum limit of cover under an insurance policy (which might only be £500,000). A fine under GDPR, or claims in a large civil class action, might run into millions of pounds.
Bear in mind that not all cyber liability policies are the same. Two different policies may do very different things even if they are both called ‘cyber insurance’, and the detail of a policy might run to 25 pages. So talk to your insurance broker, or directly to the insurer, about anything that you are uncertain about.
If any policy wording is particularly complex, consider using a specialist insurance lawyer to review the wording and to ensure that the appropriate cover is selected.
8. We are only a small firm, surely we won’t be targeted?
A cyber attack does not have to be specifically targeted at an individual organisation. In 2017 there were widespread attacks on organisations across Europe as a result of the ‘WannaCry’ ransomware, which the UK and US governments attributed to North Korea. It spread by itself from machine to machine, compromising Windows systems that had not been patched against a vulnerability Microsoft had fixed two months earlier, and old versions of Windows that were no longer supported at all.
In the UK, the NHS in particular fell victim to this ransomware, as did Renault and Nissan. These organisations were not specifically targeted by the attackers, whose malware infected any reachable system running an unpatched or unsupported version of Windows. So cyber attacks can be totally indiscriminate, affecting any organisation whose systems meet the appropriate criteria. How would your firm operate if it was locked out of its IT systems?
9. Who are we at risk from? We aren’t a target for hackers
Not all attackers are individual criminals looking to compromise a system to acquire money. Some are motivated by political or philosophical aims. They target organisations such as financial services, professional services or political institutions to prove a point, and may simply wish to destroy a system, its website or its infrastructure.
Meanwhile, other sources of cyber attacks include nation states. North Korea is an example of a nation state that has made significant investments in being able to carry out cyber attacks internationally. Such attacks can be indiscriminate, rather than specifically targeting individual organisations. Malware unleashed on the internet in this way is often referred to as being ‘in the wild’.
10. Should we encrypt our website?
It is certainly worth serving your website over HTTPS. This can be done comparatively cheaply, and in many cases free of charge, by obtaining a TLS certificate (still widely sold as an ‘SSL’ certificate) and installing it on the web server. The visitor is then greeted by a URL that makes it clear the site is secure (https rather than http in the browser, alongside a padlock icon), and everything sent between the visitor’s browser and your server, such as contact-form submissions or client portal logins, is encrypted so that it cannot be read or altered in transit. Sites served without a certificate are flagged as ‘Not secure’ by Chrome and by other web browsers. Bear in mind that HTTPS only protects data in transit: it does not make the website itself any harder to break into, so the web server and its software still need to be kept patched.
11. Do we need to encrypt email?
It is certainly a good idea to encrypt email at rest on its server, so that if the server’s storage is compromised the individual emails cannot be read. Most mainstream email providers also encrypt email in transit between mail servers by default, which stops it being read as it crosses the internet but still leaves it readable by both providers. You do not necessarily need to encrypt your email ‘end-to-end’. End-to-end encryption should only really be invested in if you are sending large volumes of commercially-sensitive data or personal data via email on a regular basis. Otherwise, if you are sending such material via email it would be a good idea to encrypt the individual attachments, and to send the password by a different route (for example by phone or text message) rather than in the same or a follow-up email. A better investment may be in a secure data room or portal that will allow important and potentially large files to be securely accessed by recipients, rather than sending them via email.
12. How do you spot a phishing email?
A phishing email can be quite difficult to spot. Sometimes they purport to have been sent by a bank or financial services institution. Others will impersonate document-sharing sites such as Dropbox, inviting the recipient to click a link. After clicking the link, the recipient may be taken to a third party site where they could be induced to enter personal data. Or they may end up clicking on several links and giving a third party access to the recipient’s device.
Always check the address that an email has actually been sent from, not just the display name, which can say anything the sender chooses. Look for domains that imitate a real one (extra words, swapped letters, or a genuine name buried inside a longer address) and for a ‘reply to’ address that differs from the sender. If the email has purportedly been sent by a bank, is it actually a bank that you have any transactions or relationship with? If it is, contact the bank using the legitimate contact information that you already hold for it to check whether the communication is genuine.
If you do receive an email that you think is suspicious, do not click on any links or use any of the contact information that the email might contain. Always remember what happened during the 2016 US presidential election. The chairman of Hillary Clinton’s campaign received what he thought was a security warning from Google about his Gmail account. By clicking on the link contained in the email and entering his password on the fake page it led to, he gave Russian hackers access to his email account.
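The checks described above can be automated at the mail gateway or in a triage script. The following is an added example written for this page, not code from the original article or from any product: it parses a message with Python’s standard email module and reports the warning signs listed above. The trusted domain list, the substitution table and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the (hypothetical) firm genuinely corresponds with.
TRUSTED_DOMAINS = {"examplebank.co.uk", "ourfirm.example"}

# Character swaps attackers use to build lookalike domains ('rn' looks like 'm', etc.).
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def normalise(domain: str) -> str:
    """Undo the usual lookalike tricks so 'examp1ebank' compares as 'examplebank'."""
    d = domain.lower()
    for lookalike, real in SUBSTITUTIONS:
        d = d.replace(lookalike, real)
    return d


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is genuine or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]             # 'examplebank'
        if norm == trusted or brand in norm:      # e.g. examplebank.co.uk.login-verify.net
            return trusted
    return None


def analyse(raw_message: str) -> list:
    """Return a list of warning strings; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. The display name claims a trusted brand but the real address does not belong to it.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower().replace(" ", "") and from_domain != trusted:
            findings.append(f"display name mentions '{brand}' but address is @{from_domain}")

    # 2. The sending domain itself is a lookalike of a trusted one.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like {imitated}")

    # 3. Replies or bounces would go somewhere other than the apparent sender.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(parseaddr(msg.get(header, ""))[1])
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from sender domain {from_domain}")

    # 4. Links in the body that point at lookalike domains.
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    for host in re.findall(r"https?://([A-Za-z0-9.-]+)", body):
        imitated = lookalike_of(host.lower())
        if imitated:
            findings.append(f"link to {host} imitates {imitated}")
    return findings


# Constructed sample messages (not real mail) used to exercise the checks.
PHISHING = """\
From: "Example Bank Security" <alerts@examp1ebank-secure.com>
Reply-To: <alerts@examp1ebank-secure.com>
Return-Path: <bounce@mailer.example.net>
To: partner@ourfirm.example
Subject: Urgent: confirm your account

Your account has been suspended. Verify at
https://examplebank.co.uk.login-verify.net/secure within 24 hours.
"""

GENUINE = """\
From: "Example Bank" <statements@examplebank.co.uk>
Return-Path: <statements@examplebank.co.uk>
To: partner@ourfirm.example
Subject: Your March statement

Your statement is available at https://examplebank.co.uk/statements
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING), ("genuine", GENUINE)):
        print(label, "->", analyse(raw) or "no warnings")
```

Run as a script it prints the four warnings for the constructed phishing message and none for the genuine one. The brand-in-domain check deliberately errs on the side of flagging, because a real bank name appearing inside a stranger’s domain is almost never legitimate; a production filter would add SPF/DKIM results and a proper breached-domain feed.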
13. Does phishing only happen on email?
No. Phishing can also be carried out by text message (sometimes called ‘smishing’), by phone call (‘vishing’), or through any other form of messaging such as social media direct messages or apps such as WhatsApp or Telegram.
You should never connect on social media with anyone you have not actually met and cannot verify in real life. Be wary of contacts on LinkedIn who connect with you and then send messages. It may be a good idea to check whether a LinkedIn profile is legitimate by running a reverse image search (for example through Google Images) on the profile photo: a photo that turns up under other names is a strong sign of a fake profile.
14. What is blagging?
Blagging is an attempt to elicit confidential, commercially-sensitive or personal data from an organisation. Professional service organisations and financial service organisations are often targeted. For example, someone might contact a bank trying to find out about transactions associated with a specific bank sort code and account number by pretending to be the customer, or might call a doctors surgery trying to obtain medical records.
When an individual contacts you requesting such information, it is always important to verify the individual making the enquiry to ensure that the request is genuine and should indeed be answered.
15. Is it safe to use public Wi-Fi?
Free public Wi-Fi should never really be used for business purposes. Employees should also always be strongly discouraged from carrying out business-related activities on free public Wi-Fi such as the Wi-Fi found in cafes, bars, airports, train stations and hotels.
Always be very wary of free public Wi-Fi. On an open network anyone else connected to it can observe traffic that is not separately encrypted, and an attacker can set up a rogue access point with a plausible name so that devices connect to it instead of the genuine one. HTTPS and a VPN (see 16, below) greatly reduce what such an attacker can see, but they do not remove the risk entirely. If possible and cost-effective, consider giving staff their own mobile devices such as phones with a 4G data connection and a mobile hotspot, allowing them to work through the mobile network’s encrypted connection rather than relying on free public Wi-Fi.
Wi-Fi should only be used if the network is verified as being secure. For example, in a business organisation with which you have trusted verified connections, or in a home location where the broadband is being supplied through a router that the individual has themselves set up.
16. What steps should be taken when working outside the office?
Any remote connection to a firm’s intranet, even when using a company laptop, should be done using a virtual private network (‘VPN’) connection. This allows users to send and receive data securely and as if connected locally.
Any remote connection that can be achieved on devices other than those issued by the company, for example if email can be accessed via a web browser, should carry additional security, such as two factor authentication (see 27, below).
Many cyber attacks are carried out following surveillance of employees either on social media or sometimes face-to-face in the public realm.
So employees should be discouraged from working on business-related activities on mobile devices in public locations such as on the train or in a cafe, in particular when using free public Wi-Fi. Where this is unavoidable (for example, if individuals make it clear that they wish to work while commuting to and from the office) they should be supplied with a privacy screen. This makes it very difficult for a neighbour to see what activity is taking place on the mobile device’s screen.
17. Is it safe to work from home?
Working from home can be done safely provided that the home Wi-Fi is protected with a strong password (using WPA2 or WPA3 encryption) so that there is no unauthorised access to the network, and the router is kept up to date (see 25, below).
It should also be considered who else has access to the network. This won’t be a problem if only close family members have access to the network. However, some homes can be busy with teenage children and extended friends of friends who may also have asked for access to the network for gaming and social media. Any device on the same network can reach any other device on it, so a user who is highly proficient, or whose own device is already infected, could end up gaining access to business-related content on a business mobile device.
It may be prudent to consider having two Wi-Fi networks at home, a personal network and a guest network for visitors to the property if this is a frequent occurrence. Most home Wi-Fi routers are now fitted with the capacity to provide this.
18. Do I have to be careful where I plug in my mobile device to charge?
A USB cable carries data lines as well as power, so when a mobile device is plugged in to charge it can also exchange data with whatever is at the other end. If the device is being plugged into a normal plug socket via its own charger, this should not usually be a problem. But if it is being plugged into another device, such as a laptop or desktop PC, it is possible that the user of that device may gain access to the mobile device and could access data that is stored on it.
Be cautious in high-traffic areas such as airport departure lounges. Charging points can be fitted with hidden devices that will try to put malware or ransomware onto any mobile device that is plugged in, or copy data off it, without the user being aware (sometimes called ‘juice jacking’). Modern phones prompt before allowing data access to a connected computer; always decline at a public charging point.
Mobile devices should not be charged from such publicly-available charging points. A better solution is to carry around a small mobile power pack, or a ‘charge-only’ cable or USB data blocker, which connects the power pins but not the data pins so that nothing can be added to or extracted from the device.
19. Is it safer to use USB flash drives?
USB flash drives can also be used to compromise a system if there is malicious software on the USB device. Just placing a USB flash drive into a laptop could be sufficient to compromise the laptop, and indeed the entire network it is connected to. A device that looks like a flash drive can even present itself to the computer as a keyboard and type commands as soon as it is plugged in, without any file being opened.
Flash drives should not be encouraged for day-to-day business use. Where they are genuinely needed, issue encrypted drives owned by the firm, never plug in a drive of unknown origin (including ones found in the car park or received as promotional gifts), and configure company machines to block unrecognised USB storage.
20. Are there any platforms that we should avoid using?
Businesses should avoid using free personal cloud-sharing accounts, such as the free version of Dropbox or a personal Google account for Google Docs, for firm business. These consumer services do encrypt data in transit and on their servers, but the provider holds the keys (there is no end-to-end encryption), the firm has no administrative control, audit trail or means of revoking access when a member of staff leaves, and an account protected only by a personal password is easily compromised. Business-grade versions of such services, set up and administered by the firm with two-factor authentication (see 27, below), are a different matter.
Free messaging apps such as WhatsApp should not be used for business-related purposes, particularly for the sharing of personal data. While systems such as WhatsApp and Telegram are encrypted between devices, it is not unknown for them to be compromised by hackers. They could also be used as a vehicle for phishing attacks that could lead to the installation of malware or ransomware onto a device.
You should also avoid conversations over LinkedIn messenger for business purposes. Any approaches made by a contact on LinkedIn should be moved to secure business email communications as soon as possible.
21. We use Apple products so none of this applies to us, right?
Many years ago this statement may have been true, as the Apple platforms were usually not as heavily-compromised as Windows-based platforms. However, in recent years many cyber attacks have been carried out on Apple-based systems as well. As a result, the use of an Apple-based phone, tablet, laptop or desktop is not a guarantee of avoiding being compromised by a cyber attack.
22. How often should we be changing passwords?
Forcing users to change passwords every few months is no longer recommended. The UK National Cyber Security Centre advises against routine password expiry, because users respond with predictable small variations on the old password and are more likely to write passwords down or reuse them across systems. Instead, a password should be changed whenever there is any suspicion that it has been compromised: for example when a service you use announces a breach, when a member of staff who knew a shared password leaves, or when it has been entered into a suspicious website. Many systems can be set to prompt for a change in those circumstances and to ensure that a new password does not duplicate any of the six or more previous passwords that have been used.
Bear in mind that a small change to an existing password, such as switching some characters between upper and lower case or adding a number or symbol on the end, provides almost no extra protection: password-cracking tools try exactly those variations first. A password manager removes the need to remember many passwords and makes it practical to use a long, unique one for every login.
Using different passwords for different log-ins is recommended.
23. What is the ideal password make-up?
Length matters far more than forced complexity. A password should be well over the six-character minimum that many systems still accept; the NCSC recommends building one from three random, unrelated words, which is both long and easy to remember. Mixing upper and lower case, numbers and a non-alphanumerical character such as a hash or an exclamation mark adds a little strength, but not as much as a few extra characters do.
It is also important that a password is comparatively easy for the user to remember, so they don’t resort to having the password written on a note attached to the device, negating the purpose of the password in the first place. Many individuals use long passwords that are easy to remember, such as the titles of movies or well-known phrases, but these appear in the dictionaries that cracking tools use; three random words that have no connection with each other, or a password manager that generates and stores passwords, are safer.
Organisations should not get too hung up on the minimum make-up of a password. Instead they should ensure that individuals can use passwords in an efficient and effective manner, that common and previously-breached passwords (such as old favourites like “password” or “letmein”) are rejected at the point they are chosen, and that every password is unique to the system it is used on.
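A password check that follows the approach above, rejecting common passwords and their predictable variations rather than demanding particular symbols, is short enough to show. This is an added example written for this page, not the article’s own code or any particular product’s policy engine; the deny-list is a constructed stand-in for a real breached-password list, and the 12-character minimum is an assumption chosen for illustration.

```python
import re

# Constructed stand-in for a real list of common and previously-breached passwords;
# in practice this would be a large downloaded list checked by hash.
DENY_LIST = {"password", "letmein", "qwerty", "welcome", "liverpool", "summer"}
MIN_LENGTH = 12   # assumed policy minimum; length, not symbols, is what buys strength

# Leet-speak substitutions that cracking tools reverse automatically.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def canonical(password: str) -> str:
    """Reduce a password to the word a cracker would guess it from: lower-case it,
    strip leading/trailing digits and symbols (Summer2020!), undo leet-speak (P@ssw0rd)."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return p.translate(LEET)


def check_password(password: str, context_words=()) -> list:
    """Return the problems found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    base = canonical(password)
    if base in DENY_LIST:
        problems.append(f"is a variation of the common password '{base}'")
    for word in context_words:                     # firm name, user's own name, etc.
        if word.lower() in password.lower():
            problems.append(f"contains '{word}'")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd2020", "Liverpool2019",
                      "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
    print(repr("Smith&Jones2021!"), "->", check_password("Smith&Jones2021!", ["Smith"]))
```

The point the canonical() step makes is that ‘P@ssw0rd2020’ satisfies every traditional complexity rule (upper, lower, digit, symbol, twelve characters) and is still the word ‘password’ to any cracking tool, whereas ‘correct horse battery staple’ satisfies none of them and passes.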
24. When are we most at risk?
- Notice period. Individuals may intentionally take confidential, commercially-sensitive or personal data with them to a new role. They may also be inadvertently responsible for a cyber breach due to a lack of care and attention while working a long notice period.
- New IT system. A new IT system may inadvertently not be properly secure and could be open to being easily compromised.
- New starter. New starters to an organisation might be unaware of the cyber security policies, procedures and governance within an organisation. As a result, a new starter might inadvertently be responsible for a breach of personal data or failing to follow internal security standards. This can be the case for up to three or six months after they have joined an organisation, because they have simply not received adequate training. It is important that all new starters receive cyber security and data protection training as part of their induction.
- Old IT system. Old IT systems are often based on legacy operating systems, such as old, unsupported versions of Windows. Such operating systems will no longer be receiving the appropriate patches and upgrades from the supplier or directly from Microsoft. As a result, there can be glaring vulnerabilities that can be exploited by hackers through malware and ransomware attacks.
- Migrating data. In 2018, TSB Bank showed the risks inherent in migrating data from an old system to a new IT system. In this instance, data from the old legacy Lloyds bank system was migrated to a new purpose-built IT infrastructure that regrettably crashed soon after being launched. Not only were customers unable to access their bank account records, but many customers accessed records relating to other customers. This widespread breach of third party personal data led to a significant liability, as well as a loss of reputation and goodwill and an ongoing loss of customers.
25. Do we need to password protect our Wi-Fi?
Yes, it is a good idea to password protect Wi-Fi to ensure that there is no unauthorised access by third parties. So always change the password from the default password issued with the router. Change the Wi-Fi password on a regular basis, to ensure that employees who have left the organisation are no longer able to access the network.
(It is also important to keep router firmware up to date with the latest patch, just like any other software. For simple, store-bought routers, log in to the router’s administration page periodically and check for updates, and turn on automatic updates where the router supports them; a router supplied by your broadband provider may be updated remotely by the provider, which is worth confirming with them.)
26. Why do some people cover their webcams – what is the risk?
Many people have covers over their webcams that can be easily slid open when the webcam actually needs to be used, which is often very rarely. This is because if an intruder gains command and control access to a system, they can also access the webcam and could potentially see what a user is doing – even seeing into the user’s home and personal private life.
27. What is two-factor authentication and should we use it on our systems?
Two-factor authentication (often shortened to 2FA, or MFA for multi-factor) means that in addition to a login such as an email address and password, something else has to be presented to confirm identity, typically something the user physically has, such as a phone or a hardware token. For example, the online banking systems now in operation in most high street banks use a key fob or card reader that supplies a one-time code which expires after a short time, and HMRC sends a one-time code by text message to a phone number registered in advance. Authenticator apps generate the same kind of time-limited code on a phone. An app or a hardware key is preferable to a text message, which can be intercepted through ‘SIM swap’ fraud, but any second factor is far better than none.
Two-factor authentication is an extra belt-and-braces way of ensuring that the right authorised user is gaining access to a system. Where it is available on your system and network it should be enabled, particularly if users often work from outside the office.
The UK National Cyber Security Centre strongly recommends the use of multi-factor authentication where available on all business systems. This includes business social media accounts and any cloud-based storage systems.
28. We encourage our staff to share content on social media to promote the business – is this a problem?
Sharing content on social media can cause a problem if more information is shared than was originally intended. Some organisations have found that sensitive information has inadvertently been shared by employees through posts on social media such as Facebook or Instagram.
Photographs taken and shared from within the office environment could contain confidential, commercially-sensitive or personal data. Photographs could also contain details of security measures such as location of locks, keys, the use of key fobs, location of burglar alarm panels, location of security cameras or security entry points. Posts from within the workplace can also confirm the identities of other colleagues, information related to customers or other items of personal data.
Staff should always be given clear guidance on what content should or should not be shared from the workplace, in either a business or personal capacity. Many organisations operate prohibitions on the use of social media in the workplace, and specifically prohibit posting any material that could identify individuals or customers from within the workplace.
29. Apart from our IT system, are there any other systems or infrastructure we need to consider and protect?
- CCTV. Your CCTV system will contain personal data of staff and potentially of customers and visitors to your site. Ideally, you should ensure that any stored CCTV footage is encrypted. You should also ensure that any recordings can only be accessed by the appropriate individuals. Be aware that many CCTV cameras are now Internet of Things (IoT) enabled, so you need to ensure that access to any footage being shared on the CCTV network is properly limited.
- IoT. Many devices are IoT-enabled, such as TVs, fridges, toasters, kettles and even children’s toys. Many such IoT-enabled devices can be easily accessed via Wi-Fi or Bluetooth, and if the method of access is not secure it could be possible for a passer-by or neighbour to gain access. This might allow them to see what is going on in an individual’s home or workplace, or even use an IoT-enabled device to speak to a child without the parent knowing. Make sure you know whether there are any IoT-enabled devices in your workplace or home.
- Hearing loop. Some businesses have hearing loops fitted in order to assist the hard of hearing. Many hearing loops allow for meetings to be recorded. This could mean that personal data, confidential data or commercially-sensitive information could end up being recorded. In such a scenario, ensure that you know what is happening to any recording and that it is being kept safely and securely.
- Voicemail /call recording. Voicemails and mobile phone calls can contain confidential, commercially-sensitive or personal data. You need to ensure that such material is kept safely and securely. Some digital phone systems record all phone calls by default due to their factory settings – it is not unknown for an organisation to have all their phone calls recorded and backed up into the cloud without being aware. Always check with your communications supplier.
30. What’s the worst that could happen?
It will vary. There are many potential liabilities as a result of a cyber attack.
There can be regulatory fines if there is a breach of personal data under GDPR or the UK Data Protection Act 2018. There could also be liabilities from data subjects whose data had been breached or compromised. Such a liability could exceed the value of a regulatory fine quite easily.
There can be ongoing losses of turnover and profitability as a result of a high profile cyber attack. There can also be IT costs associated with identifying the scope of a cyber attack, dealing with the fallout and upgrading to deal with any security risks. There can also be increases in insurance premiums, such as professional indemnity insurance or cyber liability insurance, after a claim. Staff may choose to pursue their career elsewhere after the negative publicity from a cyber attack. Directors or partners may choose to leave, taking teams or clients with them.
ACS Law in 2011 remains a striking example of what can happen should the worst come to pass. This one-man firm failed to seek professional advice when setting up systems, hosted sensitive personal data on a hosting service aimed at home users, and failed to install a firewall. Following a data breach it was the ongoing loss of turnover, the high costs associated with the replacement of the IT system, and the increased insurance costs that rapidly led to the firm becoming insolvent. Had ACS Law remained solvent, it would have faced the £200,000 fine announced by the Information Commissioner, who stated that the firm should have known the requirements of the Data Protection Act 1998 and ensured that personal data was being kept safely and securely.
DLA Piper fell victim to a large-scale ransomware attack in 2017 (the NotPetya malware). Like the NHS WannaCry attack, the ransomware originated from a foreign state and did not specifically target DLA Piper’s systems. But this did not stop the ransomware getting on to their servers and their network and business being severely disabled. If it can happen to one of the world's largest law firms, no one is really safe and we all need to take appropriate measures to protect ourselves.
A cyber attack can be a terminal blow on a firm if not effectively managed. One of the first things to do is to talk to your insurer immediately in the breach response process, as the insurer will have more experience of dealing with such breaches. If you involved your insurer when you put your breach response plans together and tested them, this should put you in a better position still.
- Cyber attack – lessons for law firms from a veteran, by Peter Wright
- Webinar: Cyber security for the modern law firm (44 mins), by Peter Wright
- Cyber fraud – is your law firm prepared?, from Lloyds Bank
- The cyber threat to UK legal industry, a 19-page July 2018 report from the National Cyber Security Centre explaining how UK law firms can protect themselves.
- Cybersecurity: what should your firm be prioritising after GDPR?, a post by Peter Wright of Digital Law on the Law Society website’s practice management section.