

Attack mode!


Getting tough on tackling cybercrime



The Gazette begins a new series on fighting cybercrime in the office. What is it, how can you identify it and – most importantly – how can you stop it in its tracks? Tanya Moeller, Nicola Kiely and Deborah Leonard contain the virus.

If something doesn’t feel right, it normally isn’t. As in most professions, cybercrime is an ever-growing problem for legal practices. The Department of Justice defines cybercrime as a criminal offence that can comprise traditional offences such as fraud, content-related offences, or “offences unique to computers and information systems”.


The latter include attacks against such systems, spread of malware, and hacking to steal sensitive, personal, or industry data. Our series on cybercrime will focus on the last category of offences. Unfortunately, solicitors’ client accounts and the confidential information that solicitors hold can prove all too enticing for attackers.

Irish law firms have been the victims of increasingly sophisticated and complex cyberattacks in recent years and, unfortunately, these can have an extremely serious impact on client relationships, the firm’s reputation and, indeed, the firm’s finances.

It is heartening to know, however, that not every attempted attack will be successful. Cyberattacks can be warded off through a combination of technical and organisational measures that law firms can take to stay safe. While technical measures focus on IT infrastructure and software components, organisational measures range from good management to business continuity planning and observing safe behaviours.

Our aim is to help firms evaluate their approach to cybersecurity. Our series will cover topics such as carrying out a risk assessment of your firm’s threat defences, safe banking transactions, and successful breach management. The good news is that many of the preventative measures do not require much financial investment.

Human error

Human error is still a major gateway for cyberattacks but, thankfully, this means that each staff member can positively contribute to keeping the law firm safe. Using the internet (browsing, social media, or emails) provides a possible point of entry for cyberattacks.

All solicitors and staff with access to the internet should be trained to recognise suspicious emails and attachments, especially if their professional details are displayed on the firm’s website or on a social-media platform.

Training should also be provided to ensure appropriate use and installation of USB drives and/or all other portable devices – if these are permitted. Staff training is a cybersecurity policy requirement, so practice managers would kill two birds with one stone.

One way to provide effective training, for example, is by showing examples of suspicious emails, since these are becoming increasingly sophisticated in how they look and feel. Training providers frequently request staff to complete tests by spotting genuine versus fake emails as part of the training programme.

Common threats

There are a number of common threats:

Ransomware blocks access to a firm’s computer system, or threatens to publish confidential information unless the firm pays a ransom. This usually occurs due to an unsuspecting staff member clicking on a corrupt attachment to an email or a hijacked hyperlink. Daily back-up procedures for these files will mitigate the effects of such malware attacks.

Viruses are activated by opening infected files, such as attachments. Once activated, they may delete or alter files, leaving staff with little or no access to certain parts of their computer or computer system.

Trojans, as the name suggests, download onto a computer disguised as proper and legitimate programs. These can cause considerable damage before staff become aware of what has occurred. A trojan can often ‘monitor’ a computer keyboard and gather information before installing additional malware. Staff may only notice that something is amiss when computer settings have been changed.

Malvertising is a relatively new cyberattack that can be quite difficult to detect. Online advertising is used to spread and install malware or to redirect traffic. Spyware is often installed using this method in order to steal financial data or bank-card details. Malvertising can be hard to detect and, worryingly, does not require any user action other than visiting a malicious website or clicking on an advert.

Impersonation is a common method for attackers who wish to gain access to a firm’s data through a firm’s unsuspecting and unwary employees – whether solicitors or support staff. Emails or social-media messages can impersonate other employees within the firm, or prospective clients, in order to seek confidential information. For example, bad agents are increasingly using LinkedIn as a way of building a personal relationship with staff members and obtaining their contact details. Once they have both, they may send a corrupt email, which is opened by the staff member on the basis of a recent chat on LinkedIn. This type of social engineering is becoming more common as threats become more complex in nature. 

Protections available

Besides technical protections, such as efficient firewalls (more on that in a later article), one of the most efficient ways to protect against a cyberattack is to have all staff within the practice fully trained to ensure that everyone becomes vigilant and able to ‘think twice’ before taking any action. The primary focus should be on understanding the threats.

Firms that engage in regular security awareness and training suffer fewer successful security attacks. The main aim, therefore, is to prevent risk from human error. The implementation of some simple tips can yield effective results.

Corrupt emails often contain the following errors:

  • Hyperlinks may seem legitimate, but something is wrong with them. For example, ‘linkedin.com’ may be misspelled as ‘linkdin.com’,
  • Sender addresses may similarly contain spelling errors,
  • Consider the request received. If it sounds suspicious, then it usually is! All staff members should be actively encouraged to develop a healthy sense of suspicion and to practise authentication through a channel other than that through which the request was sent. For instance, any instruction to transfer funds to a different account should be verified via a telephone call to a legitimate and trusted telephone number of the organisation. (A future article will deal with safe ways to transfer moneys in a solicitor’s practice.)
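
The misspelled-domain check in the first two points above can also be automated. The following Python is an added example, not part of the original article: it compares the sender domain and every link in a message against a list of trusted domains and flags near-misses such as ‘linkdin.com’. The trusted list, the function names and the sample message are constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains the firm genuinely deals with (constructed list).
TRUSTED = ("linkedin.com", "lawsociety.ie", "example-bank.ie")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Naive last-two-labels reduction; a production tool would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(domain: str, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates, or None if exact or unrelated."""
    if domain in TRUSTED:
        return None
    for good in TRUSTED:
        if edit_distance(domain, good) <= max_distance:
            return good
    return None

def review_email(from_header: str, body: str) -> list:
    """List (where, suspicious_domain, imitated_domain) for the sender and each link."""
    sender = parseaddr(from_header)[1]
    hosts = [("sender", sender.rsplit("@", 1)[-1])]
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        hosts.append(("link", urlsplit(url).hostname or ""))
    findings = []
    for kind, host in hosts:
        dom = registered_domain(host)
        target = lookalike_of(dom)
        if target:
            findings.append((kind, dom, target))
    return findings

# Constructed sample message, not a real email.
SAMPLE_FROM = "LinkedIn Messages <notify@linkdin.com>"
SAMPLE_BODY = "New message: https://www.linkdin.com/messages/view or https://www.lawsociety.ie/"

if __name__ == "__main__":
    print(review_email(SAMPLE_FROM, SAMPLE_BODY))
```

A flagged domain is a prompt to verify the request through a separate channel, as the last point above recommends; an unflagged one is not proof that the message is genuine.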

One way to identify unsafe websites is to check whether the ‘lock’ symbol is missing from the browser address bar. This symbol signifies that the URL uses the ‘https’ protocol. ‘HTTP’ is a method of transferring data over the internet – the ‘s’ stands for ‘secure’, which means that the connection is encrypted. Any attacker would only see a string of seemingly random characters, instead of useful information.

  • Encourage staff to create strong unique passwords with a mixture of letters, numbers and characters. The website of the Data Protection Commission has useful guidance on building strong passwords.
  • Ensure staff understand the dangers of logging into practice systems using a public Wi-Fi network. They should also receive training on the physical care and security of laptops and other equipment belonging to the practice while out and about, for example, when visiting a client or working in a local courthouse. Privacy screens can be obtained to limit a third person from viewing information on a laptop – and staff should also remain aware of simple loss and theft.
  • Ensure staff are aware of the dangers of ‘juice jacking’ and the risks associated with charging a company phone/computer at a public charging station at hotels/airports, etc. Charging a device at a public station can open the pathway for a cybercriminal to access company information. Staff should be aware that public USB ports may be compromised.
  • Consider hosting a cyber-awareness week in the office. In addition, strategically placed posters and stickers are a constant reminder to staff to warn them to remain vigilant, always. Make the language on cybersecurity posts clear, relatable, and understandable – ensuring that staff can personally relate to the dangers.
  • Teach employees to be suspicious. The new or sudden appearance of a suspicious app or programme on a computer or laptop should prompt the staff member to report it immediately. Another useful indicator is the device becoming slower than usual. Encourage staff members to report anything suspicious, without delay. (This series of articles will provide information on how to report suspected or attempted cybersecurity attacks.)

Changing behaviour

More than anything, staff training should be behaviour changing. Many security attacks or cybercrimes can effectively be prevented by simply reducing the instances of human error. Helping employees to understand the importance of cybersecurity by assisting them to identify potential threats and harm could prevent a major cyberattack on a firm’s software and, ultimately, the firm’s bank account. Remaining secure against cyber-threats ought to be a major aim for any practice throughout 2023.

Next month, we will discuss the differences between ‘phishing’, ‘smishing’ and ‘vishing’. We will talk through useful technical measures and what safety precautions to consider when enlisting third-party services.

CYBERSECURITY CHECKLIST

  1. Train employees on email and internet-security best practices,
  2. Limit personal use of business email and browsers,
  3. Create strong passwords and change these regularly,
  4. Handle portable memory devices carefully,
  5. Follow safe practices when working on the go,
  6. Avoid open, public Wi-Fi,
  7. Log out.

Useful resources

CYBERSECURITY AND YOUR PRACTICE

The Law Society of Ireland provides its members with some very useful guidance on cybersecurity at: www.lawsociety.ie/Solicitors/business-career-resources/Cybersecurity. This section covers the following topics: 

The best defence against the possibility of a cyberattack is to stand collectively together. The Law Society maintains a dedicated reporting channel, cybersecurity@lawsociety.ie, where members can report a potential cybersecurity issue. Confirmed attacks can, in turn, be reported anonymously on the website, to protect fellow members.

Members are also invited to ask questions of the Law Society’s Technology Committee, which will make every effort to provide assistance.

DEPARTMENT OF JUSTICE

  • ‘Cybercrime’ (20 September 2022)

DATA PROTECTION COMMISSION

Tanya Moeller is in-house counsel with ServiceNow and vice-chair of the Law Society’s Technology Committee. Nicola Kiely is a partner in Comyn Kelleher Tobin LLP and a member of the Technology Committee. Deborah Leonard is secretary to the Conveyancing Committee.
