It’s the natural – and arguably overdue – outcome for an industry that’s increasingly coming to terms with cyber-attacks as a fact of life and business.
When the Government’s National Cyber-Security Centre published a security guide for businesses earlier this year, it started from this premise: “It’s no longer a question of if your company will be breached, or even when – it’s likely to have happened already. The real question is whether you will know – and are you prepared?”
We’ve been getting to this point for some time. In 2016, the Central Bank took a similar tack: “Firms should assume that they will be subject to a successful cyber-attack or business interruption.”
It was in this context that the BSI International Cyber-Resilience Exchange 2019 took place. The day-long conference featured leading international and Irish security experts discussing global cybercrime trends – and how to deal with them. By 2021, industry figures estimate the cost of cybercrime damage will exceed €5 trillion globally.
The event’s keynote speaker, Brian Krebs, is one of the foremost investigative journalists covering cybercrime.
A New York Times bestselling author, Krebs mapped out the current security landscape for the 250 in attendance. He described the growing frequency of cyber-security incidents in recent years.
As someone who regularly breaks new security stories on his blog, Krebs spoke of the “depressing reality” that everything gets hacked. In February alone, there were 621 million accounts compromised from 16 different hacked websites, Krebs said. “It has become a daily occurrence that companies announce that cybercriminals have stolen intellectual property or customer data. We’re talking about hundreds of millions of data points.”
In a nod to the conference theme, Krebs said that companies needed to get better at detecting incidents faster, and at rehearsing their response procedures: “Getting breached is okay – I hope the stigma is coming off. It’s not okay if you don’t detect it in a short period of time, which is when the problem starts. How we get to [resilience] is only with practice, to stop a cut from metastasising to an infection of the entire body.”
Krebs’ next point may have made any commercial lawyers in the room sit up and take notice. From his extensive reporting, he has noticed a strong correlation between M&A activity and data breaches.
For example, the Marriott Hotel group disclosed a major data breach in late 2018, which leaked personal details of an estimated 500 million guests. The company subsequently traced its breach back to when it acquired the Starwood Network, which itself suffered an intrusion in 2014.
Krebs also spotted breaches at several other organisations around the time when they acquired or sold stock in other companies.
Adding the important caveat that correlation is not causation, Krebs nevertheless said: “There seems to be a connection, and the takeaway is, it’s important that there be due diligence when there are acquisitions, but attention [to security] should not slacken after that due-diligence process.”
Data breaches happen for a very simple reason: information is valuable to the right people. “Most of us have failed to fully grasp how much of our data is for sale,” Krebs said.
From researching underground criminal forums on the internet, he has seen how cybercriminals take the usernames and passwords from one breached database and try those combinations on dozens of other websites.
“Every time there is a breach at one of these websites, it exponentially increases the amount of attacks against other websites,” he said.
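The credential-reuse pattern Krebs describes leaves a recognisable trace in a site's own login logs. As an added example (not part of the article), the Python below, using a constructed log format and illustrative thresholds, flags source addresses that cycle through many distinct usernames with a high failure rate, and lists the accounts where a reused password succeeded so they can be reset.

```python
# Added example (not from the article): flag credential-stuffing in login
# logs. Log format and thresholds below are assumptions for illustration.
import re
from collections import defaultdict
# Assumed format: "<timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")
# Constructed sample: 203.0.113.7 replays a breached username list (mostly
# failures, one hit); 198.51.100.4 is one person who mistypes once.
SAMPLE_LOG = """\
2019-05-01T09:00:01Z ip=203.0.113.7 user=alice result=fail
2019-05-01T09:00:02Z ip=203.0.113.7 user=bob result=fail
2019-05-01T09:00:03Z ip=203.0.113.7 user=carol result=ok
2019-05-01T09:00:04Z ip=203.0.113.7 user=dave result=fail
2019-05-01T09:00:05Z ip=203.0.113.7 user=erin result=fail
2019-05-01T09:00:06Z ip=203.0.113.7 user=frank result=fail
2019-05-01T09:00:07Z ip=198.51.100.4 user=grace result=fail
2019-05-01T09:00:09Z ip=198.51.100.4 user=grace result=ok
"""

def parse_log(text):
    # Parse matching lines into dicts; anything else is skipped.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "ip": m.group(2),
                           "user": m.group(3), "ok": m.group(4) == "ok"})
    return events

def stuffing_suspects(events, min_users=5, min_fail_rate=0.6):
    """Return {ip: stats} for sources that tried many distinct usernames with
    a high failure rate: the signature of replaying someone else's breach."""
    per_ip = defaultdict(lambda: {"users": set(), "hits": set(), "n": 0, "fails": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["n"] += 1
        if e["ok"]:
            s["hits"].add(e["user"])  # a reused password worked here
        else:
            s["fails"] += 1
    suspects = {}
    for ip, s in per_ip.items():
        fail_rate = s["fails"] / s["n"]
        if len(s["users"]) >= min_users and fail_rate >= min_fail_rate:
            # "hit_users" are the accounts to force a password reset on.
            suspects[ip] = {"distinct_users": len(s["users"]),
                            "fail_rate": round(fail_rate, 2),
                            "hit_users": sorted(s["hits"])}
    return suspects
```

A single user retrying a mistyped password (198.51.100.4 above) is not flagged, because the distinct-username threshold is what separates list replay from ordinary mistakes.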
Law firms are a natural target for cybercriminals by the nature of the files they handle and the sensitive nature of cases and clients, said Dr Jessica Barker, co-founder of Cygenta, a cybersecurity consultancy.
Speaking to the Gazette, she said: “Most organisations will be targeted by financially motivated cybercriminals and ‘script kiddies’ – and they’re probably the biggest threat group for most organisations – but when you’re looking at law firms, they may be more likely to be targeted by ‘hacktivists’ than other organisations, or by nation states, depending on the clients or areas that they’re working in.”
Barker specialises in the human side of cybersecurity, which is a major risk factor for many organisations, because attackers often use social-engineering techniques to lure or trick people into downloading a harmful file or giving away sensitive information without realising it. It’s an element that many firms overlook, she said.
“We’ve seen organisations spending a lot of money on the technical defences – the cybersecurity industry is very focused on technical measures to defend against cybercrime. So the attackers have moved, of course, to targeting the human element, because this is what we haven’t really concentrated on.
“So we’re seeing a lot of law firms being targeted with spear-phishing emails that may look like they come from a client, from a supplier, or from someone else in the organisation – such as from a partner to an administrative assistant – asking for a particular file or to transfer funds. So that’s a big issue for law firms to be aware of,” she said.
Although there are technical measures to help protect against this sort of attack, one of the most effective tactics is for organisations to raise awareness about security among their staff.
In order to have the right impact, these campaigns must be engaging and interesting, because security is such an abstract concept for many people, which makes it hard to understand the risks to themselves or their data.
“We often talk about cybersecurity in the theoretical sense, and if you’ve never seen behind the scenes of what happens when someone clicks on a link in a phishing email, then it kind of sounds like magic; it feels very intangible,” Barker said.
Security awareness training needs to focus on the individual and clearly communicate the reason why they need to protect themselves – and, by extension, their firm. Showing ‘safe’ demonstrations of what can happen in an attack can be a powerful way to communicate a message about positive security behaviour.
“It really helps people to understand how this operates and, as much as you can, gives people the experience of ‘this is what happens’ in a safe space, without actually hacking them,” Barker said.
In the past, she has conducted exercises to draw attention to the human risks in security. “That’s looking at all of the open-source intelligence information that’s out there on board members, whether it’s at a bank or a law firm, and saying to the executives, ‘we found all this information about you, and if we were cybercriminals, we would be looking to do a spear phish’,” she said.
“An organisation needs to try and look at itself through the attacker’s eyes and ask, what is the information that, if we lost it or didn’t have access to it, would do us harm or stop our business? But also, what is the information that would be really valuable to a competitor or to cybercriminals?”
“It’s important to make sure that everyone in the legal sector is aware that they are a target: they are handling sensitive information, and they need to be wary of the links that they’re clicking on,” Barker said.
Helping everyone in an organisation to understand cybersecurity risks feeds directly into the concept of resilience. Siân John (Microsoft’s EMEA chief security advisor) gave the example of a recent high-profile security incident to show the value of practising response plans.
Norsk Hydro, one of the world’s largest producers of aluminium, suffered a severe ransomware attack in March, but was able to maintain operations thanks to its recovery plan.
This enabled the company to avoid paying the ransom and to give regular public updates about its operations during the incident.
Norsk Hydro’s approach drew widespread praise in the security industry – but that may have been because it’s still far from common practice.
Stephen O’Boyle (global head of professional services at BSI’s cybersecurity and information resilience division) said that advance preparation is a key part of incident response.
That means conducting regular drills to test the plan, and this needs to involve all levels of a business beyond the technical team.
For the incident response plan to be truly effective, senior management involvement is critical, O’Boyle said. “We are seeing people do mock incidents and run-throughs. And people often see how unprepared they are.”
In other words, there’s no magic bullet for a firm to become resilient – it needs resources, commitment, and time.