WHY ARE HACKERS TARGETING LAW FIRMS?
In simple terms, because law firms typically hold valuable information, though there is a little more to it than that.
When a hacker or a nation-state threat actor looks to acquire valuable information from a large multi-national or a bank, finding a way in can take a long time. Once inside such an organisation, locating the information and gaining access to that data is also a lengthy process. Having obtained it, the assailant then needs to exfiltrate the information. While it is next to impossible to stop hackers getting onto your organisation's network, once they are on it the odds move in favour of the defender, assuming the appropriate protections are in place.
Hacking is big business now and hackers, like any business, need to be efficient and cost effective. That's why hackers tend to think much like a house burglar, in that they look for the path of least resistance.
Where a burglar might avoid the front door and come around the side or the back of a property, or even decide to break into the house next door because it has no alarm system, hackers may decide that breaking directly into an organisation is just too hard, time consuming and costly. Given the increasing integration of networks, platforms and data between organisations, hackers have identified the opportunity either to obtain the information from a business partner or supplier, or to use that third party to gain access to the larger organisation's environment.
Is Your Firm’s Security A Weak Link?
As I stated earlier, law firms store and have access to a great deal of valuable information, acting as a critical link in an extended enterprise known as the "cyber supply chain": sensitive commercial information about mergers and acquisitions that could affect a client's share price, brand and reputation, or large amounts of personal or financial information about your clients and their customers.
In comparison to multi-nationals and financial organisations, Law firms are relatively easy targets, with typically fewer skilled resources and smaller information security budgets. So, if your Law firm has clients who rely on you to provide services relating to sensitive information, chances are you are already being targeted.
While I’m sure many Law firms have excellent IT Security monitoring and detection functionality in place, it is frequently the simple, repetitive things that tend to get forgotten.
Two key areas of particular focus for hackers are Patch Management and Access Control.
Patch Management is much akin to painting the Forth Rail Bridge. There is a never-ending stream of patches and upgrades released by vendors every week. Assessing, understanding and applying these patches in a timely manner is a time consuming but very necessary task. The area in which most organisations fall down with respect to patching is consistency: there will always be a project that takes higher priority, or that someone is shouting louder for.
While we could discuss the complexities of access control systems, two-factor authentication, single sign-on and so on, keeping it simple and looking at it from a Joiners, Movers and Leavers workflow point of view often gives the best results. Most organisations, regardless of sector, are usually pretty good at onboarding a new member of staff. Moving teams, departments or offices frequently results in an employee gaining additional access privileges without their existing privileges being reviewed and removed. The Leavers process is usually the primary weak point, with user IDs and passwords remaining active well beyond the term of employment.
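The Movers and Leavers failures described above are easy to check for mechanically once you have an HR roster and a directory export side by side. The following is an added example, not code from the original article or from the author's firm: it reconciles a constructed HR roster against a constructed directory export and flags leavers whose accounts are still enabled, movers who kept groups from a previous department, and accounts with no HR record at all. The department-to-group entitlement table, the record layouts and all names are assumptions made for the example.

```python
"""Joiners/Movers/Leavers reconciliation check (added example, constructed data).

Compares an HR roster against a directory/account export and reports:
  - leaver : HR says the person has left but the account is still enabled
  - mover  : the account holds groups outside its current department's entitlement
  - orphan : an enabled account with no matching HR record at all
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class HrRecord:
    user_id: str
    department: str
    status: str                     # "active" or "left"
    leave_date: Optional[date] = None


@dataclass
class DirectoryAccount:
    user_id: str
    enabled: bool
    groups: set = field(default_factory=set)


# Assumed policy: which groups each department is entitled to hold.
# In a real firm this would come from the agreed access-control policy.
ENTITLEMENTS = {
    "litigation": {"dms-litigation", "email"},
    "corporate": {"dms-corporate", "dealroom", "email"},
    "finance": {"billing", "email"},
}


def reconcile(hr, directory, today):
    """Return a list of (user_id, finding_type, detail) tuples."""
    findings = []
    hr_by_id = {r.user_id: r for r in hr}
    for acct in directory:
        if not acct.enabled:
            continue                          # disabled accounts are out of scope here
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            findings.append((acct.user_id, "orphan", "enabled account with no HR record"))
            continue
        if rec.status == "left":
            days = (today - rec.leave_date).days
            findings.append((acct.user_id, "leaver",
                             f"account still enabled {days} days after leaving"))
            continue
        # Active staff: anything beyond the department's entitlement is a Movers failure
        excess = acct.groups - ENTITLEMENTS.get(rec.department, set())
        if excess:
            findings.append((acct.user_id, "mover",
                             f"excess groups from a previous role: {sorted(excess)}"))
    return findings


# Constructed sample data: bob moved from litigation to corporate and kept his
# old DMS group; carol left on 31 January; dave has no HR record at all.
HR_ROSTER = [
    HrRecord("alice", "litigation", "active"),
    HrRecord("bob", "corporate", "active"),
    HrRecord("carol", "finance", "left", date(2024, 1, 31)),
]
DIRECTORY_EXPORT = [
    DirectoryAccount("alice", True, {"dms-litigation", "email"}),
    DirectoryAccount("bob", True, {"dms-litigation", "dms-corporate", "dealroom", "email"}),
    DirectoryAccount("carol", True, {"billing", "email"}),
    DirectoryAccount("dave", True, {"email"}),
]


def sample_findings():
    return reconcile(HR_ROSTER, DIRECTORY_EXPORT, date(2024, 3, 1))


if __name__ == "__main__":
    for user, kind, detail in sample_findings():
        print(f"{kind:7} {user:8} {detail}")
```

Run periodically (for instance as part of the audit checks discussed below), the output is exactly the evidence a department head needs: each line names an account, the workflow step that failed and how long it has been failing, which is far easier to act on than a general statement that "leavers are not being removed".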
How Can You Improve Your Anti-Hacking Security Today?
Patch Management and Access Control are the two most common failings we encounter in an organisation’s cyber supply chain on a daily basis. Incredibly, they are usually some of the easiest and cheapest things to fix.
We have found that organisations large or small need to focus the mind of the person or individuals responsible for patching. Success is typically reached here by tying the objective to the employee's contract of employment and/or benefits package. Defining and agreeing patching levels, and measuring and reporting against these objectives, makes achieving them very public. Having a bonus linked to patch management objectives will result in a much higher level of security for your organisation.
When it comes to Access Control, working with Human Resources to identify the appropriate workflows, define policies and processes and implement robust audit checks will go a long way to alleviating these immediate risks. As with any process, identify who is responsible in each department, provide clear and concise instructions in terms of policy and process, and undertake periodic audit checks to ensure compliance by department. If you struggle to gain traction or buy-in, consider publishing a league table, as no one will want to be at the bottom of it!
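"Defining and agreeing patching levels and measuring and reporting against them" only works if the measurement is unambiguous. The following is an added example, not code from the original article or from the author's firm: it takes a constructed inventory of hosts and the patches each is missing, applies an assumed set of agreed patching levels (maximum days from vendor release to install, by severity), and produces the per-team league table the article recommends publishing. The SLA values, severities, host names and team names are all assumptions made for the example.

```python
"""Patch-objective compliance report (added example, constructed data).

A host is compliant when none of its missing patches is older than the agreed
SLA for its severity. Teams are ranked by the share of their hosts that are
compliant, producing the public league table described in the article.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed agreed patching levels: maximum days between vendor release and install.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}


@dataclass
class MissingPatch:
    patch_id: str
    severity: str
    released: date


@dataclass
class Host:
    name: str
    team: str
    missing: list


def overdue_patches(host, today):
    """Missing patches on this host that have breached their severity SLA."""
    return [p for p in host.missing
            if (today - p.released).days > SLA_DAYS.get(p.severity, SLA_DAYS["medium"])]


def compliance_report(hosts, today):
    """Return {team: (compliant_hosts, total_hosts, percent)} ranked best to worst.

    Ties are broken alphabetically so the table is stable from week to week.
    """
    totals = {}
    for h in hosts:
        ok, n = totals.get(h.team, (0, 0))
        totals[h.team] = (ok + (0 if overdue_patches(h, today) else 1), n + 1)
    report = {t: (ok, n, round(100 * ok / n, 1)) for t, (ok, n) in totals.items()}
    return dict(sorted(report.items(), key=lambda kv: (-kv[1][2], kv[0])))


# Constructed inventory, as of 1 June 2024. Patch ids are placeholders.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Host("lit-ws01", "litigation", [MissingPatch("KB-A", "critical", date(2024, 5, 25))]),
    Host("lit-ws02", "litigation", [MissingPatch("KB-B", "high", date(2024, 4, 1))]),
    Host("corp-ws01", "corporate", []),
    Host("corp-ws02", "corporate", [MissingPatch("KB-C", "medium", date(2024, 1, 15)),
                                    MissingPatch("KB-A", "critical", date(2024, 5, 25))]),
    Host("fin-srv01", "finance", [MissingPatch("KB-A", "critical", date(2024, 5, 10))]),
]


def league_table():
    return compliance_report(INVENTORY, TODAY)


if __name__ == "__main__":
    for rank, (team, (ok, n, pct)) in enumerate(league_table().items(), start=1):
        print(f"{rank}. {team:12} {ok}/{n} hosts compliant ({pct}%)")
    for h in INVENTORY:
        for p in overdue_patches(h, TODAY):
            print(f"   overdue: {h.name} {p.patch_id} ({p.severity}, released {p.released})")
```

The important design choice is that compliance is judged per host against a dated objective, not as a count of patches applied: a team that installs twenty low-risk updates but leaves one critical patch three weeks old is still non-compliant, which is the consistency problem the article describes. The same per-department table can be produced for the access-control audit checks above, ranking departments by the number of open leaver or mover findings.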
As with most things in life it’s about getting the basics right, taking a Hacker’s eye-view of the world and working hard to make sure you and your own Third Parties are not weak links in your cyber supply chain.
If you'd like to learn more about understanding the security risks in your cyber supply chain, contact me on 0161 476 8700 or visit www.dvvs.co.uk.