Lawyers can no longer leave cyber security to the IT manager

Cyber attacks not only cost law firms time and money – they could also have professional conduct implications, writes legal affairs commentator Morry Bailes.

Dec 22, 2016, updated Dec 22, 2016
Photo supplied.


Apple, Sony, eBay, Dropbox: all influence how we live, shop, communicate and do business – all have been the targets of cyber attacks. And it’s our data they are holding.

Indeed, there is hardly a week that goes by when the media does not report a major cyber breach. Last week we learned that US Democratic Party emails were hacked, it appears, by Russian spies. Yahoo announced the week before that a billion of its customer accounts had been compromised.

In short, if you have an IT system, even at home, you’re a target.

A recent survey of managing partners of law firms identified cybersecurity as their top concern. Similar results are obtained if you ask in-house counsel or CEOs.

And don’t think this is only about big business. Small and medium enterprise has the least understanding of this most modern problem, and so the SME sector is the least prepared.

The added difficulty for lawyers is our ethical obligation to protect a client’s privilege. Solicitor-client privilege is a significant right established in law and reflected in our conduct rules. Anything you say to your lawyer is privileged and cannot be published unless you, as a client, choose to waive the privilege, such as giving evidence in a court. Thus, as sworn officers of the court, we take the obligation at its highest, which exacerbates the gravity of cyber attacks on our information systems.

A cyber attack can come in a variety of forms, the most common of which is a ransomware attack. In simple terms your digital data system is hacked, information is stolen or frozen subject to the payment of a ransom. Anti-ransomware software offers some, but not complete, protection. Faced with such a threat, the risk of the loss of privileged information looms large.

That, however, is only the beginning. There is no end to the variants of cyber crime and cyber espionage. Some theorists predict that the next world war could begin by cyber attack. It is plain, having placed all our stock in the digital data world, that the issue of cyber security has become paramount.

McAfee, which has long been in the business of protecting consumers against digital attacks, estimates cyber crime cost the world economy US$454 billion in 2014. The average cost to each business attacked is estimated at $276,000.

It is no wonder then that law firm managing partners are sweating on this unstoppable phenomenon. Ransomware often comes in the form of an innocent-looking email requesting what appears to be an innocuous payment of an attached bill or a delivery notification. The industry term for this type of attack is “spear phishing”. The moment the attachment is opened the infiltration of your digital data commences. Scarily, victims often don’t even know they have been hit until weeks or months later. On average a resolution following an attack takes 23 days.

In this day and age cyber crime is more lucrative to criminals than the illegal drug trade.

What then are lawyers and others supposed to do about such a threat? For the past 12 months the Law Council of Australia has been working on a tool kit and accompanying advice for the use of the Australian legal profession. It was launched last week by Law Council president Stuart Clark and Minister Assisting the Prime Minister on Cybersecurity Dan Tehan. Tehan singled out the Law Council in his remarks for leading the charge in this area and expressed hope that other professions and industry groups would follow our example.

What our work in this area has demonstrated is that awareness of the problem and basic digital “hygiene” goes a long way. Because a lot of these attacks succeed due to psychological vulnerability, knowledge and information is the most effective tool with which to counter the problem (other than having decent anti-ransomware and anti-virus software). Managers need to be fully aware of the nature, risk and likelihood of an attack. Other firm members must be regularly reminded to fight the “inclination to trust” and combat curiosity or naivety in opening and dealing with digital information. All of this is aimed at combating the common feature of cyber attacks which is what the Law Council refers to as “social engineering”. We are so accustomed or “socially engineered” to opening an email and then its attachment, for example, that we do it without thought to consequence.

Sadly, the time for such a lackadaisical approach has come and now must go if we are to survive this new era of increasingly frequent cyber crime and digital sabotage.

There are other basics for businesses to observe and adhere to in this fight:

1. Insist on secure passwords and do not share them.

2. Don’t trust public wifi or hyperlinks if they are unverified.

3. Protect cloud data, remembering that off-shore-hosted cloud data storage cannot possibly be guaranteed the same protection as is offered in the Commonwealth of Australia with our far tougher laws and absence of government interference. Added to that is the need to know where your back-up site is hosted and by whose law it is governed, as the same issues may be at play.

4. Ignore the lure of free software products like Dropbox, which plainly constitute a breach of solicitor privilege if they are used to share privileged information, in that the material is provided to a third-party provider which, pursuant to its license conditions, then owns the data – an obvious if inadvertent waiver of privilege.

5. Use encryption of data instead and talk to clients about these risks so that they have a proper understanding as well.

6. Create a culture that encourages staff to report rather than hide a breach, embarrassing as it may be.

The most sophisticated anti-malware and anti-virus software is useless if the security veil is voluntarily lifted and the attacker is invited across the cyber hearth. Human vulnerability is our biggest weakness. Conversely, bolstering human awareness and understanding is our greatest weapon. As with other aspects of successful businesses it is all about culture, in this case a culture of awareness, understanding and readiness for what has become, quite simply, the inevitability of cyber attack.

Cyber security, warns the Law Council, can’t just be a tick-and-flick exercise. Unless everyone in your organisation is properly prepared, the weakest of the links will be the one to fail, bringing everyone tumbling down in the process. As Law Council president Clark said at the launch of our cyber security campaign, “consideration of cyber risks should evolve beyond seeing them as an IT issue”.

Lawyers need to understand that ultimately this may amount to a question of professional conduct. Any dereliction of our client obligations to protect privileged material is bound, at some point, to end up before a conduct commissioner, where we will be asked whether, in this digital age, we have done all we can to adhere to our professional obligations. When looked at in that light, the question is by no means one of concern purely for the IT manager. And covering up a cyber breach is not an option. It is squarely about our professional conduct in a time when paper is no more, digital is everything and crime is virtual.

Author and journalist Art Wittman said recently: “As we’ve come to realise, the idea that security starts and ends with the purchase of a pre-packaged firewall is simply misguided.”

In the case of lawyers it may ultimately get worse with adverse conduct findings for failing to recognise and address our professional obligations in this area, and loss of clients if sensitive competitive commercial material, for example, is surrendered to cyber criminals.

Whilst there are some unique features in the question of cyber security for the legal profession, it is fair to say that the work of the Law Council of Australia is a lesson for all industries. Don’t ignore the threat. Businesses will be brought down by such criminality and that, sadly, is not being alarmist. We are all under threat unless we act in concert to confront the new reality of cyber crime.

Morry Bailes is the managing partner at Tindall Gask Bentley Lawyers, treasurer of the Law Council of Australia and is a past president of the Law Society of SA. The opinions expressed in this column are his own.

Copyright © 2024 InDaily.
All rights reserved.