13 April 2023

Cyber security

Data breach. Who would have thought that two simple words could instil so much fear into boards and executives worldwide? Yet here we are in 2023, and these two simple words have us on edge. The worst part: no one is immune to a data breach, and it affects every industry. Just look at lists such as Webber Insurance Services' The Complete List of Data Breaches in Australia for 2018-2022. Lists like this give me goosebumps, partly because of the magnitude of breaches Australia has suffered in just four years, and partly because I use or engage personally with some of the providers whose names appear on the extensive list. This leads me to ask the question: how much of my data is available on the dark web, and did these providers do everything they could to protect my data before it was swept away and capitalised on?

Anyone following cyber news in the last few weeks will undoubtedly have heard of a recent spate of cyber-attacks against law firms via two strains of malicious software (malware), GootLoader and FakeUpdates. Threat actors compromised legitimate websites to which lawyers and business professionals were lured when searching for certain types of legal and business information. Visitors to those websites would unknowingly download malware instead of the contract or agreement templates they had searched for. On the sneaky scale, this hits the extreme end. As a practising lawyer or business professional with limited cybersecurity training, there is no possible way you could know that this simple action, an action that in the past was safe and held no risk, now threatens the very existence of your organisation.

A little dramatic, I know, but the malware being delivered included ransomware and Cobalt Strike, a post-exploitation agent that allows a threat actor to sit quietly in your organisation’s environment for a long period of time. The use of Cobalt Strike suggests to cybersecurity professionals that, rather than straight-up financial gain, the threat actors were interested in espionage. Add this to the plethora of other cyber-risks faced by organisations, including the multitude of phishing email variations such as spear-phishing, business-email compromise, whaling, vishing and smishing (I know, who comes up with these names?), man-in-the-middle attacks, zero-day exploits and a whole heap of other cyber-attacks which make no sense at the best of times, and things are looking fairly grim. Or are they?

Just as the law profession has its own language, so does cybersecurity. Most organisations hire professionals when it comes to legal advice, the same way they hire professionals when it comes to cybersecurity. But how do you know that your cybersecurity professionals are doing everything they can to protect your organisation, the same way you, as lawyers, work hard for your clients? The answer? It’s not straightforward. But if you know the right questions to ask, you are one step closer to ensuring that your organisation is doing the best it can to protect the safety of your clients’ personal information and their intellectual property.

Having worked with several law firms over the years, below are five questions I encourage you to ask your cybersecurity professionals as a starting point to ensure that your organisation is on the right path to becoming secure.

Is Multi-Factor Authentication (MFA) turned on for everything? And if not, what compensating controls do we have in place?

MFA refers to how a user authenticates. Usually, we would have a username and an associated password. MFA adds a second factor that goes beyond the password, and this is generally “something you have”. This could be a one-time code, which you see in MFA apps like Microsoft Authenticator or Google Authenticator. Or it could be biometric (“something you are”), like Face ID on iPhones. By using MFA, if your password is exposed or stolen, someone cannot log in to your account without also having that second factor, be it your phone with your one-time codes, or your face. MFA should be switched on for everything, including social media accounts. If something you are using does not support MFA, then you need to put in compensating controls. These are extra controls that reduce your risk, for example placing an application behind your company’s single sign-on portal, which does use MFA. Passwords are no longer enough. MFA adds an extra layer of security that blocks most account hacks.

I was recently performing open-source intelligence (the practice of collecting and analysing publicly available information for intelligence purposes) on a law firm and stumbled upon a password belonging to one of the partners. The password was an eight-letter word, all lower case. The partner was informed of the discovery, and we recommended they update their password to a more secure combination of letters, numbers, and symbols (complexity). The organisation’s password policy was also updated to require ten characters with complexity. A few weeks later I was completing my work for the organisation when a new password popped up for the same partner; he had capitalised the password and added a 1 and a ! to the end of it. Threat actors know that people are lazy when it comes to passwords and will try different combinations of discovered passwords using cracking programs. MFA prevents threat actors from guessing or regurgitating breached passwords. It is a second line of defence.
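The partner’s “Password1!” style of change passes a length-and-complexity rule yet is the first thing a cracking tool tries. An added example (not from the original article) of the extra check a password policy needs: normalise the candidate back to the dictionary word it was built from and reject it if that word is on a breached-password list. The breached set here is a small constructed sample; in practice it would be a full corpus such as the downloadable Have I Been Pwned hashes or an internal blocklist.

```python
import re

# Constructed sample of words seen in breach dumps (illustrative only; a real
# deployment queries a full breached-password corpus).
KNOWN_BREACHED = {"password", "welcome", "sunshine", "lawfirm", "123456"}

# Letter-for-symbol swaps that add no real strength because crackers try them.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                       "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise(password: str) -> str:
    """Reduce a password to the base word a cracker would start from:
    lower-case it, strip leading/trailing digits and symbols ("Password1!"),
    then undo common substitutions ("P@ssw0rd")."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(_LEET)


def check_password(password: str, min_length: int = 10, min_classes: int = 3) -> list:
    """Return the list of policy failures; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    # The check the anecdote is missing: complexity is irrelevant if the
    # password is a trivial dressing-up of a word already in every wordlist.
    if password.lower() in KNOWN_BREACHED or normalise(password) in KNOWN_BREACHED:
        problems.append("trivial variant of a known-breached password")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Password1!", "P@ssw0rd2023", "Tr0ub4dor&3x"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The useful behaviour is the second and third candidates: both satisfy ten characters with complexity, and both are rejected anyway, which is the gap the updated policy in the story left open.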

Do we apply the principle of least privilege regarding access to our sensitive information?

This is a fancy way of stating that users should only ever have access to the information they need, i.e. the least amount of privilege possible. If you have a client folder and every person in your firm has access to that folder, then you need to be asking why. Security is all about reducing what we call your attack surface. The larger the attack surface, the more possible ways you can be attacked and compromised. The question you should be asking is: who has access to what information, and do they need access to that information?

A few years ago, a law firm I was working with had a major breach after a disgruntled employee attempted to copy all the firm’s client folders onto an external drive. The firm was alerted to the event but by the time they were able to action the alert, most of the client folders had been copied. The lawyer was a junior associate who had only ever worked on two clients previously, yet they could access every client folder!
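The two questions above (who can reach what, and do they need to) and the junior-associate incident can both be answered by a periodic access review. This added example (not from the original article; the matter names, user names and groups are constructed sample data) compares each matter folder’s access list against the team actually staffed on the matter, flags folders open to broad groups, and reports the blast radius of a single account, which is what the firm in the story would have seen before the copying started.

```python
# Constructed sample data (not real matters or staff): who is staffed on each
# matter, and which users/groups the matter folder currently grants access to.
MATTER_TEAMS = {
    "Matter-1001": {"partner.a", "associate.j"},
    "Matter-1002": {"partner.b", "associate.j"},
    "Matter-1003": {"partner.a", "senior.c"},
}

FOLDER_ACLS = {
    "Matter-1001": {"partner.a", "associate.j"},
    "Matter-1002": {"Everyone"},                          # open to the whole firm
    "Matter-1003": {"partner.a", "senior.c", "associate.j"},
}

# Group names that mean "everybody"; any grant to these defeats least privilege.
BROAD_GROUPS = {"Everyone", "Domain Users", "All Staff"}


def review_access(teams: dict, acls: dict, broad_groups: set = BROAD_GROUPS) -> list:
    """Return (folder, principal, reason) findings for every grant that is not
    justified by membership of the matter team."""
    findings = []
    for folder, principals in sorted(acls.items()):
        team = teams.get(folder, set())
        for principal in sorted(principals):
            if principal in broad_groups:
                findings.append((folder, principal, "folder open to a broad group"))
            elif principal not in team:
                findings.append((folder, principal, "user not on matter team"))
    return findings


def blast_radius(user: str, acls: dict, broad_groups: set = BROAD_GROUPS) -> list:
    """Folders one account can read, directly or via a broad group: what a
    single stolen credential or disgruntled employee could walk away with."""
    return sorted(folder for folder, principals in acls.items()
                  if user in principals or principals & broad_groups)


if __name__ == "__main__":
    for folder, principal, reason in review_access(MATTER_TEAMS, FOLDER_ACLS):
        print(f"{folder}: {principal} - {reason}")
    print("associate.j can read:", blast_radius("associate.j", FOLDER_ACLS))
```

Run against a real document management system, the same logic would take the folder ACLs exported from the platform and the matter staffing list from practice management; the review is only as good as the staffing data it compares against.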

How are we educating our employees on security awareness topics?

It is imperative that organisations have an ongoing security awareness program that caters to the various people within your organisation. A learning management system (LMS), where you complete computer-based training, is simply not enough. Face-to-face training, employee onboarding, regular security bulletins, making a big deal out of cyber week in October and privacy awareness week in May, all help to drive home the point that security is a top priority for your firm. Don’t just reserve training for staff. Get your senior executives and board involved as well and demonstrate a strong commitment from the top. You want to build a cyber-aware culture across the whole business.

I recently engaged with a firm that had set the tone from the top with regards to cybersecurity. The engagement I received and the commitment by staff to protect their client data were second to none. When I asked staff to explain where this motivation stemmed from, they all told me it was a priority of the firm, set by upper management.

Do we know where all our sensitive data is being held?

To protect your confidential and sensitive data you need to know where it is held. Undertaking yearly information security risk assessments, and asking staff how they are receiving, storing, and sending confidential and sensitive information between your organisation and clients, can help you track where data is being stored and identify any bad habits employees may have adopted. Once you have identified where your data is being stored, the next step is to document this in an information security asset register.

During COVID, I received a phone call from a stressed client. One of their staff had been sending confidential information on a USB key over regular mail and the mail had been intercepted and the client’s customer had received an empty envelope. There was no way to tell what the intentions of the thief were regarding the USB key, and as it contained highly sensitive personal information, the theft constituted a notifiable data breach under the Privacy Act.

Do we have an incident response policy and procedure in place, and has it been tested?

If your organisation does suffer a cyber incident, it is imperative that you have in place an incident response policy and procedure that has been tested with the IT team and the executive team and board, so that everyone knows their role and responsibilities in the event of an incident. This should include where the incident is initially reported to, when to escalate the incident to the response team, when to escalate to the executive team and board, who will be the spokesperson for the organisation if a public statement is required and any regulatory, contractual, or legal reporting obligations.

We have had several major breaches in Australia in the last twelve months and the way the public and customers have responded to each breach has a lot to do with how management dealt with the incident in the eyes of the media and the public. It is obvious which organisations were following an incident response procedure that had been developed, tested, and rehearsed.

Implementing the five cybersecurity principles above is the first step in ensuring your organisation has adequate protection against threat actors. But security is a journey that never stops, which means your organisation should continue to review the threat landscape and implement controls commensurate with your organisation’s current cyber-risks.

Find out how you can secure your world with Morrisec.

Sarah Morrison

Dr Sarah Morrison’s background in cyber security is both extensive and diverse. Commencing her career as a developer, Sarah has a background in Criminology, has served as an investigator in fraud and corruption for government agencies, managed IT and security risk as part of her tenure at one of Australia’s top 4 banks, provided cyber security services to a multitude of clients and managed teams responsible for GRC consulting. Sarah’s mission is to decrease the cost, time, and effort invested in fulfilling cyber security demands, and help businesses mature their security posture, all while supporting business growth.
