Cybercrime has dominated the global headlines over recent years, with the NHS suffering a huge ransomware attack, allegations of Russian hacking affecting the American elections and the confidential data of 143 million people being breached after credit ratings company Equifax was hacked. According to Lloyd’s of London a “serious” cyberattack could cost the global economy almost £100 billion.
With the spectre of GDPR looming, law firms will be increasingly called upon by their clients to help them grapple with data protection compliance and understand their obligations surrounding cybersecurity. But legal practices will also need to ensure their own IT infrastructure is secure; as they often hold valuable and sensitive client data, firms can pose a target for cybercriminals. So what are the main types of cyberattack for which firms should be prepared, and how can these be prevented?
Common types of cyberattack
The methods used in cybercrime are extremely varied but they generally fall into two categories: (i) technical hacks which aim to break into a computer system using software and (ii) social engineering which manipulates humans to access data. Some of the most common cyberattacks include:
DDoS. Distributed Denial of Service (DDoS) attacks seek to disrupt websites and online services. Multiple compromised computer systems – often infected by a Trojan – overwhelm a website with traffic. During a DDoS attack, servers are flooded with messages, connection requests or malformed packets, causing network services to slow down or even crash and shut down entirely.
Brute force cracking. Cybercriminals attempting to gain access to encrypted data sometimes use software programs which make continued efforts to find the correct password. This trial and error technique methodically proceeds through all possible combinations of characters in sequence until it succeeds. In general, the longer and more complex a password, the more time consuming it will be for a brute force crack to succeed.
Phishing. Most people have encountered phishing while checking their email. Descended from the classic “Nigerian Prince” email scam of the late 90s, phishing attacks generally attempt to extract financial or security information from unsuspecting individuals, or to install malware on their computers. To appear legitimate, the emails dress themselves up in the livery of a trusted company or bank and attempt to disguise their originating email address. Phishing exercises generally cast the net wide (just like fishing) and expect to hook only a tiny fraction of the recipients. A much more targeted variant is spear phishing, where an individual or select group is sent far more personalised emails purporting to come from a known individual (such as a friend or colleague).
Insider threats and social engineering. Even with the most sophisticated technical security protection in place, companies are still full of soft targets – their staff. Social media presents ways for hackers to trick, manipulate or blackmail employees into releasing company security details or sensitive data. Furthermore, disgruntled employees may decide to leak data or sell it on the Dark Web.
Malware, spyware and ransomware. Malware is the umbrella term for malicious software which is installed on a computer system or device without the user’s knowledge (eg via phishing). The NHS cyberattack in 2017 was the result of ransomware (a type of malware) which locked up computers that had not been patched and demanded payment to unlock them. Malware may instead take the form of spyware which, rather than locking up a device, quietly collects sensitive data (eg passwords captured by keylogging software).
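The phishing paragraph above notes that such emails dress themselves up as a trusted company and disguise their originating address. The following added example (not code from the article) shows three header checks a mail filter can apply to spot that disguise: an envelope sender (Return-Path) that does not match the visible From domain, a Reply-To pointing elsewhere, and a display name that borrows a brand whose genuine domain is known. The two messages and the trusted-domain mapping are constructed for the illustration.

```python
"""Flag sender-disguise patterns in e-mail headers (added educational example;
the messages and the trusted-domain mapping below are constructed assumptions)."""
import email
from email.utils import parseaddr

# Assumed: brands the firm expects mail from, with their genuine domains.
TRUSTED_DOMAINS = {"examplebank": "examplebank.com"}

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender(raw: str) -> list:
    """Return findings describing sender mismatches in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    findings = []
    # 1. Envelope sender (Return-Path) differs from the visible From domain.
    ret_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if ret_dom and ret_dom != from_dom:
        findings.append(f"return-path domain {ret_dom} != from domain {from_dom}")
    # 2. Replies would go somewhere other than the apparent sender.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} != from domain {from_dom}")
    # 3. Display name borrows a trusted brand but the address is not that brand's domain.
    for brand, genuine in TRUSTED_DOMAINS.items():
        if brand in name.lower().replace(" ", "") and from_dom != genuine:
            findings.append(f"display name claims {brand} but address domain is {from_dom}")
    return findings

# Constructed messages: one imitating a bank, one genuine.
PHISH = """Return-Path: <bounce@mail-campaign.example.net>
From: "Example Bank Security" <alerts@examplebank-secure.co>
Reply-To: <support@examplebank-secure.co>

Please log in to verify your details.
"""

GENUINE = """Return-Path: <alerts@examplebank.com>
From: "Example Bank" <alerts@examplebank.com>

Your statement is ready.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("genuine", GENUINE)):
        print(label, check_sender(raw) or "no findings")
```

Header checks of this kind are a heuristic layer; they complement, rather than replace, SPF/DKIM/DMARC validation done by the mail gateway.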
Legal consequences of cyberattacks
The main risks of becoming a victim of hacking concern breach of data. This has several legal implications, including:
DPA fines. The fifth principle of the Data Protection Act (DPA) requires that data controllers take “appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” – this includes taking steps to avoid a cyberattack which results in a data breach. The ICO can currently fine companies which fail to comply with the DPA up to £500,000.
GDPR fines. The General Data Protection Regulation (GDPR) comes into force across the EU from 25th May 2018. It increases maximum fines for data breaches to €20 million or 4 per cent of annual global turnover, dwarfing the current fines under the DPA.
ICO investigation. As well as being fined, businesses which suffer a data breach will potentially be investigated by the Information Commissioner’s Office (ICO).
SRA enforcement action. As well as the data protection rules which apply to all businesses, law firms also have an obligation to keep client information confidential (Rule 4 of the SRA handbook). Failure to implement sufficient cybersecurity measures can open them up to enforcement action from the Solicitors Regulation Authority (SRA).
As well as the legal consequences of failing to protect client data, firms which fall victim to cybercrime will also suffer damage to their reputation, potential loss of clients and future business. Furthermore, any damage to IT infrastructure can cause significant disruption and loss of productivity, particularly for firms which have adopted agile working.
Preventing cyberattacks
Preventing IT systems from being compromised is largely a matter of being aware of the risks and using common sense to avoid devices becoming exposed to unauthorised access. Some of the key measures include:
Auditing. Assessing your data security and detecting potential vulnerabilities is the first step.
Applying patches. Basic cybersecurity hygiene can avoid many potential cyberattacks. Updating systems and applying patches can often prevent malware entering the network – as was demonstrated by the NHS attack.
Encrypting data. Data which has been encrypted is less at risk of being exposed as a result of a system hack, since an attacker who copies it still needs the key to read it. GDPR acknowledges the benefits of pseudonymous data (such as data which has been encrypted) by relaxing the rules in respect of this data.
Cloud infrastructure. Moving away from legacy in-house IT systems to a cloud provider can enhance security in several ways:
- The cloud provider will be responsible for automatically updating software and applying the latest security patches.
- Providing staff with access to a collaborative cloud computing environment means that employees can avoid transferring sensitive files and data via email or USB sticks.
- Any potential insider threats can be better monitored with the use of auditing software; individual logins track access to sensitive files and other activity.
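As an added illustration of the auditing point above (not code from the article or from any particular product), the script below reads a constructed file-access audit log and flags users who touch an unusual number of distinct sensitive files in a day or who access sensitive files outside office hours. The log format, the thresholds and the office-hours window are assumptions made for the example.

```python
"""Flag unusual access to sensitive files in a file-access audit log.
Added educational example; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one line per file access as an auditing tool might record it.
SAMPLE_LOG = """\
2018-03-02T09:14:11 user=jsmith action=read file=/clients/acme/contract.docx sensitive=yes
2018-03-02T09:20:43 user=jsmith action=read file=/clients/acme/notes.txt sensitive=no
2018-03-02T23:05:02 user=tbrown action=read file=/clients/acme/contract.docx sensitive=yes
2018-03-02T23:06:17 user=tbrown action=read file=/clients/beta/settlement.pdf sensitive=yes
2018-03-02T23:07:40 user=tbrown action=read file=/clients/gamma/will.pdf sensitive=yes
2018-03-02T23:08:55 user=tbrown action=copy file=/clients/gamma/will.pdf sensitive=yes
2018-03-02T10:02:30 user=akhan action=read file=/clients/beta/settlement.pdf sensitive=yes
"""

MAX_SENSITIVE_FILES = 2      # assumed: distinct sensitive files per user per day before alerting
OFFICE_HOURS = range(8, 19)  # assumed: 08:00-18:59 is normal working time

def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_anomalies(log: str) -> dict:
    """Return {user: [reasons]} for users whose sensitive-file activity looks unusual."""
    files_by_day = defaultdict(set)   # (user, date) -> distinct sensitive files touched
    after_hours = defaultdict(int)    # user -> sensitive-file events outside office hours
    for line in log.splitlines():
        rec = parse_line(line)
        if rec.get("sensitive") != "yes":
            continue
        files_by_day[(rec["user"], rec["ts"].date())].add(rec["file"])
        if rec["ts"].hour not in OFFICE_HOURS:
            after_hours[rec["user"]] += 1
    alerts = defaultdict(list)
    for (user, day), files in files_by_day.items():
        if len(files) > MAX_SENSITIVE_FILES:
            alerts[user].append(f"{len(files)} distinct sensitive files on {day} (limit {MAX_SENSITIVE_FILES})")
    for user, n in after_hours.items():
        alerts[user].append(f"{n} sensitive-file events outside office hours")
    return dict(alerts)

if __name__ == "__main__":
    for user, reasons in find_anomalies(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```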
Training staff. One of the biggest threats to IT security lies in “soft targets” – employees and contractors with access to key systems. Comprehensive and regularly updated cybersecurity and data protection training should be provided to all internal and external staff.
Further reading
Cyber Training 365: The Big Cyber Threats Breakdown
TechTarget: Network security
Infolaw: GDPR – beyond the panic
LexisNexis: Cyber-security and cybercrime – overview
NAO: Investigation: WannaCry cyber attack and the NHS
Alex Heshmaty is a legal copywriter and journalist with a particular interest in legal technology. He runs Legal Words, a copywriting agency in Bristol. Email alex@legalwords.co.uk. Twitter @alexheshmaty.
Image: Data security breach cc by Blogtrepreneur on Flickr.