At the time of writing, the number of coronavirus cases globally had reached over 2 million, with nearly 127,000 deaths. Nearly a third of all countries are under some sort of restriction, with the majority on lockdown. Across the globe, “non-essential” businesses, including the legal industry, are being told to work from home.
The coronavirus outbreak has already had a major impact on how law firms are working in most developed countries. Chief Information Security Officers in firms are being confronted with a new reality where remote working is par for the course, not for the select few, but for everyone. This dramatic change clearly presents new opportunities for hacktivists, criminal gangs and state actors to get their hands on the abundance of highly sensitive information now being exchanged between home-based lawyers.
Highly skilled adversaries see the growth in home working as an easier way to initially infiltrate a legal firm’s network, because it allows them to focus on the many individual, less secure home environments.
While many larger law firms have quite sophisticated technology and IT systems which allow them to work remotely in a secure way, there are certain cyber security gaps in these systems which hackers will inevitably target. The ICO has made it clear that companies should consider the same level of security measures for home working that they would use in normal circumstances in the workplace.
What are the dangers posed to law firms and their clients during this time?
1. Unprotected Personal Devices
Typically, larger law firms provide a laptop with a “golden build” which has the latest VPN and anti-malware software. However, for some law firms with a traditional legal model, getting licensing and hardware for users to work remotely will present some issues. In these cases employees will be using their own personal devices and communication equipment (such as laptops, tablets and mobile devices), which are unlikely to have the same security measures as law firm devices. With the increasing reliance on third-party applications and services, it is of greater importance that employees implement similar security measures at home in order to protect sensitive client data. For example, the home networks that personal devices connect to are usually not as secure as those in the workplace, creating a clear opportunity for a sophisticated attacker. With more and more employees accessing the organization’s network via unsecured networks, the ability to log and monitor activity diminishes, so it is important that employees are very cautious about the networks they use and the systems they deploy onto their devices from home.
2. Transferring Sensitive Matter-Related Information
In order to work effectively from home, lawyers need access to client and matter information in various ways to allow them to maximize productivity. Some manual backup and storage methods, adopted to ensure the most effective output for the client, pose a great risk of exposing confidential and sensitive data. For example, some employees may send emails to personal accounts with sensitive data attached or may upload data to a personal cloud-storage account. This clearly increases the risk of theft or external exposure, which puts confidential client data at risk. Critical documents must be secured no matter where they are being accessed. While it may seem convenient to have client information saved to personal devices or personal accounts, the risk associated with doing so is not worth it. The exposure of documents and files related to a sensitive matter can have a massive impact on a law firm.
3. Phishing Attacks
Hackers are very aware that a large number of employees are working from home, without peers or information security officers around to remind them that a seemingly friendly email could be a trap designed to lure them into forfeiting data or personal information. Cybercriminals are going to use phishing attacks as their main method of compromising systems over the next couple of months. They send emails purporting to contain important organisation updates or policies associated with the outbreak, requesting that employees validate their credentials or asking them to install software. Once the target does either of these, the cybercriminals have the ability to infiltrate an organisation’s network and systems to steal confidential files and documents, or even obstruct communications between the two parties. Richard Rosensweig, a director in the litigation group at Goulston and Storrs, claims that on average he receives between 30 and 40 emails a day with updates about the coronavirus. Therefore, it would be very easy for a phishing email to slip through and infect all systems and networks. Employees must therefore be more proactively vigilant than ever against coronavirus-related phishing emails.
4. Smart Devices
Leading London law firm Mishcon de Reya LLP released an article highlighting that employees’ confidential phone calls with clients are now at risk of being heard by their smart home devices, such as Amazon’s Alexa or Google voice assistant, and especially cheap knock-off devices. It is suggested that staff must mute or shut off the listening devices altogether in order to ensure that these devices do not listen in on these conversations. Joe Hancock stated: “perhaps we are being slightly paranoid but we need to have a lot of trust in these organisations and devices. We’d rather not take the risks.”
Both Amazon and Google say their devices are designed to record and store audio only after they detect a word to wake them up. However, recent testing by Northeastern University and Imperial College London has found that these devices can activate inadvertently between 1.5 and 19 times per day. This poses a security risk for law firms, especially as very highly confidential data and client communications run the risk of being easily compromised by these two companies. With more and more employees working from home, law firms rely heavily on video conferencing to conduct face-to-face meetings with clients, as well as on phone calls, so they must do all they can to avoid any information being obtained by cybercriminals.
How to protect client information and communications at this time?
- Remind employees of the types of information that it is their duty to safeguard, such as trade secrets, confidential business information, customer information or protected intellectual property.
- Encrypt sensitive information that is stored on or sent from remote devices.
- Train employees on how to detect and handle phishing attacks or other forms of social engineering.
- Use Virtual Private Networks (VPNs) to ensure that internet traffic is encrypted.
- Prompt employees to use strong passwords, especially if multifactor authentication is not implemented for remote network access.
- Advise against the use of public or insecure networks.
- Dedicate resources for targeted monitoring and detection of cyberattacks (including review of logs that might reveal anomalous activity from outside connections).
- Use a compliant secure communications platform for private lawyer-client and lawyer-lawyer interactions.
Law firms possess large amounts of confidential data and, now that they are working remotely, it is important to communicate such information in a safe and secure way. By investing in a closed communications platform, such as Salt Communications, law firms are able to protect information and client communications against cybercriminals. Salt Communications works with law firms globally, providing a secure and safe haven for law firms to communicate confidential and sensitive information about critical events in real time through their award-winning secure communications solution. The Salt Communications platform can also be used to communicate securely with clients with regard to the legal matter at hand, on any network across the globe, while working remotely.
For more information on this article, or to talk to a member of the Salt Communications team, please contact info@saltcommunications.com.
About Salt Communications
Salt Communications, ranked in the top half in the Cybersecurity 500, provides a fully enterprise-managed software solution that enables absolute privacy in mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest of security standards. The Salt Communications Desktop and Mobile apps are intuitive and easy to install and use. The Salt Communications Communication Manager provides a console for tight management of users and can be configured for the management of regulatory compliance. Salt Communications is headquartered in Belfast, Ireland. For more information visit saltcommunications.com.