Cyber Crime

When Hackers Rummage Through The Files: Cyber Security For The Legal Practice

Cyber crime has increased dramatically internationally. For some time now, authorities have seen a shift of crime to the internet. The targets of the attacks are primarily companies, and hence also corporate legal departments and law firms. Since attacks come not only from the outside but, on the contrary, most of the time from within, decision-makers should actively deal with these risks, says Thomas Brox (Managing Director of networker, solutions GmbH).

Mr. Brox, industrial espionage is behind many cyber attacks and primarily affects research and development of companies. Are cyber attacks even relevant for corporate law firms or corporate legal departments?

Brox: Well, when I think about the best way to get into a company as a hacker, I use the weakest points. That, for instance, applies to law firms which are connected to their clients via networks in relation to transactions. If this law firm then has weaknesses in its IT structure, the hacker comes to its client through that back door.

Which weaknesses do you mean?

Brox: Routers are popular barn doors. For example, via the portal Shodan you can locate routers or other devices that do not have a password. So you can use it to search in a targeted manner for devices that do not have a password despite software updates. By entering these devices, the hacker can then virtually penetrate the law firm.

Does that not attract attention?

Brox: That’s exactly the problem in practice. Attacks are often not detected at all or far too late. This requires so-called intrusion detection systems, which use heuristics to detect whether someone is on the system and then report suspicious movements. Forensic scientists then check whether there has actually been an attack and what needs to be done. Unfortunately, hackers have also become smarter in the meantime and move quite carefully in the systems. Especially if so-called legacy systems are available, the hacker has an easy time.

What can happen if the hacker has entered the law firm or legal department via the router?

Brox: Hackers can look around undisturbed in the database, in the digital files of the law firm and can also inspect the email server and retrieve client data. They can paralyze digital business operations, block access and delete data. Once the data has been extracted, it is encrypted thereafter. In order to decrypt the data again, you have to pay ransom. In addition, you also have to pay ransom to prevent the data from being published on the darknet. This is called double extortion. As proof, some confidential information is disclosed via the internet. Hacker attacks can therefore cost not only money, but also reputation.

But you can protect yourself against attacks through firewalls and external service providers…

Brox: If you use intrusion detection systems or data loss prevention systems, this is certainly a good protection. However, you have to know about those tools and whether your own service provider makes use of them. In addition, more than 60 percent of attacks do not come from the outside, but from the inside of the network. And then the best firewall is useless.

What does it mean from the inside?

Brox: An attack from the inside can happen consciously or not. That’s exactly the point. Attacks that are not conscious are those where the employee is used as a gateway to the company, e.g. by clicking on a contaminated attachment of an email or by being asked for login credentials (e.g. M365) on a phishing site. Conscious outflow happens if an employee intends to harm the company or engage in factory espionage.

What is recommendable in such cases?

Brox: In general, corporate law firms and legal departments should also introduce clear rules and procedures with regard to cyber security. This also includes training of employees, restrictions on permissions, secure passwords via policy, multi-factor authentication, especially for administrator accounts, and regular installation of security updates.

Can you give some examples of such rules?

Brox: Hard drives should generally be encrypted, because targeted thefts of laptops on public transport are not uncommon. And if the hard drive is not encrypted, an attacker will have the data from the hard drive within two minutes even if the account is password protected. Privacy filters (privacy screen protection) should be used in public areas, otherwise there is a risk of data leakage by so-called shoulder surfers. Additionally, as a law firm manager or general counsel, I have to make sure through a so-called incident response that the systems can be decrypted again, and have an emergency plan which defines what needs to be done in the event of an attack. This can be covered by Governance Risk Compliance or Incident Response Readiness consulting.

You surely refer to the management’s duty of care in the event of a data leak…

Brox: Exactly. According to the General Data Protection Regulation, personal data breaches must be reported to the authorities without undue delay and at the latest within 72 hours after the breach became known. To do this, however, the data breach must first be recognized. And if no precautions have been taken, gross negligence is not far away.

What can corporate law firms and legal departments do?

Brox: The cheapest way is to make backups that are protected against attackers' access and to test whether a restore works. In addition, a contingency plan should be established on how to handle the backup. On the HR side, awareness training and a clear set of rules are essential. For example, most of the employees do not know how to deal with suspicious emails, while about 80% of successful attacks are carried out via email. Last but not least, precaution and proactive education are a good first step towards more cyber security.