The legal profession as a whole is still playing catch up with other industries when it comes to cyber security, according to an expert from an international law firm.
Speaking to Lawyers Weekly on his recent trip to Australia, K&L Gates director of security and information management, Dave Coughanour (pictured), identified key trends in relation to the legal profession and cyber security.
Throughout his career, Mr Coughanour has worked at a large Pittsburgh-headquartered financial institution, where he ran the full suite of their cyber operations programs. He began his role at K&L Gates after being given an opportunity from the firm’s CIO at the time to take over all of both the physical and information security operations for the firm globally.
This, coupled with his work at the financial institution, gave him a key insight into the risk that cyber threats play on organisations of all sizes and areas of expertise.
“Within the legal sector, the absolute biggest trend is – this isn’t meant to sound too negative – but it’s basically playing catch up with other industries,” Mr Coughanour said.
“There hasn’t been a lot of cyber security pressure or regulation in the legal space that I can tell from the last five to 10 years. What we’re seeing now is almost, for lack of a better term, trickled down regulation within the large law firms where let’s say you have a large number of financial clients, the financial clients are now required to have security measures by their auditors and regulators. They’re required to comply with some fairly stringent security practices and policies. They’re also required to assess their third-party suppliers and vendors.
“It was pretty interesting when I came over from a bank to work at a law firm. The actual regulations just seemed to immediately follow me because the banks were taking what they were required to do, and basically modifying it slightly and passing it directly onto their outside counsel. So the client demands are really incentivising the firms to really up their security game, and in the long run, I believe that will be healthy for everyone.”
On a global scale, Mr Coughanour noted that because law firms have had to play catch up with other industries, they are often privy to cyber crime, more so than other client-facing services.
“We’re seeing many other sectors becoming just much faster fish. It’s harder to hack into a bank, it’s harder to hack into a defence-contractor or critical infrastructure company, so hackers are shifting their focus to what they perceive to be the weaker link in the chain, which is why law firms need to ensure their cyber security systems are keeping up with other industries,” he said.
“The trend, which really started in March of last year and has been happening off and on since, has been the targeting of merger and acquisition data held at law firms. That’s information that is very easy to monetise, it can be quite lucrative, and I see that trend continuing for firms that are heavily known for M&A work.”
Other practice areas at risk are any that involve intellectual property, Mr Coughanour said.
“Anyone who has information that could be worth millions or tens of millions of dollars,” he said.
Futhermore, Mr Coughanour said that as the criminal market continues to climb, there will be new challenges law firms need to be wary of.
“Broadly speaking, most of the cyber security issues we’ve seen since at least 2012 have been online crime, basically defrauding people of their money. The actual techniques that are used haven’t really changed significantly in at least the last five years. I’d go as far to say that they’ve been the same for the last decade,” he said.
“While the countermeasures are starting to catch up, and it’s getting harder and harder to run those older scams, there will be a shift to new methods to separate people from their money.
“One of the interesting things that I’ve been noticing is they almost have gotten too good at compromising credit card numbers and personal information; and the bank controls to prevent traditional types of online fraud, like carding and those types of operations, have become less productive. You actually see the cost per record of a breached credit card just plummet.”
Mr Coughanour noted that it’s essential for the profession to “follow the underground economy to get a sense of what is coming after you next”.
“The big thing for 2016, and I guarantee this will go on for 2017 to 2018, is the uptick in ransomware. That’s not going anywhere anytime soon,” he said.
“With that in mind, the biggest risk to the legal sector is really criminal groups becoming hungrier and having to find different targets – and law firms are within that bubble, within that scope, especially with ransomware.
“If you do not have good controls around ransomware, it could be incredibly disruptive to a law firm. It could lead to reputational damage, you could miss filings, and you could lose clients over those types of delays very quickly.”
Mr Coughanour said K&L Gates has combatted the risk of cyber threats by installing a standardised security platform globally.
“Therefore, the security of our Australian offices is exactly on par with our US offices and EU offices,” he explained.
He advised other firms to place value on their cyber security measures to avoid any negative repercussions that come with not having a key strategy in place to mitigate the threats.
“This is a little bit anecdotal for obvious reasons because understandably law firms are not that keen to disclose their actual security posture, but I would say as a general trend, larger firms are more secure even though they have a greater surface area, and they have more operations that might come under attack. They have the resources to deploy teams that can actually guard against it,” he said.
“There’s no way that, let’s say a firm of 50 lawyers, would ever be able to field a cyber security team that can match what a bank or a Fortune500 company has.”
When asked what should those at risk be doing to decrease their chances of being subject to cyber crime, Mr Coughanour said “That really depends on what their focus area is, their size and what resources they can bring to the table.”
“The first thing to do is really understand your business and understand who might come after it,” he said.
“There’s no way that you can defend against every possible threat, every possible scenario, unless you have a little bit of context around who might actually try to interfere with your operations.”