Cyber Security for Legal Sector?

By :  Atul Juvle
Update: 2021-10-23 06:30 GMT

Some awareness, regular updates, following the outlined processes and continuous monitoring of cyber security practices at regular intervals can be useful to avoid major cyber-threats

The legal sector was taken aback in May 2020 by news of a ransomware attack on a well-known law firm that provides legal services to the entertainment and media industry in the USA. This one example vividly illustrates the need for cyber-awareness and cyber-security in the legal sector. The attack was rumored to involve a hacking group that had previously obtained a huge ransom amount using their REvil ransomware. The group stole 756 gigabytes of sensitive data, which included emails, contracts, nondisclosure agreements, phone numbers and email addresses (1 gigabyte equals approximately 60k+ word pages). Ransomware is the worst form of cyber-attack because it blocks access to an organization's computer systems until a ransom is paid. Meanwhile, the hackers can continue to grab data, which they can threaten to release if the ransom demand isn't met.


With mobile applications becoming common for all activities, including business applications, the importance of cyber security can't be overstressed. The lifeline of the legal sector is its database, which is the basis on which it drafts, defends, files, fights or executes business deals, and that data is often critical and sensitive too. Digital transformation plans will always introduce some element of cyber-risk, and this will continue. No one can offer 100% cyber-security, but awareness and conscious efforts can reduce major bad surprises.

Since May 2018, GDPR and other data privacy legislation have covered law firms as data controllers, because they process and store large volumes of confidential client data. This commercially sensitive information makes them an attractive target for malicious cyber-attacks. It can be used to pressure firms into paying large ransoms or sold on the dark web, and the example cited above confirms the possibility. Cyber-breaches can have an irreparable impact on law firms, with a risk of reputational damage coupled with heavy penalties under GDPR.

The pandemic forced a multifold increase in the use of digital modes of working, which increased the importance of cyber-security further. The majority of businesses were constrained to adopt a digitized mode of working, and the legal sector could not remain aloof. The legal sector was already vulnerable to cyber-threats generally, but with more than 90% of legal activities moving onto digital platforms, it became more vulnerable. Before the pandemic, law firms had the luxury of taking time to carefully consider the implications of new working practices and also had the option of personal meetings and in-person conferences. These options were closed during the pandemic. Further, when governments announced lockdowns in March 2020, law firms were forced to quickly overcome these working obstacles. Ready or not, they were faced with a sudden remote-working test run. Due to the scale and speed of this change, many legal firms have unknowingly introduced critical vulnerabilities into their systems. The majority rushed to maintain 'business as usual' during the pandemic while failing to update their cyber-security or protection.

This shift in working mode from office to work-from-home added to the vulnerability. Unfortunately, hackers are aware of this sudden spike in lax security measures, which creates opportunities for them to exploit. Luckily, we did not see major breaches in the legal sector due to the pandemic, but the past may not guarantee future safety, as the one big cyber-attack mentioned above shows.

All this makes it necessary to be aware of cyber-threats and cyber-security. One need not be a cyber-expert, but everyone needs to be cyber-aware.

The usual points of vulnerability are data storage, online research activities, data transfer, data accessibility / portability and innocent, silly process misses. The vulnerable modes are the work-from-home scenario, technological platforms, intermediaries, storage methods and facilities management. Of these, work-from-home needs more attention and training, as the vulnerability is greater. The mitigation options could be anti-virus locks, encryption, use of VPN, access control etc., along with regular, continuous training and monitoring.

The new digital working options not only provided the advantage of working at one's own pace, but also considerably reduced the cost and time lost in traveling. The new options adopted during the pandemic proved more flexible, with other advantages, and hence were appreciated as better than the previous ones. As lockdowns begin to lift across the globe and activities return to their normal level / mode, law firms need to act swiftly in order to remain cyber resilient. This should involve eliminating security gaps, designing and deploying advanced security solutions, proactively and genuinely identifying critical vulnerabilities, and scaling up training and monitoring activities. It is a known fact that, whatever we do, it's not possible to have a 100% bullet-proof strategy, but one can at least wear a bullet-proof jacket to be safe from the majority of risks.

All these transformations have made it obligatory for each legal professional to know and understand cyber-security in order to prevent a taste of fire. Generally, one is expected to be at least aware of the following ABCDE:

Always properly log out of the online working platform and lock the laptop/desktop when not in work mode. A good number of violations, not from the legal sector but from industry, have shown that not logging out from the internet can expose the system to a third party, who can monitor your activities or steal or even manipulate the data. Hacking becomes easy when systems are open and no one is actively working on them.

Be careful when you click, as it is your consent to risk or reward. Unless one is sure about the source of an attachment, site or new link, one should not click. Please do check the URL or source when going through forwarded information. The ransomware attack mentioned at the beginning was the result of a spam email. A good number of malware infections and cyber-attacks are introduced into systems through phishing emails. Phishing emails are one of the biggest cyber threats. One has to be very careful when handling emails and attachments from unknown senders.

Cyber-security aware and updated. Not expertise, but basic awareness and knowledge of threats, can help reduce risks considerably. Constant communication at regular intervals can be impactful.

Data security / storage / transfer. Make conscious efforts to ensure care and concern while storing / transferring / processing data. Data access should be restricted on the basis of need as well as authority. Confidential / sensitive data handling processes have to be followed religiously, without any exception.

Extra attention while using an unknown or public network. Even unprotected home Wi-Fi is vulnerable to breach. Extra care is a basic need while using a public network. One must check and confirm the security of the network at home.

Some awareness, regular updates, following the outlined processes and continuous monitoring of cyber security practices at regular intervals can be useful to avoid major cyber-threats.

Disclaimer – The views expressed in this article are the personal views of the author and are purely informative in nature.


Atul Juvle is General Counsel, Compliance Officer and Company Secretary, Schindler India & South Asia. Working with the Company since 2014, he is a qualified lawyer and banker who did his post-graduation in Commerce and obtained a Master's in Financial Management. He is a Certified Fraud Examiner (the United States), a CFPCM (the United States), MCiARB, UK and a Mediator. He has three decades of experience spanning five varied sectors - banking, exports, life insurance, agro-based industry and vertical transportation.

Atul is a member of the Advisory Board of the ICFAI Business School, Mumbai (2021-2023), Advisory Council of ACFE, US (2022), Member of CII Regulatory Committee (2018-2022) and ASSOCHAM’s National IPR Committee (2021-2022).

He continues to be part of Forbes India GC-Power list - for two consecutive years - 2020 & 2021. Since 2016, his name has been featured in the Top 100 Powerful General Counsels of India. (The lists are published by different organisations).
