Stuart McKenzie, one of our Senior Consultants, presented on 'targeted attacks and the legal sector' at Securing the Law Firm on the 29th January.
To provide further insight into our discussions on the day, please find below a short abstract written by Rob Sloan, Head of Response:
No sector has been immune from the targeted attacks which have changed the IT security threat landscape over the last few years. Cyber criminals have certainly become more sophisticated, but the main threat of stealthy, high impact attacks against governments and businesses has come from foreign states seeking to gain a political, economic, commercial or intelligence advantage over their competitors. However, these attacks have often been less stealthy than their operators and political taskmasters would have preferred. At the same time, the cyber security sector has matured and increased its detection and knowledge of the sophisticated threats across the business world.
The legal sector is frequently targeted for sensitive data belonging to the firms themselves, but more often for data belonging to their clients. Few firms have been named publicly as having been compromised, but many others have also been affected. And while some of these companies are made aware of these incidents through their own investigations or through industry outreach programmes run by governments, others still remain in the dark.
The legal sector has perhaps been slower than others to address the threats posed, and there are a number of factors behind that. Firstly, law firms have not traditionally been seen as high value targets. While client data is undoubtedly of value, very few attackers other than states are interested in exploiting it, which has led to a general under-appreciation of the risks and under-resourcing of security compared to the banking, defence or high technology sectors, for example. Secondly, while government agencies have good liaison relationships with the industries that form the critical national infrastructure, giving them a channel to pass threat information, legal firms largely fall outside this. Thirdly, as organisations have hardened their network defences, law firms and other data aggregators have become more appealing targets. Finally, law firms often make reconnaissance easy for attackers by advertising their key clients, the projects they are working on and the email addresses of Partners likely to have access to key data.
IT security managers rarely get all of the human or financial resources they require, but the legal sector tends to be one of the industries where the security team is most stretched. Most larger firms do the security basics such as penetration testing very well, and some do more proactive detection of the threats that anti-virus and other traditional security products don't find. But how does an IT department better understand which data is most attractive to an attacker, and how does it protect that data? Global networks make this challenge even harder, as do distributed security teams. How should firms translate IT security risks and threats into changes in business process?
The way ahead is through the creation and implementation of a cyber security strategy which involves stakeholders from across the business rather than solely the IT department. The key is a strategy which the business owns, and which is accepted and actioned by those operating at the highest levels.
The article will expand on these issues and explore how to make strategy a reality and get the support needed to make a difference. Targeted attacks are not an easy problem to tackle, but nor are they impossible to mitigate.
To read the article in full please click here to download a soft copy.