This article was originally published by Today's General Counsel
At the tail end of 2016, seven law firms discovered that their systems had been hacked. The result? Insider trading deals that amounted to more than $4 million in profits, carried out by three Chinese nationals who, through installed malware, accessed the emails of notable law firm partners working on prominent mergers and acquisitions.
Among the deals exposed, the hackers made trades involving Pitney Bowes Inc. and Intel Corp. While the US indicted these individuals with federal fraud charges, the damage'insider trading along with conspiracy and intrusion'had been done. Furthermore, the hacking incidents have left a black mark on the reputations of the individual law firms involved.
It goes without saying that legal professionals guard some of the most valuable pieces of information for companies. This recent hack, where basic malware was able to infiltrate some of the most well guarded firms, is a serious wake up call for all companies to take another look at their security practices.
Here are the things you need to know about in the wake of the Chinese hacking scandal, and ways to better protect, and prevent, a similar event from occurring within your organization.
Under-the-Radar Risks In Your OrganizationAccording to the Ponemon Institute's State of Malware Detection & Prevention study, companies are lacking in ability to prevent and handle malware and other advanced threats. 'Only 39 percent of respondents rate their ability to detect a cyber attack as highly effective, and similarly only 30 percent rate their ability to prevent cyber attacks as highly effective.'
While the latest technologies and safeguards can protect against certain advanced threats like denial of service (DoS), cross-site scripting (XSS), SQL injection attacks, man in the middle attacks, malware and more, there are fundamental under-the-radar risks that can be just as costly if successfully executed.
Internal LeakCompanies spend millions guarding against external threats, leaving internal ones vulnerable. At times, internal threats can be more devastating, especially if there is malicious intent. Make sure to set up policies and permissions for each employee in the company, from the C-suite down to contract workers.
In addition, don't forget that third party vendors and outside partners have access to incredibly powerful pieces of data, and sit outside of company firewalls. Have security teams monitor for suspicious behaviors from all access points and set protocols in place to prevent and/or quickly mitigate any leaks that occur.
Human ErrorHackers aren't the only ones behind cyber attacks. In fact, many recent studies have cited both human error and lost/stolen mobile devices as the leading causes of data breaches. As more and more employees work remotely and from their own devices'particularly senior-level executives who travel frequently'it's essential to create or update policies that cater to the modern, mobile legal workforce. This should include the basics like using a protected Wi-Fi and using a secure collaboration portal to share/review documents.
Further, we are seeing more and more that the insecure work habits of executives in particular are putting companies at risk. Diligent recently examined the use of free email service providers (ESPs) for business purposes. The research revealed that among the enterprise elite'US board members'more than 30% of are using a free ESP to conduct board-level business. A breakdown of the most frequently used ESPs includes:
- Google ' 44%
- AOL ' 17%
- Yahoo! ' 9%
- Comcast ' 7%
- Others ' 23%
Best Practices to Secure the Organization
1) Survey, Educate and RewardTo guard against human error, employees must be aware of and held accountable for company protocols. This is particularly important in areas outside of legal/finance, security and IT, where employees are further removed from security strategy and implementation. In order to understand potential gaps in knowledge, it is important to survey employees through town halls, conduct impromptu check-ins and evaluate their success in performance reviews. Through these assessments, managers can determine if there are disconnects, where additional education needs to be provided, and how to best allocate budgets to prepare for points of vulnerability.
Ongoing education and training is critical to ensuring all employees understand the policies required to uphold the organization's security standards. In an age where hackers will try anything to gain access to private systems and confidential data, one-time or infrequent trainings on a company's security protocols and procedures is highly ineffective. Often times, companies will review security best practices as part of a new hire orientation, or hand out written policies via an employee manual, and then never follow up.
Any company that seeks to have a strong security culture must not only offer robust trainings to all employees'including the c-suite and directors'but also encourage professional development opportunities tailored to employees' unique focus areas. In addition, consider having mandatory quarterly trainings for all employees. This enables your security team to share the latest best practices, discuss evolving threats that the business could face and how to respond, and provide refreshers on the basics.
Lastly, it is important to incentivize employees, keeping them motivated to follow protocols and hold their teams/peers accountable for doing the same. For example, while the executive/finance teams may be more motivated by a company's financial performance or brand reputation, first year attorneys and those on the front-line of defense, may be motivated by career advancement or new job responsibilities. In this case, rewarding security-minded actions as part of one's performance review could be one solution that both encourages participation, as well as reduces real security vulnerabilities the business faces.
2) Establish IoT and Mobile ProtocolsTop tech giants have recently predicted massive adoption for IoT and workplace mobility. 'Intel claims that the number of connected devices could surge to 200 billion by 2020, up from 15 billion in 2015. Cisco and Microsoft have both predicted 50 billion devices will be connected to the Internet by 2020.'
This influx of devices could lead to an exponential risk for firms, especially as the average digital user today owns about 3.64 connected devices. In this case, companies must consider a few factors:
- Keep in mind the variety of devices out there and guard for as many as possible, starting with the most popular. No longer are employees only using smartphones or tablets, but today, smart TVs, watches, cars, as well as biometric systems and intelligence sensors are increasingly being used for work purposes.
- Since employees are bound to use personal devices for work purposes, establish the proper protocols via refreshed BYOD policies to address it. Be extremely clear on what devices/actions are allowed, what is prohibited and clearly outline consequences should an employee violate the policy.
- Lastly, perform due diligence checks on device/product manufacturers to ensure they align with your organization's security posture. If the manufacturer is not up to standard, do not allow employees to use them for work purposes. Modern malware such as Mirai, which brought down Dyn, specifically and successfully targeted IoT devices running Linux, turning them into controlled 'bots' that were then used for larger network attacks.
3) Follow the Letter of the LawA past ALM Legal Intelligence report found that almost 33 percent of law firms have not performed formal privacy, security and information assessments. In addition, about 33 percent of firms surveyed do not hold cyber liability insurance policies. This not only raises the stakes should a firm face a breach or hacking incident, but could severely impact their ability to remain compliant with industry regulations, such as:
- Financial data and PCI DSS ' The Payment Card Industry Data Security Standard sets security requirements for businesses that store, process or transmit cardholder data
- WIPO ' Created by the UN, the World Intellectual Property Organization details regulations on the promotion and protection of intellectual property
- NCSL ' The National Conference of State Legislatures Cyber Security Task Force promotes legislative discussion on cyber security; A number of states have already enacted security breach protection and notification laws
- HIPAA ' The Health Insurance Portability and Accountability Act sets standards for the privacy and security of health information and data
4) Apply the Right TechnologyWhile there is no question that innovative technology solutions are essential to help companies close security gaps, it's equally important to ensure that the right solutions are applied.
Referring back to the ESP data usage findings noted above, given the highly sensitive information handled at the board-level, more secure technology is necessary to protect confidential information and conversations. The right tool can help securely manage data, control access and authorization as well as assist in compliance reporting.
Breaches and hacking can originate from any place in the organization. Thus, it's essential that companies take a closer look within individual business lines and determine which solutions will be most effective to mitigate major risks.
ClosingThe exponential surge in cyber threats alongside the growing sophistication of techniques employed by hackers has made security a top priority for organizations today. Organizations that create and reinforce a security-minded workplace culture as well as implement proper technologies and protocols to enforce it will thrive.
Today's General Counsel is the only award winning business law resource to address the information needs of General Counsel, CEOs, CFOs, and other C-Level decision makers. It's marketing reach and database includes over''275,000 unique names of both in-house attorneys and those in private practice.