Last week’s cyber attack on a law firm representing Uber is a reminder that law firms are very much part of the “supply chain” that can be used to attack a target business, writes Annie Haggar.
Law firms don’t normally think about themselves as part of a business’s “supply chain”. As professional advisers, we traditionally put ourselves in a little box off to the side. We are brought in when strategically necessary, bringing our specialist expertise, and like to think of ourselves as “trusted advisers” but not part of the fabric of the client’s business. We don’t, after all, provide inputs to manufacturing processes or sell widgets.
However, last week, it was announced that Uber’s third major breach in six months was caused by one of its law firms being hacked, exposing the personal details of the company’s driver network. A classic “supply chain” attack.
I have spent a lot of time thinking about supply chains. I led the global legal team supporting the partnership and supplier networks of one of the world’s largest companies. Each and every one of those thousands of suppliers was a potential source of a cyber attack. What we knew about their cyber security, what security measures we could expect them to have in place, and what assurance we could ask them to provide was a really important part of the risk profile my team helped to manage.
In the world of cyber security, law firms are very much part of the “supply chain” that can be used to attack a target business. Threat actors don’t see “advisers” differently from “suppliers”. They see a source of highly valuable information, sitting outside the business’s secure corporate network, and therefore easier pickings.
Pause for a minute and think about the information that your firm holds about your clients. For commercial and corporate firms, you hold information about IP yet to be registered and protected, projects to develop and launch a new industry-changing product, plans to acquire another business or sell off part of the company, and bids for major tenders, with key financial information that could give a competitive edge to another bidder.
For family law firms and community law, the picture can be even more troubling. The data you hold may not be valuable to “traditional” threat actors — but if accessed by the other side (perhaps a violent partner), it could put your client’s safety at risk. You know, as well as I do, this is just a small sample of what law firms hold.
Law firms must stop thinking about threat actors as guys in hoodies in dark rooms somewhere on the other side of the world who would have no interest in your little firm. It has been possible for some time to pay threat actors to undertake a hack on your behalf, so you require no technical skills. This might be an attractive option to a business wanting to find out what its biggest competitor is up to (corporate espionage). However, the availability of artificial intelligence (AI) like ChatGPT makes it even easier to run a cyber attack. While the platform has some “restrictions” on executing “bad commands” like “give me code to launch a cyber attack”, if you ask the questions the right way, you can still get step-by-step instructions on how to create one. You can also get a perfectly written phishing email asking to change bank account details, with none of the hallmarks of old-style phishing (no spelling or grammatical mistakes). I created one for a group I was training last week in 10 seconds.
The upshot of this is that your assessment of who might be targeting your business, and how, needs to consider not just traditional threat actors but also anyone who might hold a grudge against you or one of your clients or see value in the information you hold. Law firms have been the target of supply chain attacks for some time, and yet we seem remarkably slow as a profession to be taking active steps to upskill and train our people, change our behaviours, and increase the firm’s technical protections. Our clients are working hard to improve their security and are now facing regulatory consequences if they don’t. All the while, their “trusted advisers” are quickly becoming the weakest link in their supply chain.
While the “business” of a law firm will always be providing quality advice to clients, partners and boards of firms need to have the security of the firm high on their agenda, ensuring that the risk management program of the firm includes prompt technology patching, training of staff and other standard security “hygiene” practices.
Law firms are increasingly using technology to support their practices and collaborate with clients — as they should. However, these technology solutions each come with their own set of risks and vulnerabilities. The due diligence system you use to access documents for your client’s takeover bid holds extremely sensitive information and also provides a whole other set of vulnerabilities to your firm’s IT network. For example, the Allens breach in 2021 was a breach of the file-sharing system used by the firm — Accellion. As you start to adopt these technologies, you need to be asking about their security as part of your own due diligence.
A culture of security must also become part of the culture of every law firm and be led from the partnership. I have worked with many partners who are proud “technology luddites”, refusing to use unique passwords and actively resisting the implementation of security measures like multifactor authentication because it’s “all too hard”. This attitude then infects the security culture of the firm. This might have been excusable in the past but not in 2023.
What is at stake? To name a few of the consequences: fines for breach of data privacy laws, reputational damage and loss of trust (and likely loss of clients), and, increasingly likely, an investigation by the Australian Securities and Investments Commission (ASIC) and consideration of professional misconduct by the profession’s regulatory bodies.
What should firms be doing to uplift the security of their practice and become a “strong” link in their client’s supply chain?
- Understand what data your firm holds, where it is held, and how it is protected. You can’t protect what you don’t know you have or where it is. Is there a culture of saving documents to your laptop’s desktop? Or USBs? In small firms, is it all on a server in a cupboard that hasn’t been patched in recent memory?
- Set security policies for your firm and enforce them when they’re not followed (including where there is a partner doing the wrong thing). For example, multifactor authentication on everything, unique passwords, no portable media (e.g., USB drives) unless encrypted, no family use of work devices, and no BYOD.
- Get good IT support, and line up specialist incident response support on retainer for when your firm suffers a breach. You want to know who to call — not be googling who might be able to help once the breach happens.
- Train your people. Your people, from your admin staff to your executive, are some of your weakest links. It doesn’t matter if you are fully protected on the technical side if your teams can’t spot phishing attacks.
- Practise your incident response plan. Like your fire drill, you should be practising your cyber emergency plan regularly. Your IR plan is more likely to be put into practice than your fire plan.
If you don’t know where to start — get some help.