Staying cyber safe
Knowing how to stay safe online while working remotely is vital to reduce the cyber risk, as Peter Wright explains
March 2020 was the month we became home workers.
Law firms, departments and teams that were used to sitting in relatively close proximity to each other are now dealing with the new reality of social distancing, seeing each other on video conference calls rather than catching up at the coffee machine or in face-to-face meetings.
Resistance to the concept of working from home, felt by many in the legal profession, melted virtually overnight. Like it or not, we really have all been ‘in this together’; facing a new reality of working from our home offices, or more likely for the majority of us – the kitchen table, living room or any other small space where we might be able to work for a little while without interruption from pets, children, spouses or other beloved family members with whom we have found ourselves sharing this broader social solitude.
Tools of the trade
The tool of the lawyer working from home in most instances has been the laptop. In recent years, the laptop has found itself side-lined in favour of sleeker devices such as tablets, with the Microsoft Surface Pro and iPad being embraced by many sectors.
However, given our profession’s ongoing addiction to email, lawyers need a device with a suitably robust keyboard for bashing out large volumes of text. Neither the lightweight keyboards of tablets nor the virtual keys on the screen lend themselves to the kinds of industrial use that lawyers tend to subject them to.
Tablets are fine on the train or for balancing on your lap at a conference, but less practical for producing a lengthy report while under a pressing deadline. The laptop allows for frequent video calls, producing heavy duty documents as well as editing and formatting them; and for accessing case management, practice management, human resource, time recording and accounts packages – the bread and butter for the lawyer beavering away out of the office.
If we have these tools available remotely, we can be pretty much as productive outside the office as we would have been while in front of our desks at work. But are we as safe from being exploited by cyber-attacks? Regrettably, the answer is: ‘No’.
Hackers have capitalised on the fact that the majority of the workforce is working at home using home Wi-Fi and personal devices that are not designed for the sort of mass intensive use they have had to handle during the lockdown.
The legal profession’s email addiction continues to leave us more vulnerable than most sectors of the economy to exploitation by the phishing email. These attempts to encourage recipients to click on malicious links or provide confidential information have become increasingly sophisticated and targeted during the lockdown.
The volumes of scam email traffic out there have been staggering. In April Google disclosed that it was blocking over 18 million coronavirus-themed scam emails every single day, and these represented less than one in five of the 100 million general phishing emails targeting Gmail accounts every day.
Meanwhile, UK Action Fraud reported a 400 per cent increase in coronavirus-related fraud reports in March 2020 alone. Examples include messages asking for donations to the World Health Organisation (WHO) or the NHS to help the relief effort. Other phishing emails impersonated government support packages, encouraging business recipients to follow links in the belief that they would be able to access government-backed loans, grants or furlough schemes.
Phishing does not only occur on email. Business platforms such as LinkedIn have seen huge spikes in their daily usage from workers accessing it to network online as a substitute for the workplace. However, can you be sure that everyone you meet on LinkedIn and other platforms really is genuine? Never accept a connection request from someone that you don’t know, because if you subsequently engage in a conversation on LinkedIn messenger, who knows what you might be at risk from.
One scam involves users receiving connection requests from hackers posing as recruitment consultants. Once connected, they contact the user and flatter them, saying they have been headhunted for a prestigious role. The hacker then sends a spreadsheet as an attachment on LinkedIn, asking the recipient to confirm certain pieces of information.
The spreadsheet contains various macros that need to be enabled, and once it has been downloaded and the macros enabled, the spreadsheet can potentially provide the hacker with access to the machine. This makes it possible to hack into the network and business systems, or simply to install some ransomware and lock the machine, demanding a ransom payment in Bitcoin in return for unlocking it.
The beauty of this method of delivery is that it circumvents all of the sophisticated cyber-security systems that might be in place on your business email, or even (as described above) on a Google account – giving the hacker an unprotected back door to potentially access a system. Many organisations have now banned LinkedIn access or, at least, LinkedIn messenger from their systems in an effort to minimise this risk.
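As an added illustration of how a firm can screen such attachments before anyone is asked to ‘enable content’ (this is example code written for this article, not something from the original text): a macro-enabled Office spreadsheet is a zip package that carries an `xl/vbaProject.bin` part and a macro-enabled content type, so an attachment filter can flag it whatever the file extension says. The two sample workbooks are constructed in memory for the demonstration and are not real Excel files.

```python
import io
import zipfile

# Fixed OOXML part name and the content type Excel writes for .xlsm workbooks.
VBA_PART = "xl/vbaProject.bin"
MACRO_MAIN_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = (
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
)


def classify_attachment(data: bytes) -> str:
    """Classify spreadsheet bytes as 'macro-enabled', 'no-macros' or 'not-ooxml'.

    Two independent signals are checked: the presence of the VBA part and the
    declared content type. A renamed .xlsm still contains vbaProject.bin even
    when its extension claims to be a harmless .xlsx.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if VBA_PART in zf.namelist():
                return "macro-enabled"
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_MAIN_TYPE in content_types:
                return "macro-enabled"
            return "no-macros"
    except (zipfile.BadZipFile, KeyError):
        # Not an OOXML package (legacy .xls, or not a spreadsheet at all):
        # report it so a quarantine rule can treat it separately.
        return "not-ooxml"


def build_sample_workbook(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-shaped package for testing (not a real file)."""
    main_type = MACRO_MAIN_TYPE if with_macros else PLAIN_MAIN_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/xl/workbook.xml" ContentType="{main_type}"/></Types>',
        )
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Constructed placeholder standing in for a compiled VBA project.
            zf.writestr(VBA_PART, b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(classify_attachment(build_sample_workbook(flag)))
```

A mail or upload gateway would run `classify_attachment` on every spreadsheet before delivery and quarantine anything reported as macro-enabled for review.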
Be careful of oversharing on social media. Some users have found themselves victims of assault and burglary in real life as a result of having inadvertently disclosed where they lived, where they worked, the rough time and method of their commute or details of travel they would be undertaking.
Depending on your privacy settings and the platform, information in a profile or in statuses and photographs can easily be found by undertaking general searches. Even IT staff should be discouraged from oversharing details of their roles and the projects they have worked on. I have seen many detailed professional profiles that detail exactly which security systems staff have implemented across their organisations, providing hackers with helpful information to allow them to plan their attacks in a way that will circumvent the systems that have been deployed.
Due to the heavy reliance lawyers have on remote access to case management and other related systems, the National Cyber Security Centre (NCSC) has been pushing the legal sector to ensure that all systems have two-factor or multi-factor identification (MFID) enabled where possible. You might be familiar with this from accessing your online banking. Your bank will have provided a keypad or other device that generates an additional code to be entered alongside the traditional email address and password in order to access a system.
This technology is now available on the majority of systems by the simple expedient of sending an SMS text message with an access code to a previously nominated mobile phone number. Those who are familiar with the HM Revenue and Customs website will recognise the method. However, MFID is often not enabled by default, so make sure that it is in operation where possible.
Will it guarantee that hackers cannot get in? No, but it does make their job more difficult, and they may switch their attention to less robustly defended accounts and systems as a result.
Don’t forget that the majority of cyber attacks are actually automated, undertaken by artificial intelligence (AI) driven tools that probe for a vulnerability. When they see that higher security measures are in place they will rapidly move on to the low-hanging fruit of less secure systems. The mental image of the hacker as a highly skilled and experienced operative is largely a fiction, with many sophisticated hacking tools now readily available for sale to anyone on the dark web for less than $20.
Be aware of the risks posed by certain systems. The free version of Dropbox remains a ‘no’ for business activity, as does WhatsApp. The new threat in 2020 has become Zoom. I have been advising clients against the use of Zoom for the delivery of legal services for several years, but the massive expansion in its use created by the lockdown has also meant a far greater level of scrutiny.
The problems with the system are many but include user personal data being shared with Facebook (even if the user has no Facebook account); scraping user data from LinkedIn and sharing it with other participants on the call; a lack of encryption (despite having assured its own investors in 2019 that the system was end-to-end encrypted); encryption keys for calls being routed through a server in China (even if none of the call participants are based in China); and the phenomenon of ‘Zoom bombing’ where uninvited participants enter calls and disrupt proceedings.
As a result, the use of Zoom has been banned by the German, Taiwanese and Australian governments, the US Senate and SpaceX – even Google has discouraged its staff from using it. Zoom also continues to face multiple class actions from users, privacy groups and even its own shareholders.
Consequently, law firms should not be using it for the purposes of delivering legal services to clients. Microsoft Teams represents a more secure option, as does Skype for Business.
Thankfully, there are plenty of sources of help and guidance available to firms and lawyers. The Law Society has been updating its practice notes, including the Protecting Your Firm If You Fall Victim To A Scam note which has been updated with coronavirus-specific guidance.
Other practice notes provide more general support on cyber security and law tech. UK Action Fraud also provides regular news and updates, while the NCSC has produced a plethora of guidance and tools. Alongside a detailed report on cyber threats to the profession, it produces a weekly threat report.
NCSC has also produced an innovative ‘exercise in a box’ that teams, managers, directors and partners can all use to simulate a cyber attack on their organisation and plan how they would respond.
By visualising being at the very centre of an attack and how they would cope, decision makers can identify the appropriate measures that should be taken, and ensure that they plan to provide adequate resources and reduce risks, in the hope of preventing the worst from happening.
Peter Wright is the author of the Law Society Cyber Security Toolkit and managing director of Digital Law digitallawuk.com