New Zealand Law Society - Cyber-Security: Protecting your data

Cyber-Security: Protecting your data

This article is over 3 years old. More recent information on this subject may exist.

“Information is everything,” Bill Clinton said in the 90s. “We live in a data economy,” acting Government Communications Security Bureau (GCSB) director Una Jagose said last month. You’ve probably heard something similar before, and for no profession is it likely more true than for law.

Law is about information. From databases storing clients’ details, to records of file notes, title searches, online banking, accounting, trust account transactions, internal memos, emails, evidence – almost everything lawyers do rests on the knowledge that essential information exists, is available, and is secure from being accessed by those without authority.

And since the meteoric rise of the World Wide Web lawyers have relied on internet networks to manage and work with information that was once stored snugly in hardcopy in their firm’s back-room filing cabinets.

Today’s information tends to be stored inside vast digital servers and databases, and within the ethereal “cloud” that floats above cyber-space and absorbs much of the information that is generated online.

It’s a lot of information.

Google’s executive chairman Eric Schmidt has remarked that “every two days internet users create about as much information as humanity created from the dawn of civilisation up to 2003” – about five billion billion bytes. That’s a LOT of pictures of cute kittens. It is Hammurabi’s entire code, times a quintillion or so. The full text of Magna Carta wouldn’t even make a ripple in the data pool.

While much internet traffic is innocuous user-generated content – Facebook posts about family holidays, pets and ‘selfies’ (so many ‘selfies’) – more and more commerce is being conducted online, including many of the services and activities of law practices.

“Your data is valuable,” Ms Jagose beseeches. And with value comes risk.

“Connectivity to the internet knows no geographical boundaries, and, accordingly, there is vulnerability.”

New opportunity, new risk

The speed, ease and efficiency of digital business operations has increased opportunities for law firms, for example to find new clients, build professional networks and to work more effectively. But the growing trend to move work and data storage online also introduces risk.

“The internet wasn’t designed with security in mind,” Ms Jagose says.

“The more we are connected to and holding data on internet-facing systems, the greater our vulnerability to attack,” she says.

In 2017 there will be three times as many internet devices as there are people on earth, she says. Nearly two billion people already use the internet as a preferred means of communication.

“The scale and pace of growth is almost unimaginable, and means vulnerabilities are constantly being introduced, protected against, and reintroduced and discovered.

“It’s a scale that offers massive opportunities, both for those who have good intentions, and those who don’t.”

As pickpockets frequent bustling public places to ply their craft, internet-savvy criminals lurk at the edges of organisations’ internet-facing systems in the deepest, dark parts of the World Wide Web, sniffing for security gaps and opportunities to breach sensitive, private data storage systems and networks – like those guarded by law firms.

Dogs will gather wherever butchers do business. Let’s call them cyber-criminals.

Cyber-criminals’ mischief manifests in a variety of ways, and it is important that company boards, directors, and staff have at least some understanding of the potential pitfalls of operating a business over the internet.

Knowing the threat – Data breaches, denial of service and developing trends

Whether it’s credit card information hacked from a website designed to help spouses have affairs, or diplomatic cables that reveal the behind-closed-doors discussions and opinions of political leaders, or leaked pictures from celebrities’ cell phones, data security breaches and other cyber-risks have become a commonplace feature of the modern digitised world.

What the still-developing Ashley Madison leak of 2015, the ongoing WikiLeaks revelations, and the infamous public-figure phone hacks have in common is information.

In each case, the targets – a popular website, the US government, celebrities – held information that was intended to be secure, on networks that were meant to be private.

Privacy concerns over data leaks and security breaches regularly make media headlines, and are a growing concern, particularly for those with online habits they’d rather remained hidden.

But there are other threats too, which can cause damage far beyond the embarrassment or reputational injury that may be suffered in the wake of a data breach, cyber-insurance expert Bob Parisi says.

“Many [cyber-criminals] are not after information, but are trying to access systems, disrupt processes and gain access to target organisations via the target’s business partners.

“Attempting to fit all of the risks a business faces today into a traditional policy is like putting a round peg into a square hole.”

Part of the problem is that cyber-risks are too many, and are developing too rapidly for policy-takers to foresee all of the potential consequences, liabilities and costs that might result from a digital security breach.

“It’s difficult to mitigate against unexpected threats,” he says.

It can be hard to glean a clear picture from the numbers, but what is certain is that the threat is growing.

In the first 10 weeks this year the GCSB resolved more cyber-security incidents than it did in all of 2014.

In 2013 the largest single DoS attack in history was recorded. It was three-times bigger than the previous biggest attack.

In 2014 non-profit New Zealand organisation NetSafe recorded 8,121 incidents and $8 million directly lost to a range of “digital challenges”. Indirectly, it could be a $500 million dollar issue for the New Zealand economy. It’s been estimated that, globally, trillions of dollars are liable to be lost annually because of cyber-crimes.

“[The cyber-risk] is growing in sophistication and size,” says Paul Ash, director of the National Cyber Policy Office, an office of the Department of Prime Minister and Cabinet established in 2012 to formulate policy and advise government and private sector partners on how to respond to cyber-security threats.

“It’s not going away, it’s getting worse. In response, companies are getting better at defending themselves, but that adjustment can take time.”

Unsurprisingly, given the growing magnitude of risk, digital security has become a very big business, both on the “top-of-the-cliff” and at the “bottom”. Most firms likely already employ some form of anti-virus software to guard against attempted hacks and scams.

But what if, as the experts suggest may be inevitable, one gets through?

Mitigating cyber-risk – Indemnity insurance

Cyber-risk insurance is worth billions on the global insurance market, and is experiencing “unparalleled growth”, Bob Parisi says.

Anecdotally, the NZLS has heard of clients requesting descriptions and guarantees of a law firm’s internet security strategy before they might be considered as a potential winning tenderer.

International insurance and risk management company Marsh recently held two fully-booked seminars in Wellington to illustrate the growing global threat posed by cyber-risks.

Mr Parisi explained that “traditional insurance was written for a world that no longer exists”.

It’s not that insurers have failed to recognise the perils of the online commercial world, or failed to digitise their own operations alongside other modern industries. It’s that the game itself, while still relatively new, is changing, and security software companies, cyber-crime policing units, and others with skin in it are struggling to keep up.

“It used to be, [cyber-criminals] would hack into a system, steal a company’s data or sensitive information, then offer to return it for a ransom,” Mr Parisi says.

“They were good hackers, but bad criminals.”

But in the wake of developing technology and increased digital commerce, hackers have become savvier, better at breaking the numerous laws usually breached by any given cyber-attack.

With the rise of the so-called “Dark Net” or “Deep Web” – an “area” of the internet not easily accessed by the public, where passwords and other private information is stored – black-markets have arisen. They are privately-accessed forums, like shadowy alleys where traditional deals between mobsters and con artists might occur – shady “places” where a swelling network of mal-intentioned and opportunistic internet users conspire unseen, plan hits or attacks, and trade in criminal spoils.

Cyber attacks involving blackmail now usually involve many more parties than just the original hacker, who, as soon as he or she sells the stolen data or private network-access key to a third party, silently disappears without a trace into the deepest darkest parts of the net (and, often, eastern Europe) never to be ever seen nor heard from, Mr Parisi says.

The information is then traded and on-sold on the Deep Web black markets.

Saucy photos from hacked celebrities’ phones are bargained for by gossip magazines and website hosts and fetch a high price, but the real prize, while usually less salacious, has potential to have a much wider effect. Screeds of company records and accounting data and personal information don’t have the inherent attention-grabbing value of a famous person’s private photos, but such information can carry currency enough to hold large, powerful companies to ransom.

And as firms move more and more of their work and sensitive data storage solutions onto online platforms the threat multiplies.

“If an entity uses technology in its operations, and/or handles, collects, stores confidential information – it has cyber risk,” Mr Parisi says.

He identifies at least nine distinct “exposures” or “perils” of operating a business online, which he suggests professionals consider in the context of their professional indemnity policies.

The first three “exposures” could result in a targeted company owing liabilities to third parties, the next two are threats that may manifest into actual monetary cost, while the final four constitute tangible direct losses of company revenue.

About the cost of lost reputation, Mr Parisi says the magnitude of potential risk is directly related to how well a company can “damage control” a situation after it has occurred.

“You don’t want to be the next company in the news or the newspapers, having their activities picked apart by the press,” he says.

Just another risk — Accept it

National Cyber Policy Office Director Paul Ash has heard of companies “pulling out typewriters” to record their transaction records and other business operations. That’s one way to get around the risk – break the link in the digital chain – but a far less efficient way to operate a modern business.

“It’s better to understand and manage the risks, not to avoid them,” Mr Ash says.

As Ms Jagose admits, the only way to avoid the risks is to have a better defence than every potential attack and “that’s not likely.”

Rather, she recommends that organisations adopt a “risk acceptance strategy to mitigate risk and prepare resilience to those risks being realised at some point.”

New Zealand businesses and government agencies must change their thinking about cyber-security, re-framing it from an “IT risk” for the tech experts to manage to an “operational risk” like any other that prudent businesses must plan and account for, Mr Ash says.

“Treat cyber-security as a risk-management issue or exercise,” is his advice.

“Managing the risk is just a part of the digitised world.”

Board and management-level decision-makers must realise the significance of cyber-threats to their business operations and must “act now, plan accordingly”, by raising these issues within their organisations, putting systems in place to mitigate known and unknown risks and identifying and responding to crises if they occur.

“We are fundamentally a pretty trusting bunch in New Zealand,” Mr Ash says. “We too often think ‘it won’t happen to us’.

“We need to find ways to get over that.”

New Zealand businesses have traditionally enjoyed a sense of security, relative safety from the turbulence and legal technicalities of commerce and crime between border-sharing countries, which has derived from our geographic isolation, Mr Ash says.

In the digitally connected global economy, that no longer applies.

“Cyber-attacks collapse that paradigm.”

A local perspective

Kendra Ross is a Kiwi working on the digital frontier to help protect businesses from cyber crime. She founded and directs Duo NZ Ltd, one of the country’s largest IT security distributors. She recently established the INFOSEC security awards NZ, and constantly encounters new and evolving cyber risks.

“Data or information is the new currency,” she says. “Through a breach and disclosure of millions of credit cards you can cripple the share price of a company and have all the ‘C’ suite fall on their swords like Target in the USA or you can cause untold embarrassment and potential death as seen with Ashley Madison.

“If you are connected to the internet or a mobile network then everything is available at some point in time.”

She notes three “thriving” areas of cyber crime that New Zealand is not immune to:

Criminals moving from traditional black-market trade, such as in drugs and weapons, to the cyber-sphere, where there are no borders to cross, staff are more reliable, and there are fewer “moving parts” in the operation where things might go wrong. “They are following the money.”

“Hacktivism” is on the rise, with embarrassment and potential ruin a real risk for targeted organisations.

State-sponsored espionage – the most difficult area of cyber crime to shine light on – employed by government spy agencies to target other governments’ systems to steal intellectual property, uncover state secrets, or to achieve other political ends.

But, in her opinion, the biggest risk to law firms remains the potential exposure of a client’s data through a breach or hack that results in brand or reputational damage and loss of trust in the small New Zealand market.

“Many law firms’ clients are going to be small and medium enterprises (SME’s), and they will have poor information technology security postures. Therefore the digital supply chain – email coming into firms – is very likely to be tainted already.

“These days it’s not a case of when the bad guys get in to their system and reach the ‘Crown Jewels’ – data – it’s a case of how they got in, where are they and what have they got already.”

A view from the top

As cyber crime has become more prevalent the New Zealand government and others around the world have responded with various policies, initiatives and advice. Not-for-profit private organisations like NetSafe also play an important and massive role in educating the public, monitoring cyber threats, and providing a platform to report incidents or seek advice.

We have the National Cyber Security Strategy of 2011; the National Cyber Policy Office oversees the implementation of this. The government’s response is delivered by a range of operational agencies, including the National Cyber Security Centre (NCSC) within the GCSB, which is charged with protecting the operations of “critical infrastructure providers” such as power and telecommunications companies. The NCSC also delivers Project CORTEX, an initiative to counter sophisticated malware that targets New Zealand‘s most important information systems.

The NCPO also operates – a digital protection web resource and partnership across the public and private sectors. The police have developed the Cybercrime Unit which focuses on prevention, investigation and prosecution, where other agencies are concerned with defence and recovery. The Online Reporting Button (ORB), is a partnership between NetSafe and the Government that enables internet users to report online abuses. The New Zealand Internet Task Force is another private entity offering information and advice.

Despite the wide response, Parliament has not yet considered the mandatory reporting of cyber security breaches. At this point, Mr Ash says New Zealand is keener to develop within domestic organisations an “intrinsic desire to report and record incidents”, rather than rely on rules and sanctions.

“Treat cyber risk like any other business risk; act now, and act accordingly,” he advises.

Internationally, the trend among developed economies is for legislatures to enact regulatory notification requirements following significant cyber security breaches, Mr Parisi says. The USA and Europe have led the way. Australia is ahead of us. China is catching up fast.

But this area of crime and prevention is so dynamic that the regulations enacted have been described as “goofy”, the interplay between international commerce and domestic law creating uncertainties in its application. A wholesale governmental intelligence review is anticipated in the coming months, as policy and best practice doesn’t remain relevant or adequate for long in this rapidly evolving arena.

Lawyer Listing for Bots