What professional organisations need to know about cybersecurity post-Covid

E

arlier this year, an online hacking group posted a series of files that it claimed to be from the Jones Day law firm after it was hit by a data breach at one of its vendors. 

Jones Day is just the second law firm to acknowledge that it was affected by the hack of a file transfer vendor, Accellion. Goodwin Procter is potentially another who revealed in an internal memo that some client information may have been accessed in a breach of an unnamed vendor, later identified also as Accellion.

Unfortunately, exfiltrating data is not the only hack game in town. For a professional that uses and transmits funds via wires, cybercriminals have a unique and painful game.

In a mortgage wire fraud, a hacker poses as the real estate agent or client and attempts to divert closing costs into a fraudulent account. This type of fraud usually relies on a familiar hacking technique called 'spear phishing' or 'spoofing'.

In a spear-phishing scam, a hacker uses several mediums ranging from fake emails and phone numbers to websites to impersonate someone you trust. A scammer who runs a mortgage wire fraud might use an email address or phone number that looks like the one used by the professional to get the unsuspecting victim to lower their guard. These emails and texts can look authentic and even contain personal information that only the professional would know.

Scammers might take it up a notch from there by also using a technique called spoofing to make themselves seem more legitimate. Spoofing primarily occurs when a scammer uses special software to mimic your agent or lender’s phone number or email. The reason why it is so convincing is that when a scammer calls or emails you from a spoofed account, it can look exactly like you are talking to someone you trust.

The goal here of course is to get the closing costs into an account that the scammer owns. The scammer may use primers to create a sense of urgency by telling you that there has been a last-minute change in their banking procedures. They might also tell you that they sent the wrong address the first time, thereby increasing the urgency to then hijack the transaction.

Furthermore, ransomware attacks have significantly increased recently in number and frequency. So why ransomware?

Ransomware is a type of malware designed to encrypt files on a device or system that renders the files, including the system, completely unusable. The hackers then demand ransoms in exchange for the encryption key to decrypt the data and system. All too often, though, the ransom is paid but no encryption key is produced in exchange for the money.

Ransomware is frequently delivered in the form of a phishing or spear-phishing email with the malicious code embedded in a link or download. An unsuspecting employee then inadvertently clicks on the link, and the malware is immediately deployed into the system.

The catch is that the system may not be locked down by the hackers at that time. More often, the malware will just sit hidden in a system, waiting until a later date when the hackers enable the ransomware to be deployed. Most of the time, it is done at a calculated moment to maximise disruption and create the most havoc.

Colonial Pipeline, the largest pipeline system for refined oil products in the US, and JBS, the largest meat producer in the world, are the two most recent public victims of ransomware attacks.

Colonial Pipeline reportedly paid $4.4m in ransom, where JBS reportedly paid $11m. A group known as DarkSide took credit for the ransomware attack that caused Colonial Pipeline to shut down its fuel distribution pipeline. A similar group, REvil, is reportedly responsible for the JBS ransomware. Both groups essentially operate a 'ransomware-as-a-service' business.

In its statement claiming responsibility, DarkSide stated that its motivation was purely financial. Still, while financial gain is typically the goal, appropriating valuable intellectual property and proprietary information can also be high on the list and in some cases more valuable.

So what does this mean for your law firm or accounting firm? In no uncertain terms, it could mean you are next up. Simply relying on cyber liability insurance or a managed services provider is just not enough.

A data privacy and cybersecurity impact assessment is a necessary and solid first step to providing your organisation with the knowledge and roadmap it needs to mitigate its risks and liabilities. Professional services undeniably run on data. Therefore, it makes them a target-rich environment for cybercriminals.

Risk mitigation is always the principal goal for any business – and especially for professional services – when it comes to data privacy and cybersecurity. It is what currently keeps chief executives up at night, according to a report by the Wall Street Journal last year.

As the saying goes, you simply cannot know what you do not know, and what you do not know can be costly. Coming up with a plan to shore up cybersecurity defenses can admittedly be daunting. But professional organisations first and foremost need to get a handle on their data.

Such a strategic first step is critical to understanding what laws may be impacting the organisation and developing the initial blueprint to construct a cyber defence plan for the organisational infrastructure. After all, all roads to compliance lead toward and originate from this strategic first step.

First, understand the legal landscape by conducting a data privacy and cybersecurity impact assessment. It allows an organisation to build off this knowledge and achieve an important goal when it comes to legal compliance: providing it with a comprehensive and efficient overview of its data collection practices, contractual obligations, technology usage, and business workflow.

Examining this type of information, along with the business’s internal policies and guidelines on data privacy and cybersecurity, is a key component and will go a long way to determining the nature and type of laws and standards with which an organisation must comply. Every single state has a data-breach notification law, and some, like New York, have a proactive cybersecurity law: the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act).

Like many other pieces of proposed data privacy and cybersecurity legislation, the SHIELD Act has an extraterritorial effect, covering any business that holds sensitive data of New York residents, and includes proactive requirements on all covered businesses to implement “reasonable” administrative, technical, and physical safeguards to protect sensitive data.

Other states have adopted some form of security and privacy laws that govern the US legal landscape, while 66% of countries have passed data protection and privacy legislation, according to the United Nations Conference on Trade and Development.

Discussions with global colleagues in the Abacus Worldwide association confirm the urgent need to add knowledgeable and experienced cyber legal counsel to the corporate advisory team, who can not only navigate these growing number of tangled regulations but likewise apply them in a way that satisfies the unique needs and operational infrastructure of the organisation’s footprint.

Plus, the enactment of new data privacy and cybersecurity laws worldwide makes one thing certain: enforcement is on the way. And one thing is for sure when it comes to enforcement: these costs weigh on the bottom line, not to mention adding years of potentially crippling oversight as the company wrestles with regulators and compliance.

As professionals, we have heightened duties to our clients, like ABA Formal Opinion 477R (May 2017) that states: “Security threats to lawyers and law firms continue to be substantial, real and growing. Attorneys and law firms must recognise these threats and address them through comprehensive cybersecurity programs.”

As professional service providers, we must also address our ethical concerns along with the regulatory obligations.

Next, create a comprehensive cybersecurity and data privacy program. Regardless of the size of the law or accounting firm, having a written information security program (WISP) demonstrates compliance.

In the world of data privacy and cybersecurity, if it is not documented, it is not done. Part and parcel of having a WISP is also having a data breach response plan. Many data protection laws require organisations to have a written response plan.

Keep in mind too that your law or accounting firm should also train on the WISP and the response plan. The last thing an organisation wants to do is practice responding to a data breach during a data breach. This also helps to keep security and privacy top of mind for employees, which can reduce error and show a reasonable approach on the part of the firm.

In the end, where an organisation begins stepping through compliance will for the most part dictate where it ends up. Proactive decisions typically pay big dividends in the long run. Delay and denial, on the other hand, in addressing cybersecurity can lead to a potential domino effect down the road with cost overruns generally the first one set in motion.

Creating a thorough, documented, and thoughtful strategy will not interrupt the accounting or law firm’s forward movement or visions of the future. In the area of cybersecurity and data, legal preparation is a necessary ingredient to success here, and pays dividends to deflect potential costly enforcement actions later.