But hackers do not just leave their imprints on news outlets. Cybercrime, in fact, is a universal problem that touches all industries, including law. “You don’t have to read the paper for very long to understand how current and significant and challenging this problem is for our nation and for each and every one of us,” said Allen Goolsby, special counsel, Hunton & Williams, and moderator of the American Bar Association webcast “How to Limit Cybersecurity Risks and Respond to Cybersecurity Breaches.”
And it’s no longer enough to simply install antivirus software, said Jody Westby, CEO of Global Cyber Risk, a firm that focuses on cyber crime and breach management. “Most companies still believe, ‘Oh, if I have a good antivirus program and am up to date with my software and we have good firewalls, that’s the best I can do,’” Westby said. “And it’s not good enough anymore. The malware is so sophisticated, antivirus programs are no longer adequate complete defense against them.”
The webcast addressed how to identify cybersecurity risks and how to deal with an actual cybersecurity incident.
David Burg, director of PricewaterhouseCoopers’ advisory services, dispute analysis and investigations practice, profiled three groups of potential hackers. First are state-sponsored groups, said Burg, who specializes in forensic technology solutions. “Law firms are specifically targeted by state-sponsored groups,” he said. “The reason being, a law firm is a wonderful place where there’s a concentration of information, and so it becomes an efficient mechanism for an attacker to focus on a place where large volumes of sensitive information are stored.”
One of the key attributes of state-sponsored groups is that while their techniques are sometimes simplistic, they’re highly effective and generally difficult to detect, Burg said. “In our experience, we see matters where our clients have been compromised for months or even years without the security infrastructure becoming aware of the compromise,” he said.
The second group is organized cyber criminals. They principally seek to convert information into monetary gain in the short term as opposed to the longer term, “which is more of the trend that we see in the state-sponsored groups,” Burg said. “These are actors that can take systems offline and inflict damage and harm to infrastructure.”
The third group consists of individuals who operate either collectively or on their own to capture and expose information for a variety of reasons, Burg said. In some cases, these individuals may be motivated by personal financial gain, and in other cases they are, in fact, affiliated with a state-sponsored group or organized cyber criminals. Or they can be disgruntled employees who have “sought to damage their employer as much as possible by destroying information, by disabling disaster recovery or business continuity capabilities,” Burg said.
Across all of these groups, there are a number of common themes. Namely, the cyber criminals are able to find a vulnerability, maybe a simple vulnerability, Burg said. “They’re able to exploit that vulnerability and gain a foothold in the environment, and then they’re able to expand their base of operations to be able to examine the infrastructure … survey various data … and identify the information they’re interested in, and they’re able to move it from the environment,” he said.
The risk isn’t limited to very large companies. It also can impact small private firms, said John Woods, partner, Baker & McKenzie. His practice involves conducting internal investigations and advising clients on data security, privacy and information governance.
Yet the panelists agreed that there is a “very significant lack of awareness around just what these cyber risks are,” Burg said. “From our own finding in a PWC survey that was released at the end of 2011, 42 percent of respondents did not know or did not evaluate their cyber risk.
“What we see is that awareness remains low until it happens to your organization,” Burg continued. “[Those] that experience a significant breach, they get it. And it’s this type of company that really steps back and looks at the component parts of the risk equation and is willing to make greater investments in infrastructure.”
To address this challenge, you must have ongoing insight into the motivation, tools and tactics being employed by cyber criminals, Westby said. “That is so important because this threat is evolving, and it’s evolving almost daily,” she said. “And the nature of the threat has gotten so sophisticated that companies really have to understand what they’re up against or you really end up in an activity where you’re addressing one threat and the next thing you know, you have another.”
It’s difficult to implement efficient strategies when you don’t have a current view of whether your system is able to withstand more advanced threats, Westby said. “Controls are better rooted really if they’re based in intelligence because that’s really enterprise risk management,” she said. “It leads your operations to the threat and then you can determine the best response and approach to take to mitigate that or deter it or even prevent it.”
Westby offered advice for when an attack does occur. Her words of wisdom: Hands off the “crime scene.”
“I think that one of the most important things in looking at how we respond to a cyber incident is to sort of compare it with a traditional incident,” she said. “If someone was murdered or attacked on your corporate premises, you would know enough not to go stomp around the crime scene and make a mess of it. And one thing that happens in computer incidents is people go stomp around the crime scene in muddy boots and often don’t think about some of the very critical aspects that need to be considered upfront, which is documenting everything that is done, documenting chain of custody, knowing which machines to shut down or unplug or which machines do have write-protect and equipment … so you can preserve the electronic evidence.”
When client information is compromised, another challenge arises, Westby said: When do I notify? Companies may want to notify but may not have enough information. “One of the state laws may be saying within a certain time period you have to notify,” she said. “And the problem is, companies don’t want to notify and then have to renotify and say, well, we now found out something else. So it’s difficult to try to meet the timing of notification requirements while you’re trying to gather enough information to have some certainty with that notification.
“I really push my clients to be forthcoming and to be honest about what happened if they have to reveal it,” Westby added, “and to the extent they don’t, put it under attorney-client privilege or protection where you have some control.”
The good news is that there are law firms today that have “evolved impressively and have very mature capabilities to minimize the risks that we have talked about,” Burg said. “You cannot eliminate the risk, but the key here is to minimize the risks that we know are manifest in this world.”
ABA President Laurel Bellows is responding to the cybersecurity threat with a task force that is developing a “cyber incident response handler” that will be published by Aug. 1, Westby said. It will be for all organizations, small and large. “So there’s help on the way to give you a handbook and a guide you can use as a scenario unfolds in your organization,” she said.
Bottom line: Companies should be prepared for a cyber incident, Westby said. “Find out cyber crime laws in jurisdictions where you do business, have a point of contact with law enforcement and local ISPs, and have a local attorney lined up,” she said.
This webcast is part of the ABA CLE Premier Speaker Series, sponsored by Bank of America. It is a monthly program that allows ABA members to earn up to 18 hours of free CLE credits every year.
For more information on cybersecurity, visit the ABA Cybersecurity Legal Task Force web page.