As hacking attacks proliferate around the world, Asian law firms need to take their cybersecurity very, very seriously
The month of August saw the hacking of Canada-based Ashley Madison, a website enabling married people (or those in committed relationships) to have affairs, and the details of more than 37 million users were extracted and posted online. The Internet erupted with a mixture of mirth and schadenfreude as the odd semifamous celebrity and public official were found to be users – to date, one must add, since a data dump that large requires time to process. But broadly, the hack again put the focus on just how vulnerable companies are to cyber threats. While high-profile cases like Ashley Madison as well as Sony and Target, to name just a few, are ensuring that the issue stays in the public conversation, the fact is that a broad range of companies nowadays are under siege from increasingly innovative and sophisticated hackers. And Asia is far from immune: Companies in the region are targeted 35 percent to 40 percent more than the global average, according to cybersecurity firm FireEye.
Included in that list are law firms, which are prime targets for hackers, thanks to the amount of sensitive client data they handle. According to cybersecurity firm Mandiant, at least 80 of the 100 biggest firms in the U.S. by revenue have been hacked since 2011, and the feeling among experts is that smaller outfits (and less technologically savvy ones) are even more vulnerable. And yet, a large number of these attacks go unreported, as law firms are loath to go public with the news, fearing it might jeopardise relations with current and prospective clients.
This approach benefits no one. The lack of public awareness means many firms don’t even know if they’ve been hacked, or realise the importance of preventing such an attack. Another concern is the cost of being hacked: The Ponemon Institute in the U.S. estimated that in 2014 a data breach – including crisis-management services, data investigations, legal counsel, breach-notification expenses, and credit monitoring – cost an average of $3.5 million. That’s enough to sink a small enterprise. Given that law firms have the additional duty of protecting their clients’ information, damages can push that figure into stratospheric levels indeed. So what can law firms do to protect themselves? Well, for one they need to be more open about cybersecurity issues and become comfortable with exchanging information. A U.S.-based alliance calling itself the Legal Services Information Sharing and Analysis Organization (LS-ISAO) was launched last month, and it is also open to law firms based in the UK and Canada. This is an idea whose time has come in Asia as well.
Internally, aside from the obvious step of enlisting IT security professionals, law firms need to become more responsive to the threat and take the necessary steps: the basics, such as encrypting data, using caution when it comes to the cloud, eliminating the BYOD (“bring your own device”) culture, training staff and so on, need to be addressed as soon as possible. Because when a cyber attack hits you – and data suggests that the chances are increasing all the time – you don’t want to end up feeling as exposed as the users of Ashley Madison did.