
Law Firms as Targets For Hackers – Risks and the Way Forward – Proshare Nigeria Limited

Sunday, February 28, 2021 / 02:00PM / By Raphael Irenen (Aelex) / Header Image Credit: Aelex

  

Introduction

The growth in technology has led to a sudden shift in the storage of information
from physical storage systems to online storage platforms. Individuals and
organisations are now beginning to save their information online and the
reasons for this development are not far-fetched.

 

Amongst several advantages, online storage of information appears safer compared
to traditional methods, as information stored online cannot be wrecked by
environmental hazards such as fire or natural disasters including storms and
earthquakes. Furthermore, it makes such information easily accessible to those
who are entitled to access it.

 

The outbreak of COVID-19 has also encouraged and facilitated an increase in the
online storage of information by individuals and organisations. This is mainly
because the various lockdown orders halted the movement of goods and persons
and, as a result, several organisations and businesses have had to work and
operate remotely. To be able to access relevant data and work effectively while
working remotely, these organisations have had to adopt several digital means
of storing their relevant data.

 

However, the storage of information through online and digital means does not
occur without some challenges. Indeed, with the increase in online and digital
storage of information, cyber-attacks and data breaches by cybercriminals are
now a very common phenomenon in the world today. These cyber-attacks mainly
occur without the knowledge of their victims. Additionally, the cybercriminals
either utilise the access and information they obtain for their personal use or
sell them to other persons who may be in need of them. For example, threat
intel firm Group-IB reports that the sales of access to compromised corporate
networks grew fourfold in 2020.[1] It therefore appears that the sale of access
gained by cybercriminals to the data of some corporate organisations and
entities has become a lucrative venture.

 

The Peculiarities of the Legal Sector

In Nigeria, the legal sector is not left out of the odious ventures of these
cybercriminals as law firms are a vital part of society. First, they have in
their possession and control, commercially sensitive and privileged
information, as almost all sectors in the country involve the services of
lawyers in their operations and transactions. These transactions have given
Nigerian lawyers and law firms access to salient and privileged information of
these business entities that they work for.

 

The information held by law firms that is attractive to hackers includes
intellectual property information (such as trade secrets, patents, industrial
designs and copyrights), corporate financial reports of clients, financial
details (including account access information), confidential and privileged
business information of both the law firms and their clients, relevant
information relating to their clients’ criminal activities, personally
identifiable information (PII) of both law firms and clients, proprietary
software code, the personal health information of individual clients, emails
and other forms of correspondence.

 

Ironically, despite the potential cyber threats posed by cybercriminals and the
tendency for law firms to be targets, there appears to be the narrow-minded
belief that law firms are hardly targeted or that, if such threats exist, they
are problems of the magic circle or top-tier law firms. However, in reality,
small law firms and sole practitioners have become vulnerable targets of
cybercriminals. As a matter of fact, the issue of cyber breaches and attacks on
law firms was raised in a 2020 ABA Legal Technology Survey Report, which
revealed that the percentage of law firms experiencing a known security breach
stood at 29% in 2020.

 

Furthermore, DLA Piper, a multinational law firm with solid expertise in
cyber-security, was also hit by the popular NotPetya ransomware attack. This
should serve as sufficient warning for both law firms and lawyers on the issue
of cyber-attacks and data breaches. Consequently, the need to establish
protocols, procedures, policies and precautions that guarantee cyber hygiene
for both lawyers (involved in sole practitionership) and law firms cannot be
overemphasised.

 

 

Types of Cyber Threats/Breaches

It is important for these law firms to have an idea of the possible
cybersecurity risks that they are highly susceptible to. Though cyber breaches
can occur in various forms, the ones that commonly affect law firms include:

 

1. Ransomware

It is a type of malware from cryptovirology. It threatens to release and publish
its victim’s data or block access to it in perpetuity unless a certain sum is
paid. It is quite common and infected DLA Piper’s system in June 2017.[2]

 

2. Virus

A virus uses written codes that it replicates. It also attempts to spread from
one device to another by attaching itself to a host program.

 

3. Worm

It is a standalone malicious program that replicates itself in order to spread
to other programs.

 

4. Malware

Software that is intentionally designed or formulated to damage, disrupt or
gain unauthorized access to a device. It is often utilised by hackers to
compromise information systems.

 

5. Spyware

It is software that enables its user to spy on other computers. It enables its
user to obtain covert information about the activities and actions of other
computers. It does this by simply transmitting data in a covert manner from
their hard drive.

 

6. Trojan Horse

A type of malware that often misleads computer users about its true intention.
It usually appears useful or even harmless. However, it contains hidden code
designed to exploit or damage any device on which it runs.

 

7. Phishing Attacks

This is a type of social engineering in which the attacker poses as a
trustworthy entity in an electronic communication (mainly by mail) in order to
steal user data, including login credentials and credit card numbers. It
operates in such a way that it dupes its victims into opening an email, instant
message or text message, just to get relevant data from the user.

 

Other factors that can also contribute to cyber breaches include:

  • External and internal threats (such as recklessness of certain members of staff)
  • Website vulnerabilities
  • Security issues with cloud systems
  • Security issues with other third-party providers
  • Weak password management
  • Utilization of outdated technology
  • The activities of hacktivists

 

 

The Importance of Cyber Hygiene to Law Firms and Lawyers

According to a recent report, email malware creation increases by 26% year over
year, with about a million malware threats created every day.[3] Additionally,
between 2014 and 2015, the amount of new malware that emerged grew from 317
million to 431 million. By 2016, a breach of more than 11 million confidential
and privileged documents, which included emails, databases, files, PDFs and
thousands of text documents, occurred as a result of an attack on the Mossack
Fonseca law firm. Based on the reports released by security researchers, there
were multiple reasons for the success of the attack. These reasons included
external-facing servers running outdated software while missing critical
security updates. This suggests that the Mossack Fonseca law firm did not have
adequate cyber hygiene protocols and procedures, as there was a clear lack of
visibility across the firm, as well as missing patches and vulnerabilities
including poor network segmentation. This clearly indicates that the worst
cyber breach is often a result of poor cybersecurity.[4]

 

To this end, law firms and lawyers need to pay more attention to their
cybersecurity. With the growing rate of cyber breaches, law firms cannot afford
to be careless with the information of their clients within their possession.
Procedures and protocols must be established by these law firms to ensure cyber
hygiene.

 

For the purpose of clarity, cyber hygiene underscores a successful incident and
threat management program that keeps computer systems up to date, promotes full
visibility and guarantees data protection. It includes a range of procedures
and protocols that help to maintain best practices in keeping sensitive data
safe from external attacks. It also helps to ensure compliance with the latest
security standards.[5] If a proper cyber hygiene procedure is not put in place,
then the valuable and sensitive information in the possession of these law
firms may be tampered with by cybercriminals. This will affect the integrity of
the firm and may also result in some legal actions being taken against the law
firm.

 

Additionally, ethical issues may also arise, particularly with regard to the
provisions of the Rules of Professional Conduct (“RPC”), which vest in legal
practitioners in Nigeria an ethical and professional obligation to make sure
that valuable and sensitive information of clients is protected from
unauthorised access and kept confidential.[6] The provisions of Rule 19 (1) –
(3) of the RPC are clearly to the effect that a lawyer has a duty to ensure
that whatever information is disclosed to him by his client is not divulged to
another person, except:

  • with the consent of the client (upon full disclosure to them);
  • where such lawyer is required to disclose any relevant information on
    grounds of law or by an order of the court;
  • where the intention of the client is to commit a crime and a disclosure of
    such information is necessary to prevent the commission of such crime;
  • where such disclosure is necessary for the lawyer to establish or collect
    his fee; or
  • where such disclosure is necessary to defend himself or his employees and
    associates against an accusation of wrongful conduct.

 

Clearly, the above exceptions provided for under the RPC do not cover
cyberattacks/breaches. The inference drawn from this is that a lawyer may be
liable under the RPC for any cyber or data breach that affects his clients’
information.

 

 

Possible steps that can be taken by law firms to ensure cyber hygiene

The following steps can be taken by lawyers and law firms to ensure cyber
hygiene and prevent any further cyber or data breach.

1. Law firms should routinely identify items such as unmanaged laptops, servers
and desktops.

2. Engage in regular awareness and training of its employees on cyber security
and cyber hygiene in general.

3. Carefully address any system updates and operating-system-specific
updates.[7]

4. Initiate a regular change of password policy and multi-factor authentication.

5. Adequately identify unencrypted valuable and sensitive data and adhere to the
required industry security compliance program.

6. Develop a security system that adequately addresses insider threats.

7. Scrutinise hardware and firmware updates for the purpose of identifying
security risks and priorities.

8. Obtain cyber insurance policies for future cyber liabilities.

9. Establish and frequently update cybersecurity policies.

10. Carry out regular penetration and vulnerability tests on the various
software and hardware being utilized by the firm, to determine their cyber
strengths over time.

 

 

Conclusion

As earlier noted, cyber hygiene in Nigerian law firms is now, more than ever,
imperative. Law firms must begin to take steps to secure information that is
stored online and offline. An understanding of the responsibilities vested in a
lawyer to protect and keep confidential the information of clients is
sufficient for a lawyer to be proactive and take the necessary steps to avoid
any cyber breach. Lawyers must also understand that they are not in any way
immune from the activities of cybercriminals. In fact, they appear to be one of
the most vulnerable targets of these cybercriminals.

 

Hence, law firms must begin to establish and maintain policies that guarantee
and promote cyber hygiene. These firms must consider educating and enlightening
their employees on cybersecurity. Apart from the steps recommended in this
article, Nigerian law firms must also look to other ways in which their data
will be secured. Similarly, the services of experts and consultants should also
be acquired by these law firms where necessary.

 

Though some of these measures may be expensive, it is better to expend resources
ensuring the safety of the information of their clients, than to spend on any
resultant legal action or liability that may be incurred as a result of a cyber
breach.

 

 

Footnotes

1. Network hacking and ransomware fueling global cybercrime surge by John Leyden (accessible via https://portswigger.net/daily-swig/network-hacking-and-ransomware-fueling-global-cybercrime-surge).

2. DLA Piper set to sue insurer over Notpetya Claim: Report (published on infosecurity-magazine.com).

3. 5 Facts on Email Security Threats in 2021 (published on Mailbird Blog).

4. Law firms as prime targets for hackers: 7 Steps to reducing cyber risks by Aniket Bhardwaj, Charles River Associates (published on Lexology).

5. Ibid.

6. Rule 14 and Rule 19 of the Rules of Professional Conduct.

7. Ibid.

 

Proshare Nigeria Pvt. Ltd.
