Data breach. Who would have thought that two simple words could instil so much fear into boards and executives worldwide? Yet here we are in 2023, and those two words have us on edge. The worst part? No one is immune to a data breach, and it affects every industry. Just look at websites such as Webber Insurance Services, The Complete List of Data Breaches in Australia for 2018-2022. Lists like this give me goosebumps, partly because of the sheer number of breaches Australia has suffered in just a few years, and partly because I use or engage personally with some of the providers whose names appear on that extensive list. This leads me to ask: how much of my data is available on the dark web, and did these providers do everything they could to protect it before it was stolen and monetised?
Anyone following cyber news in the last few weeks will undoubtedly have heard of a recent spate of cyber-attacks against law firms via two strains of malicious software (malware), GootLoader and FakeUpdates. Threat actors compromised legitimate websites and manipulated search results so that lawyers and business professionals searching for certain types of legal and business information were led to them. Visitors to those websites would then unknowingly download malware instead of the contract or agreement templates they had searched for. On the sneaky scale, this hits the extreme end. As a practising lawyer or business professional with limited cybersecurity training, there is no way you could know that this simple action, an action that in the past was safe and carried no risk, now threatens the very existence of your organisation.
A little dramatic, I know, but the malware being delivered included ransomware and Cobalt Strike, a post-exploitation agent that allows a threat actor to sit quietly in your organisation's environment for a long period of time. Cobalt Strike is a favourite of ransomware crews too, so its presence alone proves little; what points cybersecurity professionals towards espionage rather than straightforward financial gain is an intruder who maintains that kind of quiet, persistent access without moving on to encrypt and extort. Add this to the plethora of other cyber-risks faced by organisations, including the multitude of phishing variations such as spear-phishing, business-email compromise, whaling, vishing and smishing (I know, who comes up with these names?), man-in-the-middle attacks, zero-day exploits and a whole heap of other cyber-attacks whose names make no sense at the best of times, and things are looking fairly grim. Or are they?
Just as the legal profession has its own language, so does cybersecurity. Most organisations hire professionals when it comes to legal advice, the same way they hire professionals when it comes to cybersecurity. But how do you know that your cybersecurity professionals are doing everything they can to protect your organisation, the same way you, as lawyers, work hard for your clients? The answer: it's not straightforward. But if you know the right questions to ask, you are one step closer to ensuring that your organisation is doing the best it can to protect your clients' personal information and intellectual property.
Having worked with several law firms over the years, I have set out below five questions I encourage you to ask your cybersecurity professionals as a starting point, to make sure your organisation is on the right path to becoming secure.