Cybersecurity and Policy
Kafayat Omotayo
WRTG 112
UMGC
02/15/21
Commented [DW1]: Good cover page.
Table of Contents
Abstract ........................................................................................................................................... 3
Introduction .................................................................................... Error! Bookmark not defined.
Research Question ......................................................................... Error! Bookmark not defined.
Overview .................................................................................... Error! Bookmark not defined.
Standards .................................................................................... Error! Bookmark not defined.
Definitions .................................................................................. Error! Bookmark not defined.
The potential threat of a cyberattack on a law firm ................... Error! Bookmark not defined.
Law Firms’ Cyber Risk .................................................................. Error! Bookmark not defined.
Cyber Risk Cost Assumption and Attacks ................................. Error! Bookmark not defined.
Cyber enforcement issues for the law firms .................................. Error! Bookmark not defined.
Surveys ........................................................................................... Error! Bookmark not defined.
Prevention ...................................................................................... Error! Bookmark not defined.
Recommendations .......................................................................... Error! Bookmark not defined.
Conclusion ..................................................................................... Error! Bookmark not defined.
References ....................................................................................................................................... 8
Abstract
With the evolution of technology, all businesses use the internet and other smart devices for
smooth operations in their business. The advanced use of the internet and technology has brought
many security issues for businesses. This paper focuses on the current threats faced by law firms
in terms of cyberattacks. An insight is provided on how law firms can be threatened by different
actors for information. A survey approach has been used for collecting data for this paper.
Keywords: Cybersecurity, Law firms, Threat Actors, Information
Introduction
While firms around the world are forced continuously to enhance the complexity of their
risk reduction strategies, cyber-attacks are growing steadily. A study by Lab's panda in Q3 2016
only took another 18 million malware tests. In 2017, a further report from the Division of
cybercrime and intellectual property was carrying out more than 4,000 Ransomware attacks daily
(CCIPS). That's 300 p ...
1. Cybersecurity and Policy
Kafayat Omotayo
WRTG 112
UMGC
02/15/21
Commented [DW1]: Good cover page.
Table of Contents
Abstract
...............................................................................................
............................................ 3
Introduction
.................................................................................... Error!
Bookmark not defined.
Research Question
......................................................................... Error!
Bookmark not defined.
2. Overview
.................................................................................... Error!
Bookmark not defined.
Standards
.................................................................................... Error!
Bookmark not defined.
Definitions
.................................................................................. Error!
Bookmark not defined.
The potential threat of a cyberattack on a law firm ...................
Error! Bookmark not defined.
Law Firms’ Cyber Risk
.................................................................. Error! Bookmark
not defined.
Cyber Risk Cost Assumption and Attacks .................................
Error! Bookmark not defined.
Cyber enforcement issues for the law firms
.................................. Error! Bookmark not defined.
Surveys
...........................................................................................
Error! Bookmark not defined.
Prevention
......................................................................................
Error! Bookmark not defined.
Recommendations
.......................................................................... Error!
Bookmark not defined.
3. Conclusion
..................................................................................... Error!
Bookmark not defined.
References
...............................................................................................
........................................ 8
Abstract
With the evolution of technology, all businesses use the internet
and other smart devices for
smooth operations in their business. The advanced use of the
internet and technology has brought
many security issues for businesses. This paper focuses on the
current threats faced by law firms
in terms of cyberattacks. An insight is provided on how law
firms can be threatened by different
actors for information. A survey approach has been used for
collecting data for this paper.
Keywords: Cybersecurity, Law firms, Threat Actors,
Information
Introduction
4. While firms around the world are forced continuously to
enhance the complexity of their
risk reduction strategies, cyber-attacks are growing steadily. A
study by Lab's panda in Q3 2016
only took another 18 million malware tests. In 2017, a further
report from the Division of
cybercrime and intellectual property was carrying out more than
4,000 Ransomware attacks daily
(CCIPS). That's 300 percent more than 2015, with 1,000
ransomware attacks every day. Several
studies indicate that technology has two effects—connecting the
globe and simultaneously
enabling cyber-attacks. In 2016, it was discovered for the very
first time in history that
cybercrime has taken over traditional crime by UK National
Police Department and other
organizations (Alwan, 2018). In today's fast-moving dynamic
environment, all the business is
using the internet for smooth functioning and maintains
competition in the business world.
Ensuring the safety of the data has become the prime motive of
all trades. Similarly, the
relevance of cyber protection for their customers and the status
of the company have begun to be
understood by law firms. One of the chief duties of the law firm
is to ensure the protection of
client's private legal information. There are several kinds of
cybersecurity research; however,
very little research has been offered on security issues in law.
One of the greatest cybersecurity
faced by law firms includes data breaches and ransom-hack
attacks (Stark, 2021).
Research Question
How do threat actors obtain classified information from a law
firm?
5. Overview
Standards
The main aim of the National Institute of Standards and
Technology (NIST) is to offer an
overview of how different institutions, states, or nations
understand or approach "cyber-attacks."
A cybersecurity policy for the European Union is being
developed by the European Network and
Information Security Agency (ENISA) to aim for continuity
across Europe, across different
international boundaries, across national borders and industries.
For EU companies to comply
with their cybersecurity pledge and regulation conformity,
ENISA works toward harmonized
standards. Homeland Security also offers a cross walking
cybersecurity NIST system that
provides a comprehensive checklist to classify the terms.
Commented [DW2]: Formatting: be sure to check the
guidelines for the formatting. While this might be useful for
some arenas, this course is aimed to familiarize you with the
formatting you’ll be using in future courses (unless they
request otherwise). You do not need a Table of Contents or
Abstract, and the sections (introduction, body, conclusion)
do not get their own headers.
Commented [DW3]: This could work as a thesis if it is
slightly re-worded; your thesis should take a stance/position
on the issue, one that is arguable. See the examples in our
course readings for more, and develop a strong thesis here in
the introduction.
6. Commented [DW4]: Great citing.
Commented [DW5]: Instead of these headers and sections,
we need body paragraphs that each support your stance and
begin with a topic sentence. See above.
Definitions
Cybercrime, as stated in the Tallinn Manual on International
Law for Cyber Operations,
is defined by the Australian Government under the
Commonwealth Penalty Code Act 1995 as
computational crimes involving unauthorized entry,
modification, or disruption of electronic
communication. Austria offers a wide-ranging description of
cybercrime as "illegal cyber-space
attacks on and through ICT systems defined by criminal or
administrative laws," Includes, as
well as internet crime, any crime committed through IT and
communication networks. In the US
and Russia, common definitions are followed: cyberspace use in
conjunction with domestic or
international legislation for criminal purposes. Although
cybercrime is unified, law enforcement,
including Interpol, is typically distinguished between the two
main forms of internet-related
crime: advanced (or hi-tech) cybercrime such as sophisticated
hardware and software attacks and
cyber-enable crime, wherewith the onset of the internet, many
"traditional" criminals have
changed their course (Alwan, 2018).
The potential threat of a cyberattack on a law firm
7. Malware: This software helps in breaching information systems.
By clicking on a link, one can
install this software on their system. Spyware, ransomware, and
malware are some of the
examples of this program. Malware will obstruct the company's
access. Also, it can copy all the
information of the firm into a drive. Ransomware enables the
hacker to lock the employees or
owner out of the system until the firm pays the ransom to the
hacker.
Phishing: The hacker acts as an authentic firm or company and
tries to steal private information
and login passwords.
A MITM (man-in-the-middle) attack: The hacker captures and
transmits messages to two
parties who believe they communicate with each other; this
scam is also known as a scooping
attack (Mayo, Mayo, Spencer, Spencer & Spencer, 2021).
Law Firms' Cyber Risk
Cyber Risk Cost Assumption and Attacks
In the retention agreement, cyber protection is changing and is
now more than a technical
challenge or an added clause. This was the greatest risk facing
law firms in 2017, for example -
A massive cybersecurity infringement, later related To an
insider trade of $4 million-plus scam,
was endured by Cravath, Swaine and Moore, and Weil
Gotshal&Manges, two of US's biggest
law firms. In July 2016, their little Philadelphia business, the
computer system – Greseng Law –
was infested by malware. Their outsourced IT supplier,
8. Integrated Microsystems, was contacted.
Jessica L. Mazzeo stated, "We caught it almost immediately".
While Chief Operating Officer at
Griesing Law stated that "We took down our network and ran
virus software on every computer
in the firm. Once we located where the virus originated, we
wiped the hard drive." This incident
was a revolution in law firms. Lawyers took a different
approach in dealing with emails and
websites (Alwan, 2018).
Commented [DW6]: Be sure to see the above notes—this
needs to be formatted into an essay.
Cyber enforcement issues for the law firms
Unlike any businesses law firms are prone to breaching and
quite a lot of them have a
requirement of pre-breeching safety. If a problem emerges, a
corporation will be far superior to
its customers, its government regulations, or compliance
organizations, if the firm can illustrate
the following (1) Their protection agenda is consistent with best
practices, (2) have active
management, (3) All the procedures and applications are being
followed well, and (4) Adequate
tools are involved in detecting malware and illegal activities.
The lack of investment in
cybersecurity is one of the biggest issues. Many legal
professionals (lawyers) describe costs as
an important factor in the planning of cyber-attacks, why law
firms fall behind. At least up-to-
date software is needed for an efficient cyber risk program and
9. is very expensive for all law
firms. Law firms have never been highly technical and are now
pressurized to upgrade their
systems, as company breaches are being publicized by news and
consumers are increasingly
asking about protection (Heikkila, 2009). In New York at the
beginning of 2012, the FBI
released notices to businesses to discuss the possibility of
infringements and misuse of consumer
data. Alan Paller, the research director for the Cyber Training
SANS Institute, disclosed at the
same time that he had a wonderful conversation with associates
from a New York corporation,
told the FBI that they had all their consumer records were stolen
(Alwan, 2018).
Surveys
In the areas of personal injuries, housing, tax, and intellectual
property, law firms serve as
custodians for intensely sensitive details for their customers. It
is therefore important to maintain
appropriate procedures for cybersecurity to guard the
information and maintain the trust that
consumers put in them. Breakdown of this process results in
degradation of the company's
reputation and severe consequences for clients. Several cases
are depicting the above scenario.
For example, in the year 2020, a file was hacked in September,
having the information of 9
employees. All the important and personal information like
name, phone number, email address,
passport number, social number, and other important details that
could be used as identity theft.
To recover all the employees from the cyber hack, the law
company had to pay free credit
10. monitoring service to all its client's employees. It is estimated
by the American bar association
that almost 29% of respondents on the survey have faced cyber
threats related to data breaches.
But only 34% of firms are maintaining the plan of cybersecurity
incidents ("2020
Cybersecurity", 2021).
A survey of dark-web activity stated that how actors monetize
their abuse of law firms
(screenshot in appendix 1). This is accomplished largely by the
hacking and resealing of a law
firm's data. For example, in the given (Appendix1) on June 14,
2020, on the forum Dark Web,
the risk player "pirate cap" proposed to trade. The approach of a
domain manager level to a law
firm offered at the USD 24 million in revenue, where the
opening offer was USD 500 (Andariel,
2021). Another such example can be seen in appendix 2. On
October 28, 2020, a risk
factor "whisper". With the message, they give a business in the
area of corporate law and
advocacy access to 25 hosts on the network of the target
company. This is likely to be a
considerably higher access standard from the 25 hosts to the
starting request of the USD 1,000.
This would cause great harm to the law firm (Tyler Combs,
2021).
Commented [DW7]: Sentence fragment—overall, I’m
seeing a lot of sentence issues, mostly revolving around
wording that is hard to understand. Be sure to proofread
carefully.
Commented [DW8]: This is another example of a fragment.
11. Prevention
Although the cybersecurity of law firms is seriously threatened,
there is clear action that
is vital for law firms to take to defend themselves. As stated
earlier, a 2020 cybersecurity study
from the American Bar Association found that incident response
plans were in place only for
34% of the respondent of law firms. Therefore, business
monitoring and cyber-attack recovery
protocols are a valuable starting point. If lawyers do not know
how to speak when a suspicious
email is opened or major files are lost, and nobody is
responsible for fixing these problems, a
company is opening up to simple manipulation.
A cognitive approach to cybersecurity: This is another approach
that can be brought into
practice. In this various approach to cybersecurity is defined. It
is motivated by human cognition
to learn diverse information. In Oxford's dictionary, awareness
is characterized as "the mental
action or process of acquiring knowledge and understanding
through thought, experience, and
the senses".
One new feature of our frame is its capacity to assimilate
complex textual information
and combine it with wrongdoing, identification of known and
unknown attacks. With written
sources, the key problem is that the knowledge may be
12. incomplete and is for human use
(Narayanan et.al, 2018). However, trained individuals must be
aware of constructive cyber safety
to avoid attacks in the first place. Most of the cybersecurity
workers at big corporations (those
who hire over 100 lawyers) have been dedicated for this
purpose, although this figure is dropping
dramatically as the size of the businesses reduces. However,
whatever the scale it is, workers
must grasp simple security procedures. Cybersecurity
requirements can differ greatly according
to the size and capabilities of the organization. For certain
businesses, this would also include
instruction in activities such as efficient login credentials
protection, fraudulent email detection,
and other cheap and typical prevention. Because of the
comparatively few law professionals with
IT backgrounds, this is especially required. Last but not least,
law firms must be kept updated on
the cyber challenges they face. Via the loss prevention services
of AdvIntel, businesses may have
access to specialized, proprietary sources of knowledge on
risks. By detecting prominent botnets
associated with ranch bands and analyzing DarkWeb markets,
AdvIntel, and our Andariel
network, law firms are provided with real-time information on
their most volatile and active
risks. Our approach to intelligence gathering and research is to
help law firms retain a strategic
advantage over the risks that are meant to manipulate them, and
we view the legal industry as
one of our focus industries.
13. Commented [DW9]: This is an example of a sentence
whose wording doesn’t quite make sense. “There is clear
action that it is vital” is hard to understand. Be sure to
proofread the document carefully.
Commented [DW10]: This is another example.
Recommendations
Apart from the aforementioned research, further investigation in
this emerging field is
recommended. The first review paper to be established from this
research work can be developed
considering other similar legal sectors, including businesses or
application service providers for
law support programs. For instance, a sample of cybersecurity
feedback may be analyzed and
compared with legal firms and can be used to detect if the
protection of corporate laws is
perceived differently.
Conclusion
Following an impact assessment and liability on all possible
kinds of risks to data
privacy, it seems like the most important lesson to be learned
14. from past company violations is
that cyber policy and regulatory processes are not consistent,
successful, and consistent. This
emphasizes the need for a comprehensive cybersecurity
solution. Law firms should not only
comply with the regulatory checklist but should also make a list
in its entirety and go above what
regulators expect to secure not only their data but also the data
of their clients. Policymakers
must now evaluate and enforce the regulations that have been
checked in these studies to
guarantee that the internet is more protected to protect their
clients.
Commented [DW11]: I’m not sure what you mean here—
you are repeating “consistent.”
References
John Reed Stark. 2021. Law Firms and Cybersecurity: A
Comprehensive Guide for Law Firm
Executive Committees. Retrieved 15 February 2021, from
https://www.johnreedstark.com/wp-
content/uploads/sites/180/2016/04/Law-Firm-
15. Cybersecurity-Guide-Final-PDF.pdf
Alwan, H. (2018). Policy Development and Frameworks for
Cyber Security in Corporates and
Law Firms. International Journal Of Legal Information, 46(3),
137-162. DOI:
10.1017/Jul.2018.41
Mayo, V., Mayo, V., Spencer, K., Spencer, K., & Spencer, K.
(2021). The Role of Cybersecurity
in the Legal Field. Retrieved 15 February 2021, from
https://www.biggerlawfirm.com/the-role-of-cybersecurity-in-
the-legal-field/
Faith M. Heikkila. (2009). An Analysis of the Impact of
Information Security Policies on
Computer Security Breach Incidents in Law Firms. Retrieve at
https://core.ac.uk/download/pdf/51097899.pdf
S. N. Narayanan, A. Ganesan, K. Joshi, T. Oates, A. Joshi, and
T. Finin. 2018."Early Detection
of Cybersecurity Threats Using Collaborative Cognition," IEEE
4th International
Conference on Collaboration and Internet Computing (CIC),
Philadelphia, PA, 2018, pp.
354-363, DOI: 10.1109/CIC.2018.00054.
16. Commented [DW12]: Alphabetize by first letter in the
entry. O
Commented [DW13]: Be sure to use APA format—the last
name goes first.
Andariel. (2021). Threat Prevention. Retrieved 15 February
2021, from https://8dfd1b9a-1d6d-
4233-af4b-
26b0945b72b9.filesusr.com/ugd/0e8cc9_a30a4def495049a28c51
1e92ef29959d.pdf
Tyler Combs. (2021). Retrieved 15 February 2021, from
https://www.advanced-
intel.com/post/breach-of-trust-how-threat-actors-leverage-
confidential-information-
against-law-firms
2020 Cybersecurity. (2021). Retrieved 15 February 2021, from
https://www.americanbar.org/groups/law_practice/publications/t
echreport/2020/cybersec
urity/