Hacking is a persistent problem for organisations in every sector and industry, and the need for Cyber Security talent is rising sharply. Get ahead of the game with help from the aap3 Cyber Recruitment team. The only way to avoid becoming just another statistic in this growing trend of cyber crime is to plan ahead, invest in the right types of protection and train staff to ensure that best practices are being observed at all times. This preparation must be carried out from the ground up, ensuring that your IT security is built on firm foundations, rather than as an afterthought applied too late to have any tangible benefit.

1. 2015 aap
3
Limited
aap3
Southampton
3 Benham Road, Benham Campus, Southampton Science Park, Chilworth, Hampshire SO16 7QJ, UK
Tel: +44 (0) 2380 768 850 | enquiries@aap3.com | www.aap3.com
Getting Your Foundations Right
IT Security in the Legal Sector
Whitepaper
V1.0 - 18/04/2016

2. Half a billion login
details were stolen
from firms in 2015
Of the 100 most
successful law firms
operating in the US,
some form of
breach in the past
five years
Hacking is a persistent problem for organisations in every sector and industry.
A recent report from Symantec revealed that around half a billion login details
were stolen from firms in 2015, leaving businesses exposed to countless,
untold ramifications.
In spite of many high profile breaches, companies operating in the legal sphere are seen as
problematically complacent when it comes to protecting their digital assets. And the recent scandal
surrounding the theft of data from Panamanian law firm Mossack Fonseca has exemplified this
vulnerability, drawing global attention and scrutiny in the process.
Believing that the Mossack Fonseca hack is an isolated
incident may be part of the problem, as the reality is that it’s
all too common. To illustrate the severity of the situation, a
Mandrian Study revealed that of the 100 most successful
investigated over 170 law firms as a result of breaches of the Data Protection Act in 2014. In spite of
this, many firms remain blasé regarding the risks and thus fail to dedicate the necessary resources
to combating them.
Law firms are regularly hacked by cyber criminals from
around the globe not just because they are seen as soft
targets, but also because the data their IT systems contain
is extremely sensitive and thus innately valuable. Guidance
from the FBI in the US suggests that even if firms have yet
point, based upon the current rates of digital crime.
The only way to avoid becoming just another statistic in this
growing trend of cyber crime is to plan ahead, invest in the
practices are being observed at all times. This preparation must be carried out from the ground up,
ensuring that your IT security is built on firm foundations, rather than as an afterthought applied too late
to have any tangible benefit.
INTRODUCTION

3. INTRODUCTION
The costs of failing to properly secure IT systems will not be measured in purely financial terms,
although there should be no doubt as to the extent to which law firms that are hacked will face such
expense. It will also result in significant damage to the firm's reputation, with existing clients likely to
look elsewhere for support while new clients will be dissuaded from doing business with an
organisation that has proven itself to be incapable of keeping information from falling into the
wrong hands.
With the help of aap3 it is possible for law firms to live up to the IT security expectations which are now
placed upon them by clients. We can provide experienced IT Security professionals with proven
backgrounds to work with your business as employees or contractors, to design and support
solutions to face ever-changing cyber threats.
Symantec spokesperson Kevin Haley explained in a statement accompanying the aforementioned
report that cyber criminals based in countries such as Russia and China, as well as domestically in
Western nations, are well organised and have access to vast resources. In the latest security report
from CISCO, law firms were found to be the seventh most popular target for cyber-attacks. So it clearly
pays for law firms to be prepared to fight back with their own investment.

4. MOSSACK FONSECA
UNPICKING THE SECURITY FAILINGS
Until recently, the vast majority of people would not have been familiar with the name Mossack
Fonseca, in spite of the fact that it holds the honour of being the world's fourth largest law firm focused
upon asset protection. But when the Panama Papers were published and examined by more than 100
major media organisations across the globe, the firm was immediately propelled into the glare of
unwanted publicity and into the public consciousness.
The origins of the attack itself remain unknown, with the firm's founder and spokesperson Ramon
Fonseca asserting that an investigation was ongoing and that the source of the hack is almost certainly
foreign. This is effectively a denial of the claims that the leak originated internally, which would of
course raise further questions about the state of security within the firm, in addition to its operations
as a whole.
Mr Fonseca went on to argue that the fact that news outlets were choosing to report on the leaks was
a breach in its own right, failing to respect the right to privacy that the firm's clients should have
reasonably expected.
Irrespective as to the precise details of the hack, where it originated and for how long the attackers
had access to the email server that is thought to have been compromised, the undeniable fact of the
entire matter is that Mossack Fonseca's security was not up to scratch. This left it exposed to
exploitation and revealed the details of private affairs pertaining to some of the world's wealthiest and
most powerful people.
A major hack such as this not only presents a problem for the targeted organisation, but for the other
firms in the industry. If a top law firm can underestimate its IT security requirements, it follows that
many of its contemporaries and competitors could be in the same boat. Since Mossack Fonseca was
explicitly involved in asset protection, letting this protection slip is commercially disastrous, with the
adverse effects likely to take decades to disperse.
If a top law firm can underestimate its IT security
requirements, it follows that many of its contemporaries
and competitors could be in the same boat.

5. If you accept that the Mossack Fonseca hack is symptomatic of the weakness of IT security in the
legal world as a whole, then it is also important to understand precisely why organisations in this
area might be so susceptible to attacks on their digital resources.
The legal sector is not known for its dynamism. Rather, it is tied into long-standing traditions and
burdened by the influence of history; the prestigious status that it holds in society; and the
significant impact that it has on every part of life and commerce. And so enacting change within this
environment can be an arduous task that takes a great deal of time and effort to achieve.
Law firms have been forced to evolve rather more rapidly as a result of the introduction of new
technologies in recent decades. But unlike the fast-paced world of the tech industry itself, it takes
legal organisations far longer to adjust to the solutions that they are adopting. This means that the
introduction of IT security may in many cases be too slow to counteract the likelihood of a hack
taking place. So even if firms are aware of the need to take action, the process of introducing the
necessary changes may have barely begun before a breach occurs.
Further restrictions on the implementation of adequate IT security measures result from law firms
failing to provide sufficient budgetary flexibility to accommodate the requisite improvements. This is
even more worrying because in many cases clients are calling upon firms to take action against
cyber threats sooner rather than later.
The Wall Street Journal reported back in 2014 that banks including J.P. Morgan and Morgan Stanley
were eager to find out exactly what security precautions were being taken by the law firms with
which they partner. Those that do not meet the more stringent standards seen in the finance sector
are likely to be ousted in favour of better equipped rivals.
Ponderous Evolution
Budgetary Restrictions
Goodwin Procter LLP spokesperson Lorey Hoffman
admitted that the firm's site was having to cope with
up to 500 hack attempts every week
WEAKNESSES IN THE LEGAL SECTOR

6. Innate Risks
Ignorance
In this same report Goodwin Procter LLP spokesperson Lorey Hoffman admitted that the firm's site
was having to cope with up to 500 hack attempts every week, while also arguing that this is not an
unusual case but rather a reflection of the state of play in the industry as a whole. Yet without
adequate IT security budgets, chief information officers at law firms simply cannot hope to cope
with this onslaught.
Law firms come in all shapes and sizes, but even a small organisation with a handful of staff will be
at greater risk of a hack than an equivalent SMB in another industry because of the sensitivity of the
data for which it is responsible.
This data can include litigation strategies for on-going cases; confidential information pertaining to
the business operations of a client; privileged communications between lawyers and clients;
intellectual property which may be subject to patent or copyright laws; the medical histories of
employees and clients; credit card numbers; and a host of other highly sensitive details. This is a
digital treasure trove to which hackers are attracted because of its intrinsic value.
Whether sold on the black market to the highest bidder or passed on to a third party that has paid
for the hack in an attempt at corporate espionage or another information-driven criminal act, the
risks faced by law firms are proportionately enormous.
In spite of all the evidence of the dangers associated with inadequate IT security and the warnings
of experts, the greatest barrier to wider action in the legal profession is the lack of understanding
that exists amongst those in positions of power. Lawyers and other staff are often ill-equipped to
appreciate the threats that face the firm, leading to existing weaknesses being amplified by
instances of human error.
This is why organisations are compelled by experts to not only invest in security solutions that
protect IT resources from remote attacks, but also to ensure that staff receive the right training and
education so that they can use these resources in a safe and productive manner.
WEAKNESSES IN THE LEGAL SECTOR

7. Even the most thoroughly protected IT asset cannot be deemed completely immune to hacking,
because of the way in which cyber criminal techniques are constantly evolving. So no law firm can
safely assume that it is possible to prevent hacks occurring altogether.
Instead, preparations need to focus on ensuring that any hacks which are directed against the
organisation can be caught at the earliest possible moment. This will ensure that any negative
ramifications are minimised and will allowing the firm to continue to operate as normal while
maintaining the trust of clients.
Of course it is not always possible for a law firm's IT department to divide its resources between
At aap3 Recruitment we assist our clients by providing them with pre-vetted contract & permanent
resources to fill key IT Security capability gaps at consultative / design levels, to allow you to move
forward your IT security strategy in the face of modern Cyber threats
A strong foundation can be achieved by gaining certification for compliance with ISO 27001, which is
an internationally recognised standard for information security. It not only provides protection for key
systems, but means that firms can present clients with an active, independently verified assurance
that their data will be as safe as is reasonably possible. An essential attribute for any firm in an
increasingly competitive legal sector.
MOVING FORWARD

8. aap3.com