Alexandra Wedutenko - Clayton Utz - Cyber Security and the Legal Profession

© Clayton Utz

CYBER SECURITY AND THE LEGAL PROFESSION

Alexandra Wedutenko, Partner, Chair of Cyber Security Board

22 June 2016



OVERVIEW OF PRESENTATION

Cyber security and the legal profession

How can the legal profession minimise the risk of cyber attacks?

How can government and the IT industry best work with the legal profession to safeguard systems and data?

INTRODUCTION

ACSC 2015 Cyber Security Survey: Major Australian Businesses

» Ransomware is the most prevalent type of incident (72% of respondents affected)

» 70% are concerned by threat or breach of confidential information

» 64% of respondents provide services to government

CYBER SECURITY AND THE LEGAL PROFESSION

Law firms represent an attractive target for hackers

Hackers are not just targeting credit card details and personal information - they want information that:

» holds economic value (mergers and acquisitions, business strategies, intellectual property, investments etc)

» promotes ideological causes

CYBER SECURITY AND THE LEGAL PROFESSION

Understanding cyber security risks and implementing adequate data security measures is not simply a risk management tool for the legal profession

The obligation of confidentiality is a critical feature of the lawyer–client relationship

CYBER SECURITY AND THE LEGAL PROFESSION

Identifying cyber security risks that affect business including the legal community

Data breach

» External: unauthorised access by a third party

» Internal: human error, poor internal controls or deficient system infrastructure

Denial of service

» Shutting down critical infrastructure

» Preventing or disabling access

CYBER SECURITY AND THE LEGAL PROFESSION

A cyber security incident can lead to serious damage to an organisation, including those in the legal community

» Reputational damage

» Loss of clients

» Financial loss

» Disruption to business

» Breach of Privacy Act 1988 (Cth)

EXAMPLES

Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP

» Hackers targeted computer networks possibly looking to profit from confidential or insider information for publicly traded companies

» Difficult to determine initial damage of an attack as the stolen information can take time to make it to market

» The firms represent Wall Street banks and Fortune 500 companies

EXAMPLES - LEAKS

Panama Papers

» Panamanian law firm, Mossack Fonseca & Co, suffered a serious server hack

» More than 2TB of data was compromised

» The firm specialises in the creation of shell companies which can be legally used to hide the ownership of assets

EXAMPLES - LEAKS

Panama Papers

» 11.5 million records were leaked including emails, contracts, bank records, property deeds, passport copies and other sensitive information

» The ATO will be investigating more than 800 Australian residents that have been identified in the leak

HOW CAN CYBER RISKS BE MANAGED?

Cyber risks should be managed by a strategic and coordinated approach - it is not just an IT issue

Focus on end-to-end processes

Management and, where applicable, the Board must be sensitive to cyber security threats to foster a culture of vigilance

AUSTRALIAN SIGNALS DIRECTORATE

The ASD states that 85% of the targeted cyber intrusions it responds to could be prevented by following the Top 4 mitigation strategies in the ASD's "Strategies to Mitigate Targeted Cyber Intrusions"

AUSTRALIAN SIGNALS DIRECTORATE

The 'Top 4' include:

1. Use application whitelisting to help prevent malicious software and unapproved programs from running

2. Use patching to fix security vulnerabilities for applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office

AUSTRALIAN SIGNALS DIRECTORATE

3. Patch operating system vulnerabilities

4. Restrict administration privileges to operating systems and applications based on user duties

There are 35 Mitigation Strategies listed in ASD's "Strategies to Mitigate Targeted Cyber Intrusions"

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Framework for Improving Critical Infrastructure Cybersecurity 2014

» US Government initiative that includes industry standards and best practices to help organisations manage cybersecurity risks

» Cost-effective way to manage cybersecurity risk based on business needs without placing additional regulatory requirements on businesses

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Framework for Improving Critical Infrastructure Cybersecurity 2014

» Adopts a risk based approach that focuses on using business drivers to guide cybersecurity activities

» Composed of a Framework Core, Framework Implementation Tiers and Framework Profiles

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Framework for Improving Critical Infrastructure Cybersecurity 2014

» Five functions: Identify, Protect, Detect, Respond and Recover

» Assist with identifying key issues and mapping an organisation’s readiness and ability to deal with cyber attacks

» The exercise may reveal that an organisation is properly addressing cyber security risks, or, alternatively, that there are gaps in its approach

CASE STUDY: INFORMATION SECURITY IN THE CLIENT CONTEXT

Your business holds a range of important customer data and is procuring outsourced ICT services under a long-term contract.

You want to achieve a good total cost for the services. You are seeking quality services that enable you to benefit from technological improvements over time.

You are interested in a mixture of managed services and cloud technology.

CASE STUDY: CONTINUED

As a lawyer, you need to address

» Where cloud storage is maintained and in which jurisdictions data will flow through

» Harmful code protection

» Contract documentation

» Assets management, configuration control and supply chain logistics

» Source of hardware/equipment

» Asset register obligations

CASE STUDY: CONTINUED

Lawyers need to think at a broad organisational level

Ensure contracts and policies address end-to-end business requirements

Business to consider outsourcing cost against risks and business impacts of a potential hack

CASE STUDY: CONTINUED

Risk tolerance informs cyber security policies and approaches

Risk tolerance informed by:

» Nature of the organisation's businesses

» Ability to transfer, avoid or mitigate risk

» Impact of risk on organisation's delivery of goods or services

Following industry guidelines (ASD, NIST etc.) assists in any organisation creating a robust, nimble and practical cyber security approach

CLAYTON UTZ: INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)

In September 2015 Clayton Utz became the first large Australian law firm to be ISO 27001 certified

Whole-of-firm information security controls and framework established

No exclusions - all documents, papers, electronic data and any physical IT assets

Clayton Utz' ISMS experience to inform the Law Council project

CLAYTON UTZ: ISMS OVERVIEW

CONTROLS TO SUPPORT ISMS

PRACTICAL TIPS

Informed by Clayton Utz' experience and industry guidelines e.g. ASD and NIST

Invest in cyber security insurance

Focus on email security

» Encryption

» Use SPAM filters to intercept suspicious email

» Invest in programs that allow the sender to disable the forwarding function on emails that contain highly sensitive/confidential information or set expiration dates on email communications

PRACTICAL TIPS

Focus on end users

» Install antivirus programs that are centrally managed

» Implement strong policies on mobile devices

» Invest in education and training programs

» Ensure there are clear internal reporting procedures

» Introduce strong password policies

PRACTICAL TIPS

Making cyber security a strategic objective

» Undertake internal audits of systems and processes

» Undertake risk assessments, implement risk registers and management plans - ensure these are regularly reviewed and updated

» Ensure policies apply throughout the information lifecycle from acquisition/creation, through to utilisation, storage and disposal

PRACTICAL TIPS

Making cyber security a strategic objective continued

» Align internal policies with cyber security frameworks and standards such as ISO 27001 - Information Security Management

» Ensure business recovery planning includes cyber security threats i.e. breach of network security, business interruption, cyber extortion, data breach etc

Law Council welcomes any additional tips

WORKING TOGETHER TO SAFEGUARD SYSTEMS AND DATA

Cyber attacks are a real risk to the provision of legal services

The profession must ensure its systems are safe and secure

The first step to working with government and the IT industry is to ensure that cyber security incidents are reported

WORKING TOGETHER TO SAFEGUARD SYSTEMS AND DATA

Increased collaboration and information sharing amongst the legal profession

Targeted education and assistance programs for small to medium sized legal services providers

Law Council welcomes advice from cyber security professionals in development of the project

WORKING TOGETHER TO SAFEGUARD SYSTEMS AND DATA

Opportunity for the legal profession to:

» contribute to the development of voluntary cyber security guidelines

» for small/medium sized firms, to take advantage of having their systems tested by accredited experts

» align their systems to industry best practice

WORKING TOGETHER TO SAFEGUARD SYSTEMS AND DATA

Greater access to information for the legal profession to:

» understand the changing and growing nature of cyber security threats

» make informed decisions and work with government and the IT industry to take appropriate action

WORKING TOGETHER TO SAFEGUARD SYSTEMS AND DATA

The legal profession should consider

» engaging external cyber security experts in their cyber security contingency planning

» information sharing with other organisations

» working with government and the IT industry by reporting cyber security incidents

www.claytonutz.com