Alexandra Wedutenko - Clayton Utz - Cyber Security and the Legal Profession
TRANSCRIPT
© Clayton Utz
CYBER SECURITY AND THE LEGAL PROFESSION
Alexandra Wedutenko
Partner, Chair of Cyber Security Board
22 June 2016
OVERVIEW OF PRESENTATION
Cyber security and the legal profession
How can the legal profession minimise the risk of cyber attacks?
How can government and the IT industry best work with the legal profession to safeguard systems and data?
INTRODUCTION
ACSC 2015 Cyber Security Survey: Major Australian Businesses
» Ransomware is the most prevalent type of incident (72% of respondents affected)
» 70% are concerned by the threat or breach of confidential information
» 64% of respondents provide services to government
CYBER SECURITY AND THE LEGAL PROFESSION
Law firms represent an attractive target for hackers
Hackers are not just targeting credit card details and personal information - they want information that:
» holds economic value (mergers and acquisitions, business strategies, intellectual property, investments etc)
» promotes ideological causes
CYBER SECURITY AND THE LEGAL PROFESSION
Understanding cyber security risks and implementing adequate data security measures is not simply a risk management tool for the legal profession
The obligation of confidentiality is a critical feature of the lawyer–client relationship
CYBER SECURITY AND THE LEGAL PROFESSION
Identifying cyber security risks that affect business including the legal community
Data breach
» External: unauthorised access by a third party
» Internal: human error, poor internal controls or deficient system infrastructure
Denial of service
» Shutting down critical infrastructure
» Preventing or disabling access
CYBER SECURITY AND THE LEGAL PROFESSION
A cyber security incident can lead to serious damage to an organisation, including those in the legal community
» Reputational damage
» Loss of clients
» Financial loss
» Disruption to business
» Breach of Privacy Act 1988 (Cth)
EXAMPLES
Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP
» Hackers targeted the firms' computer networks, possibly looking to profit from confidential or insider information about publicly traded companies
» The initial damage of such an attack is difficult to determine, as stolen information can take time to make it to market
» The firms represent Wall Street banks and Fortune 500 companies
EXAMPLES - LEAKS
Panama Papers
» Panamanian law firm Mossack Fonseca & Co suffered a serious server hack
» More than 2TB of data was compromised
» The firm specialises in the creation of shell companies which can be legally used to hide the ownership of assets
EXAMPLES - LEAKS
Panama Papers
» 11.5 million records were leaked, including emails, contracts, bank records, property deeds, passport copies and other sensitive information
» The ATO will be investigating more than 800 Australian residents that have been identified in the leak
HOW CAN CYBER RISKS BE MANAGED?
Cyber risks should be managed by a strategic and coordinated approach - it is not just an IT issue
Focus on end-to-end processes
Management and, where applicable, the Board must be sensitive to cyber security threats to foster a culture of vigilance
AUSTRALIAN SIGNALS DIRECTORATE
The ASD states that 85% of the targeted cyber intrusions it responds to could be prevented by following the Top 4 mitigation strategies in the ASD's "Strategies to Mitigate Targeted Cyber Intrusions"
AUSTRALIAN SIGNALS DIRECTORATE
The 'Top 4' include:
1. Use application whitelisting to help prevent malicious software and unapproved programs from running
2. Use patching to fix security vulnerabilities in applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
AUSTRALIAN SIGNALS DIRECTORATE
3. Patch operating system vulnerabilities
4. Restrict administration privileges to operating systems and applications based on user duties
There are 35 Mitigation Strategies listed in ASD's "Strategies to Mitigate Targeted Cyber Intrusions"
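Strategy 1 above, as an added example that is not ASD's or Clayton Utz's code: a small Python allowlist check that contrasts a path rule ("permit anything under the firm's tools directory") with a hash rule ("permit only binaries whose SHA-256 is on the approved list"). The directory names and file contents are constructed for the example and stand in for real binaries. The scenario shows the property a practitioner wants from whitelisting: a renamed copy of an approved tool stays approved under the hash rule, while an unapproved binary dropped into the trusted directory is refused by the hash rule even though the path rule would let it run.

```python
"""Hash-based versus path-based application allowlisting (added example).

Not ASD's or Clayton Utz's code. Paths, file names and file contents are
constructed placeholders; real deployments hash the actual executables.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def path_rule_permits(path: str, trusted_dirs) -> bool:
    """Weak rule: permit anything located under a trusted directory."""
    real = os.path.realpath(path)
    return any(real.startswith(os.path.realpath(d) + os.sep) for d in trusted_dirs)


def hash_rule_permits(path: str, approved_hashes) -> bool:
    """Strong rule: permit only binaries whose SHA-256 is on the approved list."""
    return sha256_of(path) in approved_hashes


def demo() -> dict:
    """Constructed scenario: an approved tool, a renamed copy of it, and an
    unapproved binary dropped into the trusted directory.  Returns the decision
    of each rule for each file."""
    root = tempfile.mkdtemp()
    trusted = os.path.join(root, "Program Files", "Firm Tools")
    downloads = os.path.join(root, "Downloads")
    os.makedirs(trusted)
    os.makedirs(downloads)

    # Approved binary: its hash is recorded on the allowlist (constructed bytes).
    approved_exe = os.path.join(trusted, "docsign.exe")
    with open(approved_exe, "wb") as fh:
        fh.write(b"MZ approved document signing tool (constructed bytes)")
    approved = {sha256_of(approved_exe)}

    # Same bytes copied elsewhere under a new name: hash rule still permits it.
    renamed_copy = os.path.join(downloads, "docsign_portable.exe")
    shutil.copyfile(approved_exe, renamed_copy)

    # Unapproved binary dropped into the trusted directory: path rule permits it.
    dropped = os.path.join(trusted, "updater.exe")
    with open(dropped, "wb") as fh:
        fh.write(b"MZ unapproved binary (constructed bytes)")

    results = {}
    for label, candidate in (("approved", approved_exe),
                             ("renamed_copy", renamed_copy),
                             ("dropped", dropped)):
        results[label] = {
            "path_rule": path_rule_permits(candidate, [trusted]),
            "hash_rule": hash_rule_permits(candidate, approved),
        }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13s} path_rule={decision['path_rule']!s:5s} hash_rule={decision['hash_rule']}")
```

The hash rule is what makes the control worth its operational cost: an attacker who can write to a trusted directory (a common outcome of the "internal" data breach causes listed earlier) defeats a path rule immediately, but cannot produce a file matching an approved hash.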
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Framework for Improving Critical Infrastructure Cybersecurity 2014
» US Government initiative that includes industry standards and best practices to help organisations manage cybersecurity risks
» Cost-effective way to manage cybersecurity risk based on business needs without placing additional regulatory requirements on businesses
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Framework for Improving Critical Infrastructure Cybersecurity 2014
» Adopts a risk-based approach that focuses on using business drivers to guide cybersecurity activities
» Composed of a Framework Core, Framework Implementation Tiers and Framework Profiles
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Framework for Improving Critical Infrastructure Cybersecurity 2014
» Five functions: Identify, Protect, Detect, Respond and Recover
» Assists with identifying key issues and mapping an organisation's readiness and ability to deal with cyber attacks
» The exercise may reveal that an organisation is properly addressing cyber security risks, or, alternatively, that there are gaps in its approach
CASE STUDY: INFORMATION SECURITY IN THE CLIENT CONTEXT
Your business holds a range of important customer data and is procuring outsourced ICT services under a long-term contract.
You want to achieve a good total cost for the services. You are seeking quality services that enable you to benefit from technological improvements over time.
You are interested in a mixture of managed services and cloud technology.
CASE STUDY: CONTINUED
As a lawyer, you need to address:
» Where cloud storage is maintained and which jurisdictions data will flow through
» Harmful code protection
» Contract documentation
» Asset management, configuration control and supply chain logistics
» Source of hardware/equipment
» Asset register obligations
CASE STUDY: CONTINUED
Lawyers need to think at a broad organisational level
Ensure contracts and policies address end-to-end business requirements
Business to consider outsourcing cost against risks and business impacts of a potential hack
CASE STUDY: CONTINUED
Risk tolerance informs cyber security policies and approaches
Risk tolerance is informed by:
» Nature of the organisation's businesses
» Ability to transfer, avoid or mitigate risk
» Impact of risk on the organisation's delivery of goods or services
Following industry guidelines (ASD, NIST etc.) assists in any organisation creating a robust, nimble and practical cyber security approach
CLAYTON UTZ: INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)
In September 2015 Clayton Utz became the first large Australian law firm to be ISO 27001 certified
Whole-of-firm information security controls and framework established
No exclusions - all documents, papers, electronic data and any physical IT assets
Clayton Utz's ISMS experience to inform the Law Council project
PRACTICAL TIPS
Informed by Clayton Utz's experience and industry guidelines e.g. ASD and NIST
Invest in cyber security insurance
Focus on email security
» Encryption
» Use SPAM filters to intercept suspicious email
» Invest in programs that allow the sender to disable the forwarding function on emails that contain highly sensitive/confidential information, or to set expiration dates on email communications
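The "intercept suspicious email" tip above, as an added example that is not Clayton Utz's or the Law Council's code: a small Python screening function run over two constructed messages, one legitimate and one impersonating a partner. The firm domain `firm.example`, the lookalike domain `firrn.example`, the addresses and the header values are assumptions made for the example. It applies four heuristics a mail filter in front of a law firm would want as a minimum: a display name that carries a firm address while the real sender is elsewhere, a sender domain that is a visual lookalike of the firm's, a Reply-To that redirects replies to a third domain, and failed SPF or DMARC results recorded by the receiving mail server.

```python
"""Heuristic screening of inbound email headers (added example).

Not Clayton Utz's or the Law Council's code.  The domains, addresses and
messages below are constructed for the example.
"""
import re
from email import message_from_string

FIRM_DOMAIN = "firm.example"  # assumed placeholder for the firm's own mail domain

# Deliberately small lookalike table: characters attackers substitute in domains.
_LOOKALIKES = (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"))


def _normalise(domain: str) -> str:
    """Fold common lookalike substitutions so firrn.example compares equal to firm.example."""
    d = domain.lower()
    for fake, real in _LOOKALIKES:
        d = d.replace(fake, real)
    return d


def _split_from(value: str):
    """Return (display_name, address) from a From/Reply-To header value."""
    m = re.match(r'\s*(.*?)\s*<([^>]+)>\s*$', value)
    if m:
        return m.group(1).strip().strip('"'), m.group(2).strip()
    return "", value.strip()


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def screen_email(raw: str, firm_domain: str = FIRM_DOMAIN) -> list:
    """Return the list of flag codes that fired; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    flags = []
    display_name, from_addr = _split_from(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name claims a firm address but the real sender is elsewhere.
    if firm_domain in display_name.lower() and from_domain != firm_domain:
        flags.append("display_name_spoof")
    # 2. Sender domain is a lookalike of the firm's domain.
    if from_domain != firm_domain and _normalise(from_domain) == _normalise(firm_domain):
        flags.append("lookalike_domain")
    # 3. Replies are redirected to a domain other than the sender's.
    reply_addr = _split_from(msg.get("Reply-To", ""))[1]
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append("reply_to_mismatch")
    # 4. The receiving mail server recorded an SPF, DKIM or DMARC failure.
    auth = msg.get("Authentication-Results", "")
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", auth)
        if m and m.group(1).lower() == "fail":
            flags.append(f"auth_fail:{method}")
    return flags


# Constructed sample messages (headers only need to be syntactically valid).
LEGIT = (
    'From: "Partner Name" <partner@firm.example>\n'
    "To: associate@firm.example\n"
    "Authentication-Results: mx.firm.example; spf=pass smtp.mailfrom=firm.example; dkim=pass; dmarc=pass\n"
    "Subject: Board papers\n"
    "\n"
    "Please see attached.\n"
)

SPOOF = (
    'From: "partner@firm.example" <p.partner@firrn.example>\n'
    "Reply-To: deals-urgent@mail.example.net\n"
    "To: associate@firm.example\n"
    "Authentication-Results: mx.firm.example; spf=fail smtp.mailfrom=firrn.example; dkim=none; dmarc=fail\n"
    "Subject: Urgent: settlement wire instructions\n"
    "\n"
    "Please action today.\n"
)

if __name__ == "__main__":
    print("legit:", screen_email(LEGIT))
    print("spoof:", screen_email(SPOOF))
```

The Authentication-Results check only means something when it is added by your own mail server and any copy of that header arriving from outside is stripped first; otherwise an attacker simply writes a passing result into the message themselves.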
PRACTICAL TIPS
Focus on end users
» Install antivirus programs that are centrally managed
» Implement strong policies on mobile devices
» Invest in education and training programs
» Ensure there are clear internal reporting procedures
» Introduce strong password policies
PRACTICAL TIPS
Making cyber security a strategic objective
» Undertake internal audits of systems and processes
» Undertake risk assessments, implement risk registers and management plans - ensure these are regularly reviewed and updated
» Ensure policies apply throughout the information lifecycle from acquisition/creation, through to utilisation, storage and disposal
PRACTICAL TIPS
Making cyber security a strategic objective continued
» Align internal policies with cyber security frameworks and standards such as ISO 27001 (Information Security Management)
» Ensure business recovery planning includes cyber security threats e.g. breach of network security, business interruption, cyber extortion, data breach etc
Law Council welcomes any additional tips
WORKING TOGETHER TO SAFEGUARD SYSTEMS AND DATA
Cyber attacks are a real risk to the provision of legal services
The profession must ensure its systems are safe and secure
The first step to working with government and the IT industry is to ensure that cyber security incidents are reported
WORKING TOGETHER TO SAFEGUARD SYSTEMS AND DATA
Increased collaboration and information sharing amongst the legal profession
Targeted education and assistance programs for small to medium sized legal services providers
Law Council welcomes advice from cyber security professionals in development of the project
WORKING TOGETHER TO SAFEGUARD SYSTEMS AND DATA
Opportunity for the legal profession to:
» contribute to the development of voluntary cyber security guidelines
» for small/medium sized firms, take advantage of having their systems tested by accredited experts
» align their systems to industry best practice
WORKING TOGETHER TO SAFEGUARD SYSTEMS AND DATA
Greater access to information for the legal profession to:
» understand the changing and growing nature of cyber security threats
» make informed decisions and work with government and the IT industry to take appropriate action
WORKING TOGETHER TO SAFEGUARD SYSTEMS AND DATA
The legal profession should consider:
» engaging external cyber security experts in their cyber security contingency planning
» information sharing with other organisations
» working with government and the IT industry by reporting cyber security incidents