Virus alert

Until the recent emergence and spread of COVID-19, computer viruses, hacking and cybercrime were among the issues of greatest concern to businesses in Europe. During 2018, according to the Spanish Computer Crimes Observatory, more than 110,000 cases of falsification, illicit access, fraud or violations of industrial property were detected, against both individuals and companies. Law firms remain the obscure object of desire for cybercriminals.


The Spanish National Cybersecurity Institute (INCIBE) certifies that it manages more than 100,000 incidents per year and, according to the report presented last February by Cybersecurity specialist company Aon “Solving the cyber puzzle: the unexpected ways cyber risk impacts your business,” the global damage by ransomware is expected to reach twenty billion dollars by 2021.

TECHNOLOGY AND THE HUMAN FACTOR

“Security should encompass all stages through which all data pass. From origin to destination, passing through all the systems and people who access the information.” This is what Manuel Asenjo, IT Director at Eversheds Sutherland Nicea, says when describing what he considers to be Cybersecurity. “Currently the trend is to use hardening (reinforcement of a system to the maximum), but what is really complicated is hardening with people. It is the user who, when the time comes, will be able to stop many of the attacks by paying attention to the actions he or she carries out on a daily basis,” he says.

Noemí Brito, partner in charge of the Technology Area at Ceca Magán Abogados, agrees with him, clarifying that “Cybersecurity does not only include aspects related to the correct preventive and corrective technical security of assets, systems or networks, or even the prevention and management of any security breaches that may occur. The real key to fostering Cybersecurity revolves around the integration of a genuine awareness and culture in organizations around the importance of promoting and maintaining Cybersecurity and cyber-resilience processes. This is still the main outstanding issue.”

Jesús Yáñez, Risk & Compliance, Cybersecurity and Privacy & Data Protection partner at Écija Law & Technology, is of the same opinion and points out that “we talk about securing IT systems as best as possible, but there is no doubt that people are also part of these processes because of what we know and the uses we make of IT systems. Therefore, there is a tremendously technical component, but also, and not less important, a human component.” User training is fundamental; “each company,” says Joaquín Muñoz, head of IT&IP Law at Ontier, “depending on its area of activity, structure and approach to the business, must evaluate the different risks that can affect its proper functioning and, based on that evaluation, focus on the more critical aspects. Thus, the aspects most commonly covered by Cybersecurity are network security, endpoint security, data security, secure database and infrastructure management, disaster recovery and business continuity. But all of this is meaningless and ineffective if it is not complemented by user training and the creation of a company culture that puts security and compliance at the centre.”

In addition to the above, Francisco Pérez Bes, partner of Digital Law at Ecix Group, explains that “Cybersecurity also extends to other areas, such as terrorism, espionage and disinformation. The latter has also become a clear threat to the reputation and prestige of organizations and their leaders, something that may even affect companies’ stock market price, or the stability of a country if the incident affects critical infrastructure.”

SOPHISTICATION OF CYBER ATTACKS

“Attack profiles and trends change and evolve depending on the attacker’s target,” warns Joaquín Muñoz. “Thus, it will be different if the attacker wants to get hold of some kind of valuable company information (business secrets or databases) through an intrusion in its servers, wants to receive money from the company through some trick/blackmail or intends to cause damage to the company through a targeted attack.”

For Jesús Yáñez, although there are still cyberattacks that focus on technical aspects, such as ransomware, “we are mainly concerned about the vulnerabilities of two-factor systems, especially those based on the SS7 protocol, which emerged in the late 80s and was not designed to be secure, but to be effective, because operators were very limited. It has been demonstrated that the SS7 protocol is vulnerable in sending SMS, and SMS can be diverted, so that an attacker could access those codes sent via SMS if a mobile phone is compromised, hence the great importance of securing these mobile devices. In our experience,” Yáñez explains, “these devices are not secured like others and it is a tremendous mistake, considering they are often used to access corporate information.”

In this sense, Manuel Asenjo recalls that “2019 was the year of ransomware; the kidnappings paid in Bitcoins took advantage of the cryptocurrency rise. By 2020 we expect an increase in ‘banking trojans’ on Android platforms, which are programs that are installed in a latent state and go unnoticed and, when the time comes, can intercept and transmit our banking credentials. It is also expected that 80% of the threats will go to a targeted audience, where the human intervenes in a decisive way.”

For her part, Noemí Brito highlights the “sophistication of cyber adversaries” due to the increase in advanced AI and swarm intelligence; swarm cyberattacks, which can take advantage of 5G technology, are becoming increasingly sophisticated. “This is why,” she says, “we need to adopt new forms and proactive techniques for detecting threats and vulnerabilities (Threat Hunting), combining traditional detection techniques with intelligent technologies such as Artificial Intelligence and Machine Learning, in order to detect attack patterns even before they materialize.”

LAW FIRMS IN THE SPOTLIGHT

“Law firms are a clear target for cybercriminals,” says Francisco Pérez Bes. “It is true that the larger the firm, the more exposure it has, and precisely for this reason there must be more emphasis on preventive aspects: awareness, sensitivity and training. Each office must develop its own Cybersecurity culture. To this end, they can use free content (as in the case of ‘Protect your company’, from INCIBE, among others), and external suppliers to reinforce the most critical areas at any given time: awareness, training, simulations, etc. Obtaining quality seals for information protection is another good way of adopting best practices. After all, Cybersecurity is a corporate responsibility matter, as well as a commitment to ethics based on the protection of professional secrecy.”

Joaquín Muñoz ratifies this idea: “giving priority to the protection of assets and information is nowadays a lawyer’s deontological duty,” something that is also supported by Manuel Asenjo: “All law firms must be prepared; they all handle important information about their clients and, regardless of their size, they can suffer attacks, which to a greater or lesser extent will cause their reputation to be seriously damaged.”

Jesús Yáñez believes that “headcount is the least important thing; in the end, security falls on technical aspects, but also human and procedural ones, hence the measures are similar regardless of the volume.” Brito agrees with him: “All law firms, regardless of their size, must comply with personal data protection regulations, which implies having a security policy appropriate to the security risks involved at any given time. I recommend adopting the recommendations included in the ‘Cybersecurity and online reputation guide for law firms’ published by the General Council of Spanish Lawyers (CGAE) and INCIBE, and the ‘Cloud computing user guide for law firms’ published by the AEPD and the CGAE is also very useful.”

BUDGET EXPENDITURE

“There is no common rule,” says Joaquín Muñoz, “just as total security does not exist in Cybersecurity, spending on security infrastructure can be very high, but it does not guarantee zero risk. It is advisable for companies to have a good Cybersecurity Plan defined, which should be based on a good analysis of their business activity, infrastructure, as well as the real risks they face, so that based on that analysis, they can determine the priority and organize themselves to gradually improve their protection by implementing measures. This process has to be iterative and incremental, the review and continuous improvement of this plan is paramount so that the company can focus on those critical issues for its business.”

Francisco Pérez Bes agrees with him, saying that investment “must depend on the needs of each moment, although what is important is not so much the quantity but the quality of the measures to be implemented. In any case, Cybersecurity in organizations must be a function that cannot be discontinued.” However, Asenjo is categorical: “All the investment that can be made. It is not only information that is at stake, but also their most valuable asset: their reputation, and this is something that, as the ad says, is priceless. With this clear premise, we must try not to crack a nut with a sledgehammer. If we are a firm with only one office and few lawyers, we must encrypt the equipment and devices, encrypt the information we exchange and hire a professional cloud, install a good antivirus, protect communications and constantly update systems. An annual training plan and the above measures should be enough and do not involve a large investment. In the case of medium-sized offices, I would recommend security suites that have a SIEM system and firewalls that allow tunnelling to secure connections, and of course all of the above. In the case of bigger firms, each location has to be controlled as if it were a fort and coordinated with a centralized security, with enough layers so that the attackers cannot reach the objective and the systems deceive them, taking them to the different traps prepared for them. These offices should have a CERT (Computer Emergency Response Team). Maintaining a team like this has a high cost in both tools and personnel.”

CONTINGENCY PLAN

“There is a series of standards (ENS, NIST, ISO 27001, INCIBE’s Cybersecurity Master Plan, GDPR…) that we can take as a reference,” says Joaquín Muñoz, “but it must always be aligned with the company’s vocation for compliance and be a consequence of a previous risk management analysis.”

Francisco Pérez Bes: “Contingency plans must cover all aspects of the company’s activity. And, what is more important, to foresee unforeseen events, and to clearly design how the organization should act, in order to be able to deal with an incident, from the moment it is detected until it is resolved. It is important to obtain estimated response and recovery times in the most realistic way possible. This way we ensure the plan can be as successful as expected,” says Manuel Asenjo.

SECURITY BREACH

Acknowledging and communicating that one has been a victim of a cyberattack as soon as possible is another point of discussion. Should one communicate immediately? “Absolutely,” says Jesús Yáñez. “There is this idea that being a victim of a cyberattack and reporting it to the authorities could bring a penalty, but it is not true. The idea behind mandatory communication is solidarity and coordination between incident response centres (CSIRTs). Only in a coordinated way and by sharing knowledge can increasingly sophisticated attacks be dealt with.”

Joaquín Muñoz points out that “it is mandatory depending on the type of attack and the company’s type of activity. An attack compromising personal data, following the obligation of the RGPD, will have to be communicated to the Spanish Data Protection Agency and if, in addition, it can put the rights and freedoms of the people contained in the database at risk, it will also be necessary to notify them. The main doubt of companies is usually to determine whether a security incident becomes serious enough to be notified to the AEPD, since notification does not exempt the company from assuming objective responsibility in case the authority deems it so.” The time factor is crucial for Brito: “The sooner the existence and extent of the cyberattack is established, the sooner it can be mitigated and alleviated, preferably by taking a proactive stance on solutions, notifications to relevant competent authorities and stakeholders, and the adoption of appropriate corrective and improvement measures.” For his part, Francisco Pérez Bes explains that, apart from being mandatory, “the exchange of information regarding cybersecurity incidents is essential to effectively combat cybercrime. Traditionally, CERTs have been a key agent for receiving information and sharing it with State security forces and other agencies. It is precisely this exchange of information that makes it possible to prevent, warn and properly manage threats arising at any given time.” Pérez Bes explains that the General Data Protection Regulation and the NIS Directive already explicitly include this obligation. And he comments that “the Whistleblowing Directive imposes an obligation on companies to implement measures to protect whistleblowers who wish to disclose the existence of a Cybersecurity incident in their organizations.”

Article by Desiré Vidal.

To read the article in full, please download issue N.93.