Q&A: Mike Johnstone – “The scammers use all sorts of tricks to take advantage of the good nature of people.”

[Australasian Law Management Journal,Compliance & Risk Management,General Management,Technology] September 5, 2018

In this Q&A, Edith Cowan University cybersecurity expert Associate Professor Mike Johnstone discusses the latest security threats law firms must combat; how to overcome password vulnerabilities; and why employing cybersecurity experts is not needed at most firms.

In your research with colleagues at Edith Cowan University’s Security Research Institute, a survey of lawyers (see results below) revealed a lack of attention to antivirus protection on work computers and ignorance about smartphone safeguards. Given that the practice of law is built around protecting client information and data, why do you think lawyers have become complacent?

“It’s not about law firms being complacent. They’re probably unaware of the risk because their core business is law, not cybersecurity. It’s somewhat like driving a motor vehicle. Most people are aware of the principles of a combustion engine and how a drive chain will work to put power into wheels, but that doesn’t mean they’re mechanics and can fix it. The essential problem is that lawyers are not cyber experts, but they should still be aware of the risks they face.”

We’ve all heard about ransomware and hacking attacks, but what are the chief threats to firms?

“Phishing attacks are popular with cybercriminals because they are very cheap to deploy. It’s quite easy for someone to create a nice email that looks like it comes from your bank or another organisation with links to your firm. The people who do this are quite sophisticated and it’s not random at all – these scams make a lot of money.”

How much money are we talking about?

“In terms of all cyber-attacks, not just phishing scams, insurance giant Lloyd’s estimates that the Australian economy will be exposed to a potential $16 billion damage bill over the next decade. Now that covers all businesses, not just law firms, but it shows the extent of the problem. Furthermore, IBM surveys on data breaches of more than 400 companies indicate that the average breach costs a company about $3.5 million. Whose got a spare $3.5 million to pay for each data breach?”

A big talking point at the moment is business email compromise, a type of scam involving social engineering tricks to impersonate a CEO or an executive in emails and request bogus wire transfers. Tell us about this form of attack?

“The way this works is that it’s not necessarily a technical attack on a business whereby systems are hacked or there is a denial of service that destroys a network. Rather, the cyber criminals might try to exploit your social network or your trust network so they can break into a system. So, for example, if someone wanted to attack an organisation they wouldn’t go for the CEO, they might go for other members of staff. Then, if they can convince the staff that they’re legitimate, they’ll forward the email to the CEO and say, ‘Hey, check this out’ – and because of the trust relationship she’s much more likely to click on that link. This type of attack is much more successful than we might imagine.”

We understand that, for example, hackers might copy an executive’s email block or target lower-level employees with emails early or late in the day with urgent demands for payments. Is that common?

“Yes, the emails always have a sense of urgency and suggest that, if a payment isn’t made quickly, the person sending the email could lose their job. Or they may try some other sort of coercion. These emails are often carefully worded to push vulnerable people’s buttons and work on the psychology of fight or flight. It plays on people’s emotions and, even though there may be a corporate policy advising staff about appropriate actions, it’s natural that people want to help others. The scammers use all sorts of tricks to take advantage of the good nature of people. In the United Kingdom, what they are calling ‘Friday afternoon fraud’ has become a phenomenon – it’s the situation whereby law firms or other parties are tricked into giving bank details to fraudsters, usually as conveyancing transactions are being completed on Friday afternoons.”

A lax approach to passwords is a problem for many businesses, including law firms, where some staff members are still apparently using generic passwords such as ‘welcome1’. What are they doing wrong?

“Regrettably, welcome1, admin, 123456, qwerty and the like are not good passwords. The cyber criminals have databases of millions of passwords, so you can bet that all the permutations and variations of generic passwords are probably already on their list. Some people opt for a phrase out of a popular novel such as ‘It was the best of times, it was the worst of times’. That’s a nice long password, but unfortunately the scammers also have access to these novels in different languages. So it’s best not to choose a phrase out of a novel.”

What are some better options?

“Some businesses have a corporate policy that all passwords must be different, random and perhaps be 15 characters or so long, which by the way is good security. But no one wants to have to remember half a dozen completely random passwords. Most people can’t do that. So another way is to use password-management software that digitally stores all your passwords and to access them all you need to remember is a long passphrase that only you know – not your mother’s maiden name, or your dog’s name, but something of which only you are aware. The other way is to shift away from passwords completely. With devices such as smartphones, tablets and laptops, most of them have inbuilt biometric technology, so it can read your fingerprint, your voice or your iris for example, and away you go.”

Some cyber experts suggest education of employees and encryption of data is the key to security. Do you agree?

“Encryption is your friend, very much so. In terms of what you encrypt, if you just want to send me an email saying ‘come to a meeting’, that’s not particularly secret and doesn’t require encryption. However, if we ‘re sharing tender documents or some sort of contractual information where a third party could gain a business advantage, it’s best to encrypt those emails, especially if you’re using a third-party email service. In such cases you should learn how to use encryption because it’s reasonably straightforward – it’s not a technical decision, it’s a business-value decision about what risks you face. The same applies to storing documents in the cloud – don’t just assume that all your security concerns will be handled by the service provider.”

That raises the question about using ‘open’ email platforms such as Gmail, Yahoo or Hotmail when lawyers or staff are working remotely. We have even heard stories of barristers sending highly personal information over such platforms. How should this be handled?

“In our survey, quite a number of respondents indicated they were happy to forward work emails to a third-party service such as their home email. Law firms need to have a policy around this. What happens is that most firms insist on having high security, but then realise that such a policy can result in difficulties in terms of usability for people wanting to work from home. You can’t make a system so secure that people can’t use it – people will find ways around such rules so they can actually do the work. Firms need to think through their policies, though. Remember, for example, that a corporation such as Google owns the Gmail email platform, so you don’t have true control over any information you send on it. That raises questions about data sovereignty and terms of service and the fact that data that is stored digitally may be stored overseas and is, therefore, subject to the jurisdiction of more than one country, Lawyers are very good at reading contracts, so it’s a good idea to read any agreements to make sure you are fully aware of your obligations and rights if you’re flicking work emails through to another system for the sake of convenience.”

In an infamous case last year, one of the world’s biggest law firms, DLA Piper, was hit by the global NotPetya cyberattack, which seriously curtailed employees’ access to emails and documents. What can we expect in the short-term as scammers ramp up their attacks on firms and businesses?

“It’s predictable in so much as the situation will get worse. Our national broadband networks are getting better and faster, which is great for transferring information. Regrettably, though, the people who promulgate these cyber-attacks can also use that speed to target firms. There are two things about this that worries me. The first is that in the past you used to have to be a specialist to perform these cyber-attacks. However, just as you can buy legal or cloud services, cybercrime is now also a service-based phenomenon. You can rent people to do it for you. And you can bet they won’t use their own infrastructure to carry out these attacks – they will take over some unsuspecting person’s computer in another country and have the attack come from there. Trying to work out where that attack is coming from is difficult. The second concern is that, assuming you want legal redress for the loss of business caused by a cyber-attack, you have to go back to those countries in a legal sense and check if you have a treaty with them to follow up on law enforcement. You can see how difficult that can be in a legal and practical sense. There may be a trail to the perpetrator eventually, but trying to get redress for that loss of business is very difficult.”

New rules around the mandatory notification of data breaches up the ante for all organisations, including law firms, who must in certain circumstances report breaches to the Office of the Australian Information Commissioner (OAIC). What are the implications for law firms?

“To date, most of the data breaches have been for revealing contact details, and you might think that this is pretty harmless because it’s not bank details or other such information. But hackers can do a lot with just one piece of data and use it to snowball their knowledge of an organisation. So all businesses need to be careful, especially law firms because scammers may try to target them because they are custodians of confidential information. OAIC figures for April to June this year show that almost two-thirds of data breaches are the result of malicious or criminal attacks, and about one-third relate to human error such as sending emails containing personal information to the wrong recipient. So, through training, all firms can at least try to reduce the human error factor.”

Given cybersecurity is becoming such a crucial business issue, should law firms be investing more into recruiting suitably trained cyber specialists rather than simply relying on software fixes?

“As a cybersecurity specialist, I should say ‘yes’, but in practical terms a law firm’s core business isn’t cyber, so outsourcing the task is a more viable option for most firms. It could be possible for larger firms, but smaller partnerships and sole traders just don’t have the resources.”

But ignoring the issue is clearly not an appropriate response, right?

“No, especially for law firms that have overseas clients it can result in very interesting international law implications. Take, for example, the General Data Protection Regulation (GDP) regulation in European Union law on data protection and privacy for individuals. Europeans have always been very strong on personal privacy, so the GDPR is hardly a surprise and they take it very seriously. For companies dealing with a European business, the Australian law firm that’s assisting the local firms needs to be aware of that supply chain because the instant you transfer data in or out of the European Union, there may be ramifications around the GDPR, much as is the case in Australia with the Australian Privacy Principles. Lawyers and law firms really have to understand this environment.”


The key findings

The Edith Cowan University’s Security Research Institute (ECUSRI) survey of 122 lawyers on their cybersecurity practices reveals:

  • 11 per cent of lawyers had no anti-virus protection on their work computer;
  • 41 per cent did not know what cybersecurity countermeasures were in place on their smartphones;
  • 64 per cent reported using home or free public Wi-Fi;
  • 41 per cent did not have automatic updates switched on for their work computer;
  • 53 per cent forward work-related emails to a non-business email account (Gmail or Hotmail);
  • 94 per cent use email to send confidential data; and
  • Only 9.4 per cent use encryption to protect client data.

 What you should do?

The research identified five key areas for immediate improvement:

  • Turn on automatic software updates on all devices;
  • Utilise cybersecurity countermeasures such as antivirus software and firewalls on computers and smartphones;
  • Encrypt sensitive client data, especially when sent via email;
  • Limit use of third-party email services such as Gmail and Hotmail; and
  • Report cyberattacks to government initiatives such as the Australian CyberCrime Online Reporting Network (ACORN).