
Are clients judging your cyber security practices?

How you protect information is fast becoming one of the deciding factors for security-conscious organisations seeking legal representation, writes Tim Redhead.

Tim Redhead, 13 October 2022, Big Law

Collateral damage! We’re all familiar with the term used to describe unintentional or incidental damage, disruption or death arising from military and non-military actions. In the cyber security world, a good example of collateral damage occurred with NotPetya, malware that was designed to attack Ukrainian infrastructure but which leaked out onto the wider internet and disrupted businesses worldwide, including law firm DLA Piper, which claims to have spent 15,000 hours recovering from the attack.

Infiltration! A less controversial term, this one is used to describe how an attacker gradually and unobtrusively gains access to a target, often by abusing some existing relationship or trust. In the cyber security world, a good example of infiltration occurred when attackers breached network-monitoring company SolarWinds with the end goal of infiltrating SolarWinds’ customers, which included Australian and overseas law firms and US attorneys’ offices.

Increasingly, we see prospective clients test the cyber security water before signing agreements with law firms of all sizes. Those clients don’t want to be collateral damage or stealthily infiltrated when their law firm is targeted in a cyber attack, and so they look for law firms that proactively improve their cyber security maturity, thereby reducing not only the law firm’s risks but also the risks to the law firm’s clients.

Some law firms understand this, and those are the ones we partner with. Our Australian legal customers are very proactive about security and recognise that a solid cyber security profile is more than just insurance against an attack. It’s a value-adding, profile-raising business asset that attracts new, risk-averse clients.

By way of example, one of our customers is a national law firm that we have worked with for around eight years. In the early days of our relationship, we illustrated how the firm could improve its existing security processes and practices, and they were very receptive. Like everyone, they had budget constraints, so we set about designing a program that would fortify the business at a national level over time and together, we collaborated on a multi-year plan for improvement.

Security awareness

A core aspect of our client’s strategy is security awareness. This is essentially a process of allowing the chief information security officer (CISO) and the IT team to see what’s going on across their entire organisation: users, networks, mobile devices and servers. 

With total security awareness, one can be proactive about threats rather than responding to an attack and trying to pick up the blast fragments afterwards. And to assist with this, we put in place a managed detection and response (MDR) service that we still run today.

Long-term planning

Credit where it’s due: this law firm took a long-term view of its cyber security needs. Some businesses take a piecemeal approach, purchasing a firewall here or some endpoint detection and response (EDR) software there — that’s very common. But this client now has a clear strategy in place and has implemented that strategy over a number of years. 

It is improving its security maturity through a scaled process, understanding where its risks are, prioritising and triaging them, and then acting accordingly. The value of this approach is that you can see things on the horizon and begin preparing for them before they become a security incident — or worse.

Collaboration

The firm has a solid and experienced IT team in place, and in many ways, we are part of that team, providing collaborative cyber security expertise and working with our team of legal IT experts. There are no big egos here, and humility goes a long way when it comes to security.

As a result, the firm relies on us quite heavily for both MDR and security information and event management (SIEM) operations. One of the most valuable aspects of the relationship is working collaboratively. For example, one exercise we do is to see if it’s possible to bypass our own systems, so we can see where the weak points are. In the industry, we call it “purple teaming”, or sometimes “red teaming”.

We construct scenarios that mimic a cyber attack (we call it “adversary emulation”) in order to test the detections and defences we have established, and we use the results of these tests to improve the effectiveness of our systems as we go. By working collaboratively with the IT team, we have been able to improve our level of service while also upskilling our partners and building a strong relationship around the mission: Protect client information and prevent (or at least detect in a timely manner) cyber attacks. In our experience, it’s far better to discover the shortcomings of a security system as a team.
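To make the exercise concrete, here is a minimal illustration of what “replaying an adversary-emulation scenario through a detection and seeing whether it fires” looks like in code. This is an added example, not DotSec’s or the law firm’s tooling: the authentication-event format, the detection rule, its threshold and window, and all user names, IP addresses and timestamps are constructed assumptions for illustration only.

```python
"""Added example (not from the original article or from DotSec): a small
purple-team check. A detection rule is run over constructed authentication
events, then an emulated scenario is replayed through the same rule to see
whether it fires. Every value below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, source IP, outcome).
# The first block models repeated failures for one account followed by a
# success; the last line is ordinary background activity.
SAMPLE_EVENTS = [
    ("2022-10-13T09:00:01", "alice", "10.0.0.5", "failure"),
    ("2022-10-13T09:00:03", "alice", "10.0.0.5", "failure"),
    ("2022-10-13T09:00:05", "alice", "10.0.0.5", "failure"),
    ("2022-10-13T09:00:06", "alice", "10.0.0.5", "failure"),
    ("2022-10-13T09:00:08", "alice", "10.0.0.5", "failure"),
    ("2022-10-13T09:00:10", "alice", "10.0.0.5", "success"),
    ("2022-10-13T10:15:00", "bob", "10.0.0.9", "success"),
]


def detect_failures_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """Assumed SIEM-style rule: alert when at least `threshold` failed logons
    for one (user, source IP) pair inside `window` are followed by a success."""
    alerts = []
    failures = defaultdict(list)
    for ts_str, user, ip, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        key = (user, ip)
        # Keep only failures that are still inside the sliding window.
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if outcome == "failure":
            failures[key].append(ts)
        elif outcome == "success":
            if len(failures[key]) >= threshold:
                alerts.append({"user": user, "source_ip": ip,
                               "at": ts_str, "failures": len(failures[key])})
            failures[key] = []
    return alerts


def emulate_spread_scenario(start="2022-10-13T11:00:00",
                            users=("carol", "dave", "erin", "frank", "grace"),
                            ip="198.51.100.7"):
    """Constructed emulation scenario: one failure per user from a single
    source, then one success. No single account exceeds the threshold, so a
    per-user rule is expected to stay silent. Returns events, not actions."""
    t0 = datetime.fromisoformat(start)
    events = [((t0 + timedelta(seconds=i)).isoformat(), u, ip, "failure")
              for i, u in enumerate(users)]
    events.append(((t0 + timedelta(seconds=len(users))).isoformat(),
                   users[-1], ip, "success"))
    return events


def purple_team_check(rule, scenario_events, expected_alerts=1):
    """Replay a scenario through a rule and report whether it fired."""
    alerts = rule(scenario_events)
    return len(alerts) >= expected_alerts, alerts


def run_exercise():
    """Run both scenarios and return a coverage map: scenario -> rule fired."""
    results = {}
    fired, _ = purple_team_check(detect_failures_then_success, SAMPLE_EVENTS)
    results["repeated_failures_single_user"] = fired
    fired, _ = purple_team_check(detect_failures_then_success,
                                 emulate_spread_scenario())
    results["one_failure_per_user_same_source"] = fired  # expected: a gap
    return results


if __name__ == "__main__":
    for scenario, fired in run_exercise().items():
        print(f"{scenario}: {'DETECTED' if fired else 'GAP'}")
```

The first scenario confirms the rule works as designed; the second is the kind of result the exercise exists to surface: a scenario the current rule does not cover, which becomes an item on the improvement plan (for instance, a complementary rule keyed on the source address across many accounts) rather than a surprise during a real incident.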

Adding value

Cyber attacks are becoming increasingly common, and Australian law firms are a major target — any organisation that holds valuable data is at risk, but law firms are especially attractive because they handle large volumes of commercially and personally sensitive information and because that information can be used to support secondary attacks against the law firm’s clients.

We have seen that an increasing number of corporate clients are now requiring higher levels of cyber security from their legal partners, and we have assisted our clients by completing and evaluating security-compliance attestations and questionnaires. Savvy legal operators are starting to realise that a wait-and-respond cyber security posture does not promote confidence amongst prospective risk-averse clients, and are instead using their rigorous and proactive approach to cyber security as a major competitive advantage.

Tim Redhead is the owner of cyber security firm DotSec.
