For a stronger cybersecurity culture in the legal sector

The pandemic has pushed the legal industry and the judicial system to rely on technology more than ever. Given that October is Cybersecurity Month, doctoral student and former cyber risk consultant Luigi Bruno, LLM’16, shares some practical advice to fend off the most common threats.
7 October 2020

The pandemic has pushed the legal industry and the judicial system to rely on technology more than ever. Given that October is Cybersecurity Month, doctoral student and former cyber risk consultant Luigi Bruno, LLM’16, shares some practical advice to fend off the most common threats.

Woman using her phone to connect to a Virtual Private Network
A VPN, or Virtual Private Network, is a tool that helps enhance online privacy and security.  It extends a private network across a public one, enabling users to share data as if their devices were directly connected to the private network.

Having a background in both law and computer science, and having worked in information security for some years, I am often on the receiving end of various IT-related questions from my lawyer friends.

Over the years, these questions have evolved from how to edit a locked PDF file to guidance on setting up virtual private networks and now to issues such as implementing secure digital signatures.

Meanwhile, legal practitioners have been cautious in their adoption of technology solutions, sometimes implementing them to automate repetitive tasks or when required to do so by law.

However, the current pandemic has forced the legal system to rely on technology in order to avoid being brought to a catastrophic halt. While this has resulted in more flexibility and efficiency for both lawyers and clients, it has also presented cybercriminals with a wealth of opportunities.

Awareness of cyber risks and threats can help to avoid them. It can also mitigate the effects of malicious attacks, predominantly involving the loss of clients’ sensitive data.

Some of the most common cyber threats

  • Poor password hygiene: Passwords are like toothbrushes; change them often, do not share them, and do not leave them lying around. Research shows that many passwords are based on information easily found on the target’s social media accounts (e.g., spouse or pet name). It is best to choose complex passwords (avoid dictionary words), and avoid oversharing on social media. Law firms should implement password management policies.
  • Phishing: A social engineering attack to steal personal information, login credentials, and credit card numbers, by impersonating a trustworthy party. Always check the trustworthiness of emails and phone calls and check the URL (text of the web link) of any webpage before entering information. Since awareness is the most effective tool against phishing, law firms and lawyers should invest in phishing awareness campaigns, and assess what further training is required to keep the risk of falling for phishing attacks low, be it for themselves or their clients.
  • Shoulder surfing: With so many working remotely, the risk that attackers could watch over one’s shoulder to catch valuable information is high. In a public space, it is best to minimize the amount of valuable information displayed on-screen. An effective strategy is to invest in a privacy screen, or privacy enabled laptop.

Overall, establishing a culture of awareness, implementing cybersecurity policies, and designing, testing, and enacting disaster recovery/business continuity plans are some of the crucial steps to stay secure.

Cyber criminal at work. Image by Avi Richards via Unsplash.com
Awareness of cyber risks and threats can help to avoid them. It can also mitigate the effects of cyber attacks from malicious actors, predominantly involving the loss of clients’ sensitive data.

When a security breach occurs

In the event of a successful attack, some steps should be taken immediately.

  1. Assess its impact and isolate the infection.
  2. Notify authorities and affected third parties (there might be regulatory requirements to do so), and consult cybersecurity experts.
  3. Activate your disaster recovery/business continuity plans, identify further vulnerabilities and develop a report of the incident.
  4. Refresh cybersecurity training, update policies, and implement/strengthen risk control.

Technology in the legal profession is clearly here to stay. With the profession being digitally transformed and with legal technology automating an ever-larger number of tasks, lawyers will increasingly be exposed to cyber risks.

Cybersecurity is now a priority, and it requires professional expertise, tailored strategies, and constant attention.

A strong cybersecurity culture within the legal industry will benefit lawyers, clients, and ultimately protect the ethical pillars of the profession.

 

 
Doctoral candidate Luigi BrunoLuigi Bruno, LLM ’16, is a doctoral candidate at McGill’s Faculty of Law.

His research explores the use of legal instruments to prescribe engineering requirements and guidelines that lead to the development of ethical, unbiased, and fair Artificial Intelligence. Bruno is also completing an MSc in Computer Science at the University of York (UK).

Before starting his doctoral studies, he was a Sr. Cyber Risk Consultant at Deloitte.