Government clients require ASD Essential 8 compliance before engaging law firms.
Law firms in Australia, including the international offices of major law firms, are increasingly being asked by their clients and prospective clients to show that they adhere to the ASD Essential 8 cyber security framework before they are awarded work mandates. The ACSC requires all local, state and federal government departments and agencies to deal only with Essential 8 compliant firms.
The Law Council of Australia recently outlined that a successful cyber-attack may have severe consequences for your law practice. Cyber-attacks have most notably caused damage in the following areas:
- Theft of corporate and financial information, which has led to the theft of large sums of money;
- Destroying and rendering all client data useless by irreversible encryption;
- Affecting the operation and use of mobile and computer equipment;
- Reputational damage and loss of work.
One unnamed CISO at a global firm recently said: “My head office in the UK doesn’t know what the Essential 8 is; however, my partners locally need me to demonstrate we are adhering to the framework or they won’t win Australian government business. We don’t do Application Whitelisting, so I need to get cracking on implementing it outside the global firm’s security policy, which they have approved me to do locally.”
While statistics on law firm hacks and data breaches are hard to come by because incidents are frequently not disclosed, some prominent recent ransomware attacks on law firms and their clients’ data have made headlines.
In May 2020 hackers hit A-list New York law firm Grubman Shire Meiselas & Sacks, whose clients include Lady Gaga, Drake, Madonna, Rod Stewart and Robert De Niro. The hackers claimed to hold 756 gigabytes of data, including contracts and personal emails.
A $42 million ransom demand came from the criminal group REvil, which threatened to release damaging documents.
On 29 May 2020, California IP law firm Vierra Magen Marcus had data stolen relating to major businesses. Screengrabs purportedly posted on the dark web by REvil show folders listed under the IP firm’s name alongside an index note of high-profile organisations including the US Navy, ExxonMobil, L’Oreal, Nissan, Daimler Chrysler, Honeywell and LG Electronics, as well as other well-known businesses. One of the screenshots refers to an archive download of 1.2 TB.
The group’s objective was to prove to the firm that it had access to the network and to scare it into paying.
In June 2017 DLA Piper LLP, one of the largest law firms in the world, was hit by a ransomware attack that infected hundreds of thousands of computers across its platform globally. The global cyber event encrypted all affected files and demanded a ransom of $300M in bitcoin to regain access or avoid the threat of deletion. It took the firm at least 6 months to rebuild its IT capability, costing millions.
The ASD Essential 8
Small and large firms, including the local offices of global firms, can still enact measures from the ASD Essential 8 such as application whitelisting, privileged account management and multi-factor authentication, and can train employees to spot phishing attempts. All it takes is one malicious phishing email to be clicked on by an employee. With that one click, a bad actor has gained a username and password, circumvented your security controls and gained access to your data.
While companies often claim to have been victims of a ‘highly sophisticated cyberattack’, the reality is that, in many cases, the attacks succeeded only because basic best practices were not followed. Problems such as weak passwords, a lack of multi-factor authentication and unpatched systems are, unfortunately, all too common.
If the Essential 8 is good enough for the government to insist on, it makes good sense to implement the framework and to let all your clients know that you are following this cyber security best practice. Your firm’s reputation is enhanced.
Can your firm afford the reputational damage of a client data leak, not to mention the financial cost of remediating a Distributed Denial of Service attack or a ransom demand?
If you are a law firm IT administrator juggling a lot of hats, come and have a professional consultation with Securite on how we can assist with hardening your cyber security posture, using the latest cost-effective solutions with minimal disruption to your job and your firm, so that you comply with the ASD Essential 8.
Jack Drewe, Risk Advisor, Securite.