Written and recorded by Robert Edwards, Law Hound
Welcome to this cybercrime training session from Data Law. My name is Robert Edwards. I'm a consultant at Law Hound Limited. My background is as a counterintelligence and IT security specialist with Her Majesty's Government, before I moved on to lecturing and providing legal training.

Cybercrime risks and your SRA duties

Cybercrime affects all of us, often in ways we don't consider. Let's examine the risks. Cybercrime features quite regularly in the news, often relating to the release of personal data, but apart from the mention of hackers there is usually little to no information regarding how the hackers accessed the data. In order for us to take measures to reduce the risks to our business and personal data, we need to learn more about the processes and methods that may be used to attack the defences we use to protect information.

While the global costs of cybercrime are impossible to calculate accurately because of differing standards and methods of accounting, we can estimate direct financial impact and trickle that down predictably to losses of future business due to lost confidence in a company, resulting job losses, and the overall effect that will have on national GDP. There are associated costs of insurance and data management for organisations processing either financial or sensitive personal data, or both. More sophisticated threats require more sophisticated defences to be put in place, and more knowledgeable people to ensure that protective measures function at an optimum level, which is the level at which the organisation is able to function effectively without being hampered but, at the same time, with the confidence that the risk has been minimised. The cost of cybercrime in the UK was deemed to be £7.5 billion in 2013. That's approximately 0.13% of GDP.
While that may seem a somewhat insignificant figure as a percentage, it's the equivalent of roughly 70,000 more people unemployed and drawing on national resources without making a financial contribution.

Solicitors are obliged under the Code of Conduct to maintain effective systems and controls to mitigate risks to client confidentiality and client money, and to maintain overall compliance with SRA regulatory arrangements. While headline cyber attacks over the last two years have targeted Clifford Chance, Berwin Leighton Paisner, Nabarro, Dechert and Bird & Bird, not to mention DLA Piper's recent denial of access to systems and telephones, even small law firms need to be worried, because a small practice may hold several million pounds in client account at any one time. Smaller law firms also often lack the layers of protection that larger firms can afford on an economy of scale, making them quite juicy targets for hackers with less expertise than those operating globally. The SRA has highlighted the risks that law firms face with regard not only to financial assets but also in respect of personal information, with the latter being of particular relevance in light of the GDPR.

We'll take a look at how information technology, and the way we use it, has developed, and how that development has created an unrealistic expectation in some quarters that things will work in the way we want them to.

Cloud computing

To put the cloud in context, it's only a little over 20 years since client information such as letters, personal details and case notes was saved onto 1.44 megabyte floppy disks, which were kept under lock and key. The proliferation of cloud services, driven by recreational activities (YouTube, Instagram, Pinterest, Flickr and Vimeo are a few examples), has made the idea of saving data to remote servers a much more acceptable concept.
The benefits: saving to the cloud brings portability in terms of remote access to information, and can enhance profitability as fee earners are able to spend more time on operational matters and are able to address urgent requests without having to attend an office. Most businesses rely to some extent on cloud-based services. They're less expensive than maintaining complex internal networks and can be scaled up and down easily to meet fluctuating demand. The servers are generally well protected, because it's in the best interests of the service provider to ensure security is built into their systems.

The risks: compliance with legal obligations and regulatory responsibilities will remain the remit of the business controlling the data. This must be a primary consideration when selecting a service provider, since cloud flexibility may involve data being transferred to servers outside the EU without the knowledge of clients. This may occur when a provider has a need to undertake a maintenance programme or is adversely affected by a power outage or other unavoidable event. The recipient data servers may be in the USA, with whom the EU has an agreement on data protection called Privacy Shield, which replaced the old Safe Harbor framework. Data controllers should be aware that US companies can opt out of the Privacy Shield framework at will; if the recipient servers were once run under the auspices of Privacy Shield but are no longer, this is a potential breach of duty by the business. It is incumbent on you to ensure that a service level agreement specifically precludes the transfer of data to servers outside the EU or Privacy Shield environments.

Switching providers may be desirable at some point for a number of reasons. It may seem counterintuitive to think about leaving a provider even before signing up to its services, but when considering data protection and continuity of business it becomes obvious that long-term planning is essential.
Consideration of the process of data transfer, including timescales for the completion of such an operation, should feature as a key element when deciding to utilise remote service storage.

The case for synchronous data replication (SDR)

In an ideal world, everything works perfectly all of the time, but in the real world we have power outages, telephone lines are accidentally cut, hard drives fail and businesses cease to trade, apparently overnight. All the due diligence you undertook during your selection process will be meaningless in some of these scenarios. If your cloud provider suffers any catastrophic interruption of business, where does that leave you in respect of your valuable and mission-critical data? Any professional IT director or manager will advocate the use of SDR, which enables data to be simultaneously saved to the cloud server and to on-site storage or to a different service provider. In the event there is a failure of a single facility, the data can be easily recovered from the alternative. It's true that building in more solutions adds to cost, but this has to be weighed against the potential cost of data loss or even a shutdown of remote services.

So that's a brief insight into how we came to be where we are now, what happens in the real world, and some of the measures we should include in any IT services planning process.

Cybercrime and vulnerability exploitation

Vulnerability exploitation, or as it's otherwise known, hacking: a crime of any variety relies on exploiting an identified vulnerability, whether it's shoplifting in an understaffed store without a security system, bypassing a sophisticated alarm system to commit a burglary, or infrequent or ineffective auditing which enables a fraud to go unnoticed until long after the perpetrator is over the horizon. Cybercriminals seek to identify weaknesses in hardware, firmware, software and processes.
Put simply, hardware vulnerabilities are weaknesses in operating systems or in the nature of data storage that enable data to be retrieved or elevated access levels to be created, due to flaws inherent in a computer system. Most hardware vulnerabilities require physical access to the hardware before they can be effective. Although there are methods of exploiting hardware vulnerabilities remotely, given sufficient time, effort and commitment of resources, this investment is usually directed only at extremely high-value targets.

Firmware is the term used to describe software embedded into devices. These are usually low-level operating instructions that enable more complex software to function by providing a basic structure of command compatibility. Typically, firmware will manage drives and other devices within a computer system and is read-only, in that the firmware cannot be written to by a conventional user. Firmware updates or patches are periodically released for some devices, and it's good practice to have these updates implemented.

Software refers to programs with higher-level functionality, usually in a business environment extremely complex programs such as Microsoft Excel, Adobe Photoshop or Google Chrome. The complexity of the code involved creates a potential for them to contain exploitable vulnerabilities, and there are frequent updates released to address compatibility problems, which may be exploitable, and as a response to updates in operating systems. Windows, Linux and iOS updates often affect how software interacts with these systems, sometimes rendering third-party software unusable until it, in turn, is updated.

Processes are the physical processes that determine how systems are used and how hardware, software and data are handled and managed. This includes passwords, remote working protocols and making backups.

It's true that hacking is not always conducted in the pursuit of profit.
There have been many instances in which the purpose of the hacking attack has been to exact retribution for a wrongdoing, and whether the offending activity is real, perceived or even fabricated, it makes no difference to the severity of the attack. There are also many hackers who do it simply because it provides them with a sense of achievement.

Distributed denial of service (DDoS) attacks

To make DDoS more accessible as a concept, imagine that you have an appointment booking system that responds to an appointment request by offering a date and time to a client. The system locks that date and time until the client responds with either yes or no to the appointment. A subsequent request from a different client cannot be placed into the open date and time, so a different appointment is offered. This, in turn, is locked as unavailable until the client responds. It obviously wouldn't take very many client requests to lock your forthcoming appointments so that nothing was available for several weeks. A DDoS attack occurs when multiple computers make contact requests with a server. The protocol for computers to communicate is precisely the same as the appointment system. The multiple responses from the server are unanswered by the computers making the initial requests, and the server eventually reaches capacity, rendering it useless to everyone.

People and robust processes

We often find that IT users constitute the weakest link in any system, not intentionally but because they don't appreciate how or what they do could elevate the level of risk to a system. It's essential that you not only have in place policies and procedural guidance, but that your entire team understands them and the potential consequences of failing to comply with them.

Your SRA duties

To put all of this into context, it's important to put cybercrime and its risks into the context of how this affects law firms. The SRA says solicitors are obliged under the Code of Conduct to maintain effective systems and controls to mitigate risks to clients. Firstly, in relation to confidentiality, as Outcome 4.5 of the SRA Code of Conduct 2011 says, you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks. Secondly, in relation to client money, as Outcome 7.4 of the SRA Code of Conduct 2011 says, you maintain systems and controls for monitoring the financial stability of your firm and risks to money and assets entrusted to you by clients and others, and you take steps to address issues identified. Thirdly, in relation to overall compliance with regulatory arrangements, as Outcome 7.2 of the SRA Code of Conduct says, you have effective systems and controls in place to achieve and comply with all the Principles, rules, outcomes and other requirements of the Handbook, where applicable.

As the SRA makes very clear, there may also be legal and regulatory consequences for the solicitor or law firm after a breach of confidentiality or loss of client money. If something goes wrong, the SRA recognises that no defence is perfect and accepts that things will go wrong. However, the SRA expectation is that firms will take proportionate steps to protect themselves and their clients' money and information from cybercrime attacks while retaining the advantages of advanced IT.

Reporting

Irrespective of whether you lose client money but replace it, you are under a duty to report any breaches to the SRA. As Outcome 10.3 says, you notify the SRA promptly of any material changes to relevant information about you, including serious financial difficulty, action taken against you by another regulator, and serious failure to comply with or achieve the Principles, rules, outcomes and other requirements of the Handbook. The SRA says that it will judge whether it is appropriate to take action on a case by case basis according to the facts of the incident. One thing that is clear is that the SRA will be taking into account whether the firm had adopted reasonable systems and controls to protect against the risk, looking at whether the firm is proactive and lets the SRA know immediately, has taken steps to inform the client and, as a minimum, make good any loss, and shows that it is taking steps to improve its systems and processes to reduce the risk of a similar incident happening again. And in the case of the Information Commissioner's Office, or the ICO: like any other business, solicitors and law firms can be reported to the ICO for data protection breaches. Actually, it's incumbent upon the law firm; once GDPR comes in, it will be incumbent upon the law firm to report themselves.

And that concludes this session for Data Law. Thank you very much for joining me, Robert Edwards, on this session.
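The appointment-locking analogy from the DDoS section above, turned into a small simulation. This is an added example, not part of the original session: the server, its slot capacity, the timeout values and the traffic mix are all constructed assumptions, chosen to show why a server that holds an unanswered offer open for a long time can be filled by a modest trickle of silent requesters, and why releasing unanswered offers quickly bounds the damage.

```python
"""Simulate a server that "offers" a slot to each request and locks it until
the requester replies or the server's timeout releases it (constructed model,
not real network code). Silent requesters never reply; legitimate clients
reply within one tick."""


class PendingServer:
    def __init__(self, capacity, timeout):
        self.capacity = capacity      # how many offers may be outstanding at once
        self.timeout = timeout        # ticks before an unanswered offer is released
        self.pending = {}             # slot id -> tick at which the slot is freed
        self._next_id = 0

    def expire(self, now):
        """Free every slot whose reply (or timeout) is due by this tick."""
        for sid, due in list(self.pending.items()):
            if due <= now:
                del self.pending[sid]

    def request(self, now, reply_delay):
        """Offer a slot, or refuse when every slot is already locked."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            return False
        self.pending[self._next_id] = now + reply_delay
        self._next_id += 1
        return True


def simulate(timeout, capacity=50, ticks=200, silent_per_tick=3, legit_per_tick=1):
    """Return (legitimate requests served, legitimate requests refused).

    Each tick, `silent_per_tick` requesters ask for a slot and never reply
    (their slot stays locked until the timeout), then `legit_per_tick`
    clients ask and reply on the next tick."""
    srv = PendingServer(capacity, timeout)
    served = refused = 0
    for now in range(ticks):
        for _ in range(silent_per_tick):
            srv.request(now, reply_delay=timeout)   # never answered
        for _ in range(legit_per_tick):
            if srv.request(now, reply_delay=1):     # answered next tick
                served += 1
            else:
                refused += 1
    return served, refused


if __name__ == "__main__":
    print("generous timeout:", simulate(timeout=100))   # capacity fills, clients refused
    print("short timeout:   ", simulate(timeout=5))     # locked slots stay bounded
```

With a long timeout only three silent requests per tick lock all fifty slots after a few ticks and every later client is refused; with a short timeout the number of locked slots never exceeds the silent rate times the timeout, so legitimate clients are always served.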