Digital: the dark side

No better illustration could be needed of the potential effect on a legal firm of a cyber security breach than the “Panama papers” saga earlier this year. Weaknesses in Mossack Fonseca’s systems allowed hackers to access millions of confidential documents relating to the tax affairs of wealthy and famous individuals, the repercussions of which are likely to be felt for a good time to come.

Have lessons been taken on board by Scottish solicitors’ firms? Not necessarily, it appears. Anyone thinking they are unlikely to be a target would have done well to hear Mark Leiser of Strathclyde University’s presentation to the Law Society of Scotland’s October conference on Technology and Cybercrime. Leiser told how, walking the length of one Glasgow street, he had been able to detect the wifi networks of 10 legal practices using his smartphone – three of which, when he then called them, actually disclosed over the phone their network passwords.

Law firms, Leiser continued, are an attractive target for the hackers. Why? He gave four main reasons: they are “information hoarders”; they are understaffed compared to large corporations when it comes to cybersecurity; they generally hold more sensitive information than other businesses of equivalent size; and they may be associated with unpopular individuals or organisations that are the hackers’ real target. And he didn’t even mention the attempts made to intercept funds related to property transactions, the cautionary tales relating to which have regularly featured in the Journal in recent times.

Rising tide

Leiser was followed by Mandy Haeburn-Little of the Scottish Business Resilience Centre, who told us about the frequency of cyber attacks on the average business – a daily occurrence – and the “rising tide of ransomware”, or malicious software that prevents a business accessing its own data until a sum is paid to release it. Indeed, although the Scottish Government likes to reassure us that crime figures are at a 40-plus year low, the as yet underreported wave of cybercrime “will burst all the crime figures”, Haeburn-Little warned.

In truth, the profession is at least to some degree aware of the trends. The Society’s first “technology audit” of the profession, published to coincide with the conference, reported among the responses to an Ipsos MORI survey that maintaining cybersecurity came top of a list of 12 “biggest technological challenges” faced by solicitors in their daily work, named by 42%, ahead of using different systems/integrating systems at 39%, and keeping up to speed with new technology, at 32%. And 90% claim not to click on suspect links, 85% do not download suspect files or programs, and 80% password-protect their internet access (77% with a complex password). That still suggests some scope for outsiders to cause harm; more so that the proportion who password-protect their internet network (broadband or wifi) stands at 68%, and only 48% do not use public or insecure wifi.

Summing up the survey, the Society finds it “reassuring that members recognise the importance of cyber security, although there are some concerns about the level of reporting of cyber breaches” (of 294 who had experienced a cybersecurity breach in the previous 12 months, 35% had not reported it to anyone, and 44% only to work colleagues). It also notes a “broad acknowledgment that more training is required across a range of IT-related subjects”.

What to do?

Some conclusions should be clear this far. First, whatever the nature of your business, it is almost certainly a target. Secondly, whatever the technical standard of your security, it is only as good as your weakest (human) link – who is as likely to be your receptionist as anyone else.

Other standard failings mentioned at the conference included using unprotected devices for confidential matters, perhaps the user’s personal device: for opening speaker James Kwaan, BYOD, or Bring Your Own Device, ought to stand for Bring Your Own Disaster. Or even if you have password protection, you share your password, or leave yourself open to others watching you key it in. Or you fail to install software updates, especially relating to security.

Some sympathy was expressed for small firms in particular, which may have limited understanding in this whole area, and at least one speaker made a strong plea for the Society to provide more practical guidance beyond the general duty to maintain confidentiality (we were assured in response that this is in hand).

Meantime a number of recommendations can be gleaned from the various presentations:

• Do not rely solely on “passive” defences – firewalls, anti-virus software etc. Criminals are finding ways round these, and law firms are targets.
• “Active defences” are available, including technologies that detect attacks and trace them to their source.
• Create a risk assessment matrix, setting the probability (frequency) of types of assets being put at risk against the business impact of the risk being realised (both on a low/medium/high grading. Produce a top 10 (or five) risks from this and consider action with internal/external parties as appropriate.
• Identify who or what it is in your office that hackers would see as your weakest link, and make sure the relevant people are trained in cybersecurity.
• Prioritise security as a requirement among your business partners.
• Report incidents of cybercrime (or attempts) to Police Scotland (call 101). Most people are not sure whether they should, but we were assured that the police “absolutely want” us to.
• Don’t assume that if you are caught by ransomware, it will just be a one-off if you pay what may seem a relatively small sum to be freed from it. Don’t pay bitcoin ransoms.
• Remember that compliance does not mean security!

Managing risk

Conference sponsor Amiqus, in a blog reproduced with this month’s Journal Online exclusives (click here to view), offers a four-stage approach to managing data and privacy risks:

• Create a simple risk management process, to understand the risks faced and what relevant level is acceptable, assigning board or senior management to identify these risks and own them.
• Be proactive and not reactive to risk: understand misuse cases and predict worst-case scenarios for both internal and external attacks, and take preventative steps with proportionate resources.
• Take a continuous approach to risk assessment: it can’t be viewed as a one off or periodic activity, as threats evolve continually: systems should be kept up to date and monitored internally or in conjunction with external assistance of ethical hackers or security consultancy.
• Understand the requirements in the Data Protection Act 1998 and have processes in place to detect, report and investigate a data breach. Make your organisation aware of the General Data Protection Regulation, which will be enforced from 2018.

To offer a personal impression of the day’s proceedings, you quickly realise at an event such as this how little you know about what is really going on, and the risks to which we are all exposed. This is not an area where amateurs should be operating without expert support. At the same time, most of us could benefit from some basic practical advice and guidance and it is to be hoped that the Society’s good intentions in producing this will soon bear fruit.

Digital complaints: how close?

A project group is examining how far summary criminal procedure can be digitised

There is huge potential for using digital processes to cut down on the number of summary criminal hearings, but it is too soon to say whether the models being developed will become reality.

That was the message to the conference from Tim Barraclough, Scottish Courts & Tribunals’ chief development and innovation officer, who updated us on developments since Lord Carloway’s 2015 Evidence & Procedure Review presaged a radical shift of the criminal courts to digital- based processes.

Barraclough put his presentation in the Tomorrow’s World category, recalling the TV series of yesteryear that unveiled visionary prototypes, but headlined duds such as the Sinclair C5 as well as revolutions like the microwave oven.

Some things are already happening in practice: videoconferencing, including prison links, is slowly being rolled out and is working well; also coming through are integrated case management (with civil cases first), an online jury portal and online fines payment.

But these do not meet Lord Carloway’s call for “clear sky thinking”, and court processes need to be redesigned – without compromising on the right to a fair trial – before digital solutions are applied.

For this, the Justice Board has commissioned a joint project to redesign summary procedure from complaint through to sentencing, in particular by minimising unnecessary court hearings. Do we need first callings, Barraclough asked? Could pleas be tendered online, and at any stage? What about intermediate diets? Could there be case tracker functionality for witnesses and accused?

Figures show that of an annual 72,000 first callings, only 15,000 are from custody; 52,000 trial diets are set but 9,000 trials take place. And how many of the 89,000 intermediate diets could be replaced by digital case management hearings?

Some jurisdictions have digitised stages of their summary procedures. Here, options under consideration include electronic service of complaints; digitally managed timetabling; digital submission of evidence and case documents; and digital sentencing for lesser offences. But Barraclough recognised the significant issues around accused who are unrepresented, fail to give instructions, or are even less cooperative; witnesses failing to turn up; restructuring the legal aid system; and indeed resourcing the necessary quality IT.

Some proposals “may emerge in the next three to six months” for wider discussion; but any new system will take three to five years minimum to implement.

And he reassured us that the two defence solicitors who are members of the project team have given invaluable assistance in advising on what is workable.