Technology: Protecting against cybersecurity compromise

March 1st, 2019

By Anthony Pillay

In previous articles published in De Rebus, the potential liability of attorneys for business e-mail compromises (2018 (Sept) DR 35) and cyber liability insurance (2019 (Jan/Feb) DR 42) were discussed. In the former, the potential for the attorney being guilty of contributory negligence for failing to establish appropriate security measures was highlighted. In the latter, the importance of the well-understood protections afforded by appropriate insurance was emphasised as an integral part of cybersecurity management. In both articles the issue of ensuring that appropriate technology is implemented was touched on. This article highlights a few of the important issues in considering the technology or technology services that are used by legal professionals.

At the outset, a misunderstanding that seems to arise repeatedly is the illusion that technology is the ‘silver bullet’ for cybersecurity. Appropriate technology is indeed a very important component of cybersecurity, but cybersecurity is by its nature multifaceted and is seen by many experts in the area as predominantly a ‘people’ rather than a ‘technology’ issue. Thus, while it is important that the appropriate technology is used, the processes governing its use must be properly documented so that users have a consistent understanding of the behaviour that promotes security. Those processes can in turn be used to educate users in the appropriate use of the technologies, and in the security measures they are obliged to observe, so as to promote the secure processing of information and the mitigation of cyber-risk.

It is beyond the scope of this article to address all of the technology security issues. Readers are referred to the International Bar Association’s ‘Cybersecurity Guidelines’ that are available at www.ibanet.org and the Law Society of South Africa’s (LSSA’s) Guidelines on Information Security for South African Law Firms – LSSA Guidelines January 2018 at www.lssa.org.za.

The following important points, which are specific to protecting against business e-mail compromises, are highlighted:

  • As the name suggests, business e-mail compromises are an impersonation fraud that is perpetrated by intercepting and altering e-mails, or by sending e-mails that appear to come from a trusted party. One of the primary considerations is therefore the reputation and security of the e-mail host. It is recommended that preference be given to an e-mail host with a proven track record, as such a company is most likely to maintain superior security. The recommendation of experts in this field is that smaller providers be avoided unless they provide appropriate guarantees of security. Where the e-mail host is selected purely on price, it is likely that the cost saving passed on to the client comes at the expense of security and will expose the client to greater risk.
  • In selecting web browsers and e-mail applications care should be taken to choose secure mail client software. These applications should be configured for secure use as opposed to convenience and must have built in and automatically updated junk e-mail and spam filters. It is also important that the granting of access to e-mail boxes is subject to appropriate access control. If a person to whom an e-mail address has been assigned leaves the legal practitioner’s employ, access to the e-mail box must immediately be revoked.
  • It must be recognised that the use of outdated technology creates security risks. Outdated technology is likely to be more vulnerable and, if it is used beyond its end of life, will no longer receive the security updates and patches that protect against newly discovered vulnerabilities. Anti-malware, anti-spyware and anti-virus software, as well as e-mail filtering software, must, as described in the Cybersecurity Guidelines, be of a ‘business grade’. Free versions of software are unlikely to provide the level of security that is necessary for the sensitive information that is processed by legal professionals. It is also important that care be taken to properly secure the applications that may be used in a practice, and that mail servers are configured to protect the transmission of e-mails (that is, to encrypt the connection) between the professional’s mail servers and those of its service provider.
  • Care must be taken when communicating sensitive information. It is suggested that any important information communicated by e-mail is sent as a PDF (which should also be password protected, with a strong password) and not as an MS Word document. There are other simple mechanisms for protecting important information. One of these is to communicate the password out of band: if the document is sent by e-mail, the password should be sent by SMS or WhatsApp, so that an attacker who has access to the mailbox cannot open the document. There are also more sophisticated mechanisms that should be considered, such as digital signatures. A digital signature identifies the signatory, and any change to either the signature or the data to which it relates is immediately detectable on verification. A signature on its own does not, however, hide the content of the message; if the e-mail is also encrypted (for example with S/MIME or PGP), an interceptor can neither read the text nor alter it without detection. In certain instances, the use of advanced electronic signatures may be a statutory requisite. In this regard readers are referred to ‘Electronic Signatures for South African Law Firms: LSSA Guidelines’ available at: www.lssa.org.za.
  • Care also needs to be taken with remote e-mail use from devices that are not protected by the practice’s firewalls or e-mail server configuration. Practitioners should, therefore, be circumspect when using ‘open or free WiFi’ for business communication, and should at least ensure that the connection to the mail server is encrypted or routed through the practice’s VPN.
  • User awareness: Ultimately, while the choice of appropriate technology and the maintenance of appropriate safeguards may significantly enhance security, unless this is well understood by users, security measures, which are typically an inconvenience by nature, will be disregarded. Users must be trained to identify bogus e-mails, phishing attempts and the other mechanisms of social engineering that underpin business e-mail compromises. They need to understand how important their role is in fulfilling the responsibility of the secure processing of information, which is the legal professional’s indisputable obligation. Many guides are available that will assist legal practitioners in ensuring appropriate awareness of this important aspect of e-mail use. A simple Google search will direct you to appropriate information.

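The digital-signature point above is easy to demonstrate. The following Go program is an added example, not code from the article or from the LSSA guidelines; it uses the Ed25519 signature scheme from the Go standard library to sign a constructed payment-instruction e-mail and then tries the three attacks a business e-mail compromise relies on: altering the text, altering the signature, and re-signing the altered text with the attacker’s own key. It assumes the recipient already holds a trusted copy of the attorney’s public key (in practice that trust is established through a certificate, as with S/MIME, or a verified PGP key, rather than a raw key as here).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// signedMessage bundles the plaintext, the sender's public key and the signature.
// The text itself is NOT hidden: a signature proves origin and integrity only.
// Confidentiality needs separate encryption (S/MIME or PGP in practice).
type signedMessage struct {
	Text      []byte
	SenderPub ed25519.PublicKey
	Sig       []byte
}

// signMessage produces a detached Ed25519 signature over the message text.
func signMessage(priv ed25519.PrivateKey, text string) signedMessage {
	return signedMessage{
		Text:      []byte(text),
		SenderPub: priv.Public().(ed25519.PublicKey),
		Sig:       ed25519.Sign(priv, []byte(text)),
	}
}

// verifyMessage checks the signature against a public key the recipient already
// trusts, not the key carried inside the message; otherwise an impersonator
// could simply substitute their own key alongside their own signature.
func verifyMessage(trustedPub ed25519.PublicKey, m signedMessage) bool {
	return ed25519.Verify(trustedPub, m.Text, m.Sig)
}

// tamperDemo runs the scenarios discussed in the article and returns the
// verification result of each: genuine message, altered text, altered
// signature, and the altered text re-signed by an impersonator.
func tamperDemo() (genuine, alteredText, alteredSig, impersonated bool, err error) {
	attorneyPub, attorneyPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	// Constructed sample message; the account number is fictitious.
	m := signMessage(attorneyPriv, "Please pay the deposit into account 1234567890 at Bank A.")
	genuine = verifyMessage(attorneyPub, m)

	// Attack 1: intercept the e-mail and change the account number.
	changed := m
	changed.Text = []byte("Please pay the deposit into account 9999999999 at Bank A.")
	alteredText = verifyMessage(attorneyPub, changed)

	// Attack 2: leave the text alone but corrupt one bit of the signature.
	corrupted := m
	corrupted.Sig = append([]byte(nil), m.Sig...) // copy so m stays intact
	corrupted.Sig[0] ^= 0x01
	alteredSig = verifyMessage(attorneyPub, corrupted)

	// Attack 3: the attacker signs the altered text with a key of their own.
	// It verifies under the attacker's key, but not under the trusted one.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	forged := signMessage(attackerPriv, string(changed.Text))
	impersonated = verifyMessage(attorneyPub, forged)
	return
}

func main() {
	g, t, s, i, err := tamperDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v alteredText=%v alteredSig=%v impersonated=%v\n", g, t, s, i)
}
```

Only the genuine message verifies; each of the three manipulations fails. Note that the attacker could still read the account number in every scenario, which is why the article pairs signatures with encryption for sensitive content.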
The Law Society of South Africa’s Cybersecurity Helpdesk is headed by Anthony Pillay. Mr Pillay is currently the Acting Executive Director of the Law Society of South Africa.

This article was first published in De Rebus in 2019 (March) DR 7.