As hacking tools grow more sophisticated while the technical skill and knowledge required to operate them fall, professional firms with a presence on the internet face mounting risks. A successful hacker does not just compromise the firm’s data, staff records, accounting spreadsheets and business plans but, where clients’ files are exposed, can endanger the entire practice.
The importance of keeping confidential data secure is, arguably, appreciated by the legal profession more than most. However, while information technology advances have changed the face of law practice by allowing closer contact with clients and more efficient communication throughout the legal system, this has been accompanied by increased security risks.
Expert hackers are notoriously resourceful, and network attacks can be as varied as the systems they attempt to penetrate. The nature of the internet means that computer hackers can share knowledge across borders and jurisdictions. A quick internet search on the words "hack" or "crack" turns up thousands of sites, many of which contain malicious code and instructions for its use. The proliferation of easy-to-use operating systems has compounded the problem by reducing the ingenuity and knowledge required to cause serious damage. Numerous graphical hacking tools require only an IP (internet protocol) address or host name and a click of a mouse button to execute an attack.
Worms such as Blaster and MyDoom exploit known defects in operating systems, infecting many thousands of hosts around the world in an alarmingly short time. In March alone, rampant NetSky variants are estimated to have accounted for 60 per cent of all viruses reported, making them among the most prolific infections witnessed to date. A theory advanced among anti-virus experts is that NetSky’s virulence was down to competition between its writers and those of the Bagle worm to see who could wreak most havoc.
As increasing numbers of firms rely on a corporate network and the internet to carry out their day-to-day business, these worms can have a devastating impact on their reputation in the marketplace, not to mention their bottom line. It has been forecast that computer viruses will cost the global economy $35 billion this year alone.
So, what can be done to stop malicious intruders in their tracks and make careless users think twice before exposing themselves to attack?
Hackers and intelligent viruses will specifically target system weak spots where two separate security arrangements meet. Disgruntled employees, corporate spies, guests and untrained users are all potential areas of weakness. As a result, firms should continuously monitor the potential for attacks and regularly test the state of security infrastructures.
To achieve these objectives, a change of mindset towards internet security is required, embracing a more proactive approach. To counteract the threat, it is essential to look beyond the protection offered by traditional anti-virus software and the “never-ending race against time” of patch updates. This reactive approach results in always being caught on the hop. Having to patch every machine within a firm is also costly and time consuming. In addition, what use is security technology if it is only capable of telling you that you have been hacked? There is a need to adopt multi-layered security systems not only for detection and reaction, but also for protection and prevention.
It is possible to aggregate multiple security functions - host intrusion protection, a distributed firewall and malicious mobile code protection, together with operating system integrity checking and audit logs - within a single package. Unlike traditional security technologies, which look for tell-tale signatures in the virus code, this approach analyses behaviour to provide robust protection and reduce operational costs. It also reveals who or what has tried to break into systems and how those attempts were handled.
By identifying and preventing malicious behaviour before it can do any damage, potential security risks to networks and applications can be removed. It is the equivalent of having security cameras in every room and a team of private detectives questioning every suspicious move - essential when attempting to prevent confidential information from falling into the wrong hands.
When evaluating different types of security breach, it is important to understand some of the inherent limitations of IP, the basic language by which most computers communicate. The architects of the internet failed to anticipate that it would move beyond its original purpose of facilitating learning and research among various government entities and universities. Based on this assumption of limited appeal, strong security was not included as an integral part of the IP specification during its early days. As a result, most subsequent implementations of the protocol, including those used in the internet and corporate networks, have proven vulnerable to attack.
Although complementary technologies, such as SSL, have sprung up to make good IP’s lack of security by encrypting data in transit, technological deterrents need to be backed by a formal security policy to regulate the unpredictable human element. Such a policy details the rules that must be followed by individuals with access to an organisation's technology and information assets. It can be as simple as an acceptable use procedure for network resources, or several hundred pages long, detailing every element of connectivity and the associated policies. Either way, it should include items such as an authentication strategy, defining the level of password protection required for each type of user, including corporate, remote and dial-in users and administrators.
There is no miracle cure where network security is concerned. It is inevitably an ongoing investment, both in terms of financial outlay and manpower. Currently, the threat of a security attack is being further heightened by the growth in the number of firms switching to broadband. Research by the Yankee Group estimates broadband users are five times more likely to be affected by a security attack. The DTI reckons around 44 per cent of UK businesses suffer one or more security breaches a year, a percentage set to rise in line with increased broadband uptake.
However, it is important not to lose sight of the fact that the risks incurred by conducting business online can be more than outweighed by the tremendous opportunities on offer. To get the maximum possible return from the internet, it is necessary to mitigate the danger of unwelcome guests by deploying a combination of the right tools, management and policies, together with a commitment to adhere to procedures, from board and partner level down. By doing this, it is possible to capitalise on the benefits of the internet while minimising the risks from unwanted intrusion into a firm’s inner sanctum.
Gordon Thomson is country manager for Cisco Systems Scotland.
Guarding the inner sanctum (10.11.04): How to minimise the risk of breaches of internet security