BreachExchange mailing list archives

The TalkTalk hack – is cyber security more complicated than we think?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 7 Dec 2015 18:10:26 -0700

http://www.legalfutures.co.uk/blog/the-talktalk-hack-is-cyber-security-more-complicated-than-we-think

The recent hacking of phone and broadband provider TalkTalk has raised
plenty of questions among lawyers about how safe the internet really is. Is
our information, stored in distant silicon towers, really protected? Has
the penny dropped on IT security? Shouldn’t we be more guarded in our
acceptance of new technology and systems?

The truth, however, may not only put you at ease but also bring to light a
slightly different picture of our misconceptions about IT security. Brace
yourself, friends: it’s often human error more than IT that causes hacks
and cyber-breaches.

We do need to be aware of a criminal’s motives in order to protect
ourselves. A look back at the TalkTalk hack points to profit as a key
driver. In this case, the hackers’ motive was to steal names, email
addresses, telephone and bank details, possibly to sell to the highest
bidder. The target was TalkTalk’s valuable financial data, and reputational
damage was just an unfortunate consequence of the calculated and sustained
attack.

Since then, TalkTalk has attempted to mitigate some of the damage.
Fortuitously, the actual impact was revealed to be ‘materially lower’ than
feared, and hackers did not have enough information to break through the
credit card companies’ own security checks on online websites.

But when financial gains are at the heart of an attack like this, it means
that hackers will no longer only waste their energies on the Apples or
Sonys of the world; rather, they’re going to look for weaknesses in all
kinds of industries, niche or common, consumer or business facing.

Solicitors need to break out of the mind-set that they’re too small and
therefore inconsequential in the eyes of hackers, and take time to consider
the sets of information in their systems that have economic value. One of
the lowest of the low-hanging fruit is still the oblivious high-street
lawyer, unprotected and exposed to cyber-crime because of painfully obvious
gaps in security.

The good news is that although cyber-crime is often portrayed by 24-hour
news as an act worthy of a Mission Impossible sequel, in reality the
average hacking isn’t really blockbuster material; in fact, you can protect
yourself by following very basic guidelines.

If you’ve adopted technology quite recently, you’re actually a lot safer
than if you are still using old legacy systems from 10 or 15 years ago.
Also, if you’re using cloud technology, such as Microsoft’s Office 365 or
the Amazon Cloud Drive, these readily available systems already have their
own in-built security in place and offer an encrypted database.

One of the major problems suffered by telecom companies, such as TalkTalk,
is that their behemoth size makes it harder to keep ahead of the curve and
encrypt all their data. Some legacy systems can’t encrypt their database at
all to protect against hacks.

Cybercriminals can also attempt to access data through an unsecured Wi-Fi
network, so solicitors working from home need to have a powerful
alphanumeric password in place – an obvious statement to some, but you
won’t believe how many times this needs to be spelled out.

I’m sure conveyancers, with their growing workload, take assignments to a
coffee shop, so they need to be aware hackers can use their access to an
unprotected Wi-Fi network to wriggle through all the way to their company’s
secure system. Be sure to listen to your devices prompting you about an
unsecured Wi-Fi. Working from home, in contrast, is much safer.

It’s also important to be organised in the way you arrange and maintain
your data. It may even be worth looking at whether suppliers are providing
you with well-organised data, and some housekeeping never hurts.

Emails are the biggest gateways to cybercrime, but it’s humans who click on
fishy emails at the end of the day. Lawyers need to be sensitive to the
kind of information or queries they receive through emails, and detect when
something’s off about an email or a phone call. While this may be a matter
of common sense to the tech-savvy, a day’s training course can bring the
rest of the team up to speed.

While there is a lot of literature to inform lawyers, if it all gets too
overwhelming, they should consider investing in external advice. For
example, a consultancy can assess the firm’s risks and present a granular
solution to all potential threats.

We’re already part of an industry that’s facing the growing risk of
conveyancing fraud. It’s only a matter of time before more hackers can gauge
for themselves the cash cow that is the property market and its ancillary
industries.

The attacks are not going to bring back the era of dusty files that’s
already on its way out. Technology has kept pace with cybercriminals, so
now you should keep pace with technology. To keep these malicious forces at
bay, conveyancers and other lawyers need to walk in stride with other
industries and keep looking to the future.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
