In the previous articles (Business eMail compromise and Cyber liability insurance) the potential liability of attorneys for business eMail compromises and cyber liability insurance were discussed. In the former, the potential for the attorney being guilty of contributory negligence for failing to establish appropriate security measures was highlighted. In the latter, the importance of the well understood protections afforded by appropriate insurance was emphasised as an integral part of cybersecurity management. In both articles the issue of ensuring that appropriate technology is implemented was touched on. This article highlights a few of the important issues in considering the technology or technology services that are used by legal professionals.
At the outset a misunderstanding that seems to arise repeatedly in the illusion that technology is the “silver bullet” to cybersecurity. Indeed, appropriate technology is a very important component of cybersecurity but cybersecurity is by its nature multifaceted and seen by many experts in the area as being predominantly a “people” rather than a “technology” issue. Thus, while it is important that the appropriate technology is used the processes governing the use of the technology must be properly documented to enable the consistent understanding of behaviour promoting security by users. The processes in turn can be used to educate users in the appropriate use of the technologies and security measures that they are obliged to discharge to promote the secure processing of information and the mitigation of cyber-risk.
It is beyond the scope of this article to address all of the technology security issues. Readers are referred to the International Bar Association Cybersecurity Guidelines that are available at ibanet.org and the Information Security for South African Law Firms - LSSA Guidelines January 2018.
The following important points which are specific to protecting against business eMail compromises are highlighted.
eMail hosts
As the name suggests, business eMail compromises are an impersonation fraud that is perpetrated by intercepting and changing eMails. Therefore one of the primary considerations is the reputation and security provided by the eMail host. It is recommended that preference is given to eMail hosts that have a proven track record. They are likely to maintain superior security. The recommendation of experts in this field is that smaller providers be avoided unless they provide appropriate guarantees of security. Where the eMail host is selected purely on price it is possible and most likely probable that the cost saving that is passed on to the client is at the expense of security and will expose the client to greater risk.
Web browsers and eMail applications
In selecting web browsers and eMail applications care should be taken to choose secure mail client software. These applications should be configured for secure use as opposed to convenience and must have built in and automatically updated junk eMail and spam filters. It is also important that the granting of access to eMail boxes is subject to appropriate access control. If a person to whom an eMail address has been assigned leaves the legal practitioner’s employ, access to the eMail box must immediately be revoked.
It must be recognised that the use of old technology creates security risks. Old technology is likely to be more vulnerable and if it is used beyond its end of life will not be updated with security updates and patches to protect against vulnerabilities. Malware, spyware and anti-virus software as well as eMail filtering software must, as described in the Cybersecurity Guidelines, be of a “business grade”. Free versions of software are unlikely to provide the level of security that is necessary for the sensitive information that is processed by legal professionals. It is also important that care be taken to properly secure the applications that may be used in a practice and mail servers to protect the transmission of these communications to the service provider.
Sensitive information communication
Care must be taken when communicating sensitive information. It is suggested that any important information communicated by eMail is in PDF and not Word. There are other simple mechanisms of protecting important information. One of these is using passwords communicated out of band (if the communication is made by eMail the password should be made by SMS or Whatsapp) that protect the information. There are also more sophisticated mechanisms that should also be considered, such as the use of digital signatures which irrefutably identify the signatory and any change to either the signature or the data to which it is associated is immediately detectible. If configured correctly the eMails signed using digital signatures will be encrypted and render it impossible to intercept the text of the message (and therefore change it) during its communication. In certain instances the use of advanced electronic signatures may be a statutory requisite. In this regard readers are referred to the available at: LSSA Guideline on Electronic Signatures.
Remote eMail use
Care also needs to be taken of remote eMail use from devices that may not be protected by firewalls or the configuration of eMail servers.
User Awareness
Ultimately, while the choice of appropriate technology and maintaining the appropriate safeguards may significantly enhance the security that is sought to be implemented, unless this is well understood by users the security measures, which is typically by nature an inconvenience, will be disregarded by users. Users must be trained to identify bogus eMails, phishing exploits, and other mechanisms of social engineering that underpin business eMail compromises. They need to understand how important their role is in fulfilling the responsibility of the secure processing of information which is the legal professional’s indisputable obligation. Many guides are available that will assist legal practitioners in ensuring appropriate awareness of this important aspect of eMail use. A simple Google search will direct you to appropriate information.
Anthony Pillay
Leave a comment: