The premier weekly newspaper for the legal profession in Ontario
Issue link: https://digital.lawtimesnews.com/i/181038
Law Times • September 30, 2013 Page 15

BRIEF: LEGAL TECHNOLOGY

Training key as big law firms step up cyber-security efforts

BY JULIUS MELNITZER
For Law Times

Cyber security is a hot issue for law firms, probably a much bigger one than the profession cares to admit. Law firms, after all, aren't very likely to acknowledge publicly that they've been the target of cyber attacks, especially successful ones.

According to David Craig, PricewaterhouseCoopers LLP's Toronto-based national security practice leader, potential hackers can be state-sponsored groups, other parties interested in corporate espionage or organized crime, opportunists who exploit a weakness for one-time gain or so-called hacktivists with a cause or ideology.

The most high-profile attack in Canada started in September 2010 when hackers compromised the security of seven major Canadian firms — Blake Cassels & Graydon LLP and Stikeman Elliott LLP among them — involved in BHP Billiton Ltd.'s proposed takeover of Potash Corp. of Saskatchewan Inc. Both Blakes, counsel to BHP, and Stikeman Elliott, counsel to Potash Corp., say there was no compromise of client information.

Still, that wasn't all. Elsewhere, an unrelated attack targeted another major transaction while a third related to high-profile litigation.

In the United States, Washington-based Mandiant Corp., an information security company, estimates 80 major U.S. law firms were hacked in 2012.

Direct competitors not linked to governments may also be potential hackers. Public reports suggest, for example, that Nortel Networks Corp.'s systems had been seriously compromised before the company's demise.

Still, unscrupulous companies working alone aren't nearly as formidable a threat to law firms as state-owned enterprises. "For many western companies, hiring hackers is just illegal and off limits and few are willing to take the risk," says Stewart Baker, a partner in the Washington office of Steptoe & Johnson LLP.
"Because of the expense and sophistication involved, you're more likely to find the threat among companies, particularly SOEs, that have a close relationship with an intelligence service."

What makes law firms even more attractive to hackers is that their cyber-security defences have tended to lag behind those of their clients. "As companies get more sophisticated, the attackers have moved on to secondary targets," says Baker.

The irony is that law firms' information can be more valuable for cyber hackers than the data harboured by their clients. "For example, on an M&A deal, we sometimes have information or documentation that the clients themselves don't have," says Dick Jensen, director of technology at Goodmans LLP.

So what are Canada's law firms doing to shore up their security? Both firms and outside experts agree that awareness is increasing. "The Potash takeover incidents brought cyber security to the forefront because the attacks occurred so close to home," says Jensen. "Consequently, law firms who may have had three types of security monitoring in place now have four or five."

By way of example, the Potash incident prompted Goodmans, which was not a target in the cyber attack, to introduce an application white-listing technology. The software allows only trusted programs to run on a law firm's system.

"The theory is that everything is blocked unless it is explicitly authorized," says Jensen. "If it is not, we check it out to make sure it is what it purports to be and then allow it if it's safe because we're not trying to police our staff's online habits. But the software does step up the level of protection beyond almost anything else and catches stuff that anti-virus software would not."

By contrast, Torys LLP simply locked down end-user privileges on the firm's desktops that prevented people from installing applications without authorization.
"In the past, we had wide-open computers where people could install whatever software they chose, but that opened the floodgates to malicious software," says Patrick Laflamme, the firm's director of information services. "But we now understand that in today's environment, no one can do that without permission."

Craig agrees. "Lawyers should be aware that any change in the performance of their desktop, laptop or other device can signal a problem," he says.

But, naturally, there's a price. "Technology costs have gone up because law firms are now layering their security systems," says Laflamme.

Otherwise, keeping up with the technology is but one element of effective cyber security. "The weakest link in the cyber-security defence chain is the human link," says Sharon Mitchell, chief operating officer of Gowling Lafleur Henderson LLP.

Fixing the problem doesn't involve rocket science but it does mean breaking old habits and forming new ones. "The biggest challenge is making sure that people think before they click and exercise caution when faced with questionable e-mail or odd behaviours," says Laflamme.

Having recognized the issue, law firms are dedicating more resources to educating lawyers and staff. Torys, like many Canadian firms, has instituted formal and informal education efforts ranging from seminars to memos offering tips and tricks.

"Where organizations had put significant spending into protecting their perimeter in the past, the emphasis has now shifted to making sure that people are aware that law firms will be targeted for their data and what individuals can do to protect that data," says Craig. "A well-educated and equipped workforce is the strongest defence against cyber breaches."

Craig says proper training programs focus on awareness, a communication plan via e-mail or some other method, and formal classroom training. "Most organizations will require between one and four hours of classroom training annually for their employees.
And they should supplement this training with continual computer-based training that focuses on best practices."