Spotlight

The cybercrime epidemic: what you should know


It was a cyberattack that captured the attention of the world. In June this year, the NotPetya virus struck companies around the globe, crippling computer systems, including those of a leading international law firm.

In the months that followed, the afflicted firm not only had to cope with the massive task of rigorously restoring its computer operations while relying on alternative technology, but it also had to negotiate a media storm.

This incident was far from the only casualty of the NotPetya virus – several companies and organizations estimate that their losses from the attack could be measured in hundreds of millions of dollars.

“As a leading legal firm, our clients come to us for confidential legal advice,” explains Steven Chabinsky, the Chair of our Global Data, Privacy & Cybersecurity Practice, “so while you can measure the operational costs of an attack like this, the lasting damage to reputation and confidence, both to our clients and the Firm, could be far greater.

“In fact, one of our largest practices is Mergers & Acquisitions – a field that relies on intense secrecy and confidentiality – so the ramifications of client data being compromised are magnified.”

No wonder then that the Firm prioritizes cybersecurity. CIO Tony Cordeiro explains: “Back in 2011, we were one of the first law firms to obtain our ISO 27001 Certification.  It demonstrates to ourselves and our clients that we’ve reached a high benchmark level when it comes to our cybersecurity and data protection processes, policies and culture.

“We’re finding that clients are asking us about our cyber and data protection credentials far more often than they did in the past.”

Our cybersecurity team includes five dedicated engineers as well as a team of 10 analysts in our Global Operations Centre in Manila but, in reality, our cybersecurity culture is embedded and realized by all of us (not just those in IT) across the world.

DID YOU KNOW?

A hacker can crack a single-word password (e.g., football) instantly! Create a passphrase instead (e.g., F00tb@lli5fun!) using a mix of numbers, symbols and upper and lower case letters.

It’s a threat that requires constant vigilance, as Tony explains: “When it comes to cybersecurity, the first thing any company or organization needs to do is secure the perimeter, so the bad guys don’t get in. After that, you ask yourself: if they did manage to get through, what sort of things would they be targeting?

“By doing that, we can add more fortification and segregation to those areas, so even in the event of a breach of the perimeter, the attackers can’t get to the crown jewels and do serious damage.

“It’s about knowing your enemy and adopting a hacker mindset, but never drawing the conclusion that what we have done is good enough.  We must always have humility when thinking these elements through.”

The Firm is equally vigilant when deciding who can access different types of data to minimize the threat of an increasingly popular form of cybercrime: ID theft. We recently ran a global exercise that mimicked a phishing attack on the business to test our resilience.

Tony says: “Though hacking is constantly evolving, the number one way that hackers attempt to steal credentials is still via simple phishing emails.

“Hackers will generally target vulnerabilities in a company’s security and, in most cases, they do this by targeting people. That’s why educating colleagues and instilling a vigilant culture is so important.”

In October, we ran an educational campaign across the Firm aimed at raising cybersecurity awareness. It included daily articles in The Reporter Daily, mandatory training, ‘Lunch and Learn’ sessions in selected offices, streamed global presentations, videos and more.

The campaign also saw the rollout of desktop wallpaper offering top tips to help everyone improve their personal cyber and information security.

Tony says: “This campaign has been about raising awareness, building a secure culture, and making sure you let us know if you see or receive anything suspicious. We are here for you. We all have a role to play in protecting Firm and client information.”

While the Firm’s cyber and data protection policies and procedures are rigorous, the team is keen to ensure any security measures have the minimum impact on our colleagues’ ability to do their jobs effectively and efficiently.

Tony says: “Some clients have asked us to deactivate USB ports from all our computers but, to do that, we’d make it very difficult for some of our other clients to share data with us. We recommend that our clients share data with us through our own secure file transfer site (similar to Dropbox) and minimize the use of USBs. They should only be used if encrypted.

“One of the Firm’s strategic goals is to create a great place to work, so balancing our security needs while not making working here too difficult to actually get the work done is vital. We have to balance security policy against getting the job done in a sensible way and it isn’t always easy!

“And, of course, ensuring we’re able to continue offering a safe, trusted service to our clients is absolutely core to our global strategy.”

Helping clients through the maze

Chair of our Global Data, Privacy & Cybersecurity Practice Steve Chabinsky is well placed to appreciate the threat of cybercrime. Before joining the Firm in November 2016, he spent over 15 years with the FBI and was senior cyber adviser to the US Director of National Intelligence.

During his career, he’s provided cybersecurity advice to three US Presidents and, while General Counsel and Chief Risk Officer for the cybersecurity firm CrowdStrike, he was appointed to the Commission on Enhancing National Cybersecurity, which released its findings to incoming President Trump in December 2016.

“If you look at our clients you are unlikely to find any that don’t have reasons to be concerned about cybercrime,” Steve says.

“With critical infrastructure dependent on digital control systems, key industries dependent on network infrastructure, and consumer products increasingly connected to the internet, hackers can target anything from the systems that monitor hazardous equipment, to traffic light systems, energy distribution networks and even the braking systems of cars.”

Cyber and data security is something clients are increasingly asking the Firm to advise them on – whether that’s helping clients comply with privacy laws and contractual obligations, advising them on cybersecurity preparedness, or working with them to respond in the event of a security breach.

“We’ve got an extremely strong team across the globe and our cybersecurity experts also do a lot of cross-practice work, for instance helping our Financial Institutions Industry Group and M&A teams when their clients need advice on privacy and cybersecurity issues,” says Steve.

The Firm is currently helping many clients make sure they comply with the European Union’s General Data Protection Regulation, which takes effect in May 2018.

Steve adds: “We’re also advising a growing number of clients about the complicated legal and security challenges involved in moving their data and services to the ‘cloud.’  They want their global workforce to collaborate and share data across boundaries, but they recognize the need to take into account that data laws differ significantly from one country to another.”

Cybersecurity is indeed a fast-growing practice for the Firm. Steve says: “There is nothing to suggest it won’t continue to grow and, with the rapid boom in the Internet of Things, the likelihood is that demand will increase even faster.”

Received a suspect email? Tell the team by forwarding it to SPAM@whitecase.com