Our blog this week takes a look at a common misconception among some SMEs - that their businesses are so unique that they need specialist software and/or specialist support for it to be effective. However, we here at Virtuoso have learnt through experience that this is often not the case, and the following account is a prime example of where the cloud might just be the easiest way to hit your IT infrastructure objectives.
A few weeks ago we wrote in one of our blogs, cyber-security-lessons-for-law-firms “….for law firms the safety and security of their own and clients’ data is not only a legal and compliance requirement, it is also essential to their….survival.”
Why are law firms such an attractive target for hackers?
This is a question worth considering, because the reasons behind the hacking of law firms help illustrate the security needs peculiar to law firms.
Take the example of New York law firms Cravath Swaine & Moore and Weil Gotshal & Manges. According to reports in the Wall Street Journal and Fortune during 2016, both these prestigious firms were hacked in an insider-trading scheme that involved planned mergers. The motive was clear: financial gain. And what better way to get information about future corporate mergers than to target firms active in the M&A market? Both firms, it should be said, denied that there was evidence of anyone benefiting from the hack, although they did not deny that there had been a hack.
In 2012 Bloomberg reported that Wiley Rein, one of the largest law firms in Washington, DC, was hacked - reputedly by Byzantine Candor, a group linked to the Chinese People’s Liberation Army. Of course, accusations of cyber attacks by nation states are easy to make but harder to prove. At around the same time, twenty other companies, including nine law firms, were hacked by the same or linked groups. The motive was apparently industrial espionage, and the reason these specific law firms were targeted is instructive to consider.
All the law firms hacked were engaged in activities relating to China: pursuing trade claims on behalf of US firms against Chinese exporters, or acting on behalf of oil & gas companies drilling or bidding for drilling rights in seas near or claimed by China. In the case of Wiley Rein, the firm was acting on behalf of SolarWorld, which at that time was also hacked by the same group (Byzantine Candor). Why?
SolarWorld was scaling up for mass production of Passivated Emitter Rear Contact (PERC) solar cells, one of the first manufacturers in the world to do so. At the same time they were fighting a trade case against the importation of solar cells from China, citing unfair competition. Engineering and other IP was stolen and, coincidentally, a Chinese solar cell manufacturer brought a PERC solar array to the market 18 months before they were expected to do so.
Wake up call
It may surprise you that up to 80% of IT security breaches may originate in the supply chain. Some of the most high-profile hacks were at Target, Home Depot, Sony, Sears and JP Morgan Chase. The scale of the hacks is staggering. The Home Depot hack involved the compromise of 65 million customer accounts, and the JP Morgan Chase hack had an impact on 7 million businesses. Perhaps the most interesting was Target: not only did the hackers gain access to the personal information of some 70 million customers, but the manner in which they did so is illuminating. They breached security by stealing network credentials from Fazio Mechanical Services, a provider of heating, ventilation and air conditioning (HVAC). How did they steal them? By stealing credentials from a supplier to Fazio. So at two removes Target was compromised through its supply chain. The other noteworthy point is that this was an HVAC supplier. What could have been stolen if it had been a firm of external auditors doing work in Target, or a management consultancy? A corporation the size of Target surely had a few management consultants working on something at any one time. Or, even more lethal, the law firm(s) used by Target.