Martin Sutherland: 'The only scenarios we can test are those that we can anticipate, so be prepared for the unexpected.'
Allen Grubman, the most powerful lawyer in the music business, once told Vanity Fair: “I’m a big believer that success in business is 75 percent luck, 25 percent brains.”
In early May, his luck ran out.
Grubman Shire Meseilas & Sacks (GSMS), the law firm he founded, is used by a string of A-list celebrities including Madonna, Elton John and Lady Gaga. GSMS was hacked by cyber attackers who have not only encrypted GSMS’ IT systems, making them unusable, but who also claim to have siphoned off 756 gigabytes of data including contracts and personal emails.
The attackers are demanding a $42m ransom be paid. Professional service companies represent 18% of organisations targeted by attackers using ransomware — software used to encrypt files until a ransom is paid.
In this increasingly hostile digital age, law firms are sitting ducks and it is hard not to have sympathy for GSMS — like many boutique law firms cyber security is not an area of core business and so it’s hard to attract and retain the necessary skills and expertise in house to defend against ever more sophisticated cyber attacks.
GSMS’ options at this moment are stark: call the attacker’s bluff and run the risk of data disclosure, or reach a deal and pay up to $42m. Overnight GSMS’ key assets — its A-list clients — have become a potentially litigious liability.
The US national security authorities are on the case, but it is hard to see what federal fig leaves they can provide to prevent the full effects of disclosure. Whatever the outcome for GSMS, reputational damage like this will take a while to heal.
What can law firms do to avoid a similar fate?
The world is awash with advice on tactical things that law firms should do to manage cyber risk (awareness training, filtering suspicious emails, segregating and backing up sensitive data, patching software vulnerabilities, and so on).
The most authoritative advice is provided by national agencies like the UK National Cyber Security Centre, which is blissfully jargon free.
Here is some strategic cyber security advice for the executive management of law firms:
1. Understand your risks, don’t just follow the rules: cyber security based on compliance to rules or standards may make it easier to get through client audits, but it may not make you secure. Standards take many years to agree and implement, by which time the cyber threat has moved on, and they reflect the minimum capability that standard-setters consider to be generally appropriate, rather than a target capability. Excessive emphasis on codes of compliance rather than responsibility gives rise to complacency and raises the risk of failure. Independently scrutinise standards set by consensus and create a logical, defensible cyber risk strategy, specific and appropriate to your firm.
2. Have ‘skin in the game’: make those responsible for managing risk define the cyber risk management strategy: it can’t be outsourced - you have to own it yourself. Perhaps it’s a difficult parallel to draw, but the house of cards that was the financial crisis of 2007 is an example of risks associated with new and complex financial products such as collateralised debt obligations being widely misunderstood, misplaced and mishandled. Law firm executive partners need to understand their own risks and have ‘skin in the game’.
3. Compensate for the biases that mar our risk judgements: we trust celebrity endorsements, people in suits, anything printed - especially charts and precise numbers even when they are wrong. We are prone to the illusion of certainty. Our risk perception frailties are well documented. Recognise them and compensate for them.
4. Adopt a security strategy focused on your most valuable assets: a combination of high and low-risk management strategies works well. Do the basics really well to frustrate the efforts of any would-be attacker. Don’t make their lives any easier. But focus your investment on your critical assets. Identify and then protect to the maximum extent possible the IT systems that host your most valuable data.
5. Rehearse what you would do when a security incident happens: periodic testing of your security incident response playbooks effectively vaccinates your firm against a breach and makes it 'less fragile'. This is not just an exercise for the IT team, but at all levels in the firm. Companies that have shown the greatest resilience in the face of a security incident are those that have learned how to operate without internet access or even without IT. Make provisions for re-building your IT from scratch.
6. Expect the unexpected: the only scenarios we can test are those that we can anticipate, so be prepared for the unexpected. Have a trusted partner on standby to help with incident response if needed. Do the work ahead of time to ensure you have the agreements in place so that time isn’t wasted when the crisis hits. Also consider cyber insurance as the last line of defence against the unexpected.
Bookshop shelves groan under the weight of books dissecting in dramatic detail the latest disaster and explaining 'why the thing we don’t really understand and didn’t predict was bound to happen and how next time we will spot it sooner'.
Perhaps the best way to cultivate good risk management behaviour is to let market forces punish those who fail. French philosopher Voltaire remarked how the Royal Navy achieved this, by the example it made of Admiral Byng; “It is good to kill an admiral from time to time ‘pour encourager les autres’”.
Martin Sutherland is chief executive of Reliance acsn. One of the early pioneers of cyber technology, he was involved in cutting edge digital technology projects at Accenture and BT. He also served as managing director at Detica, a UK leader in AI and counter measures (later acquired by BAE).