Under reported, under adopted … and now under the spotlight

Dr Rois Ni Thuama
Postmasters

--

To date the scale of the email impersonation problem has been understated, meaning adoption of the essential DMARC protocol has been slow except among the world’s biggest brands. But with today’s security-conscious clients demanding that law firms show they are taking steps to protect them against phishing, it’s time to take it seriously.

Under reported: The trouble with phishing is that it’s bigger than you think

Last year the FBI’s reporting body IC3 admitted a mistake in how it collated and presented cyber crimes. The error was this: IC3 had reported Business Email Compromise (BEC) and Email Account Compromise (EAC) as two separate crimes, whereas criminals exploit the same vulnerability in both, so they ought properly to be reported as a single crime. But it doesn’t end there. The error is further compounded because BEC and EAC are achieved using the same exploit that is used in email phishing attacks. For the sake of accurate reporting, at a minimum the figures for phishing, BEC & EAC ought to be combined.

Think that’s it? It isn’t. An additional layer of complexity is introduced because the same exploit is used in email impersonation, CEO Fraud & Friday Afternoon Fraud. Despite the fact that the Solicitors Regulation Authority (SRA) treated them as separate crimes in its Risk Outlook Report 2016/17, the same technical vulnerability is being exploited in both CEO Fraud & Friday Afternoon Fraud. The only difference is the text contained in the email. Resolve the underlying technical vulnerability, remove the entry point for cyber criminals, and the text becomes redundant.

But if solving email impersonation doesn’t give you sufficient pause to start taking email security seriously, consider this: 91% of ransomware is delivered by way of an impersonated/phishing email. This means that if the ‘active security’ measures encouraged and promoted by the NCSC are adopted, and firms configure DMARC correctly, it is possible not only to solve the following problems: phishing, spear-phishing, business email compromise, email account compromise, Friday afternoon fraud and CEO fraud, but also to reduce the threat of ransomware being delivered by some considerable margin.

For cybersecurity personnel trying to identify the biggest threat to their firms, being able to rely on the accuracy of these reports is crucial, and such reporting errors have significantly impaired their ability to make an informed decision.

Under adopted: DMARC the essential protocol for securing your email, your domain and your brand

In 2012, a group of the world’s leading companies including PayPal, Google, Facebook and Yahoo formed a working committee to solve the spam and phishing problem. By building on two existing mechanisms these firms sought to protect themselves, their customers and their stakeholders from fraudulent emails through the correct configuration and maintenance of a DMARC record.

The DMARC protocol, trusted by the world’s leading companies to protect their email, domain and reputation, is the categorical line of defence against phishing attacks. Deploy the DMARC protocol correctly and there is no maybe, there is no uncertainty, there is no grey area about your level of protection. It gives firms back control over their primary communication channel.

Dr Ian Levy, Technical Director at the National Cyber Security Centre (NCSC), encouraged firms to develop ‘active security’ measures explaining that one way is to adopt a domain-based message authentication, reporting and conformance (DMARC) system. So if you thought that deploying the DMARC protocol was optional, think again. The NCSC categorised the ‘widespread adoption of the DMARC protocol’ as ‘essential to defend against targeted cyber threats.’ Simply put, it is the only way to protect against email impersonation attacks.

In fact, the operational risk to law firms is now so well understood that addressing cyber matters has become a board-level responsibility and is no longer the province of the IT department or a single entity within a firm.

Under the spotlight: Law firms are increasingly under pressure to prove their security credentials

Whether you’re currently part of the DMARC cohort or not, the universal adoption of the protocol is well under way. The world’s largest companies, those who take their brand reputation as seriously as their cyber security, such as Apple, Netflix, Twitter and eBay, not to mention those who formed the original problem-solving committee, have all implemented DMARC to great effect.

A recent attack on one of the world’s leading law firms evidenced the business disruption caused by lax cybersecurity, as the firm was still grappling with the problem 10 days after the attack. Such a high-profile incident has begun to prompt more and more prospective clients to ask some pretty probing questions about their firms’ security practices and protocols. Nowadays trust is something firms have to earn, not just expect from clients.

From a regulatory perspective, besides the recommendation by the NCSC to implement active security measures, the roll-out of the General Data Protection Regulation (GDPR) across Europe will undoubtedly act as a significant catalyst to drive the implementation of DMARC, irrespective of sector or size.

Provisions contained in the GDPR will require law firms to demonstrate that good data protection is a cornerstone of business policy and practice. The penalties alone for data breaches are set to rise from a maximum of £500,000 to £20 million or 4% of annual global turnover, whichever is higher. The real pain point for firms lies not so much in the penalties, which are at eye-watering levels, but in Art 82(1), which grants a right of civil action to ‘any person who has suffered material or non-material damage… to receive compensation’. With the persons affected by such attacks running into hundreds of thousands, sometimes millions, simply collating and dealing with those persons affected could grind law firms to a halt.

So what next?

With such a straightforward way for consumers and regulators to check compliance, the DMARC protocol is proving itself to be the easiest way for clients to assess a law firm’s external cyber security posture. For any firm not yet investigating how DMARC can protect both them and their clients from the fallout of successful email impersonation, it’s only a matter of time before their hand is forced.

Law firms are urged to be proactive and begin to evaluate the plethora of cybersecurity solutions in the market to understand how they can help them meet their DMARC requirements.

And just to turn the tables, the easiest way for firms to evaluate DMARC solution providers is to double-check the cybersecurity firm’s own DMARC record. Have they configured the DMARC protocol on their own domain? Are they making sense of their reports? Are they ISO/IEC 27001:2013 accredited? The absence of a correctly configured DMARC record would raise fundamental questions as to the legitimacy of those so-called cybersecurity experts.
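As an added example, not the author’s or OnDMARC’s code, here is a small Python check of the kind a prospective client could run over a published DMARC record (the TXT record at `_dmarc.<domain>`): it parses the record and flags the points raised above, whether a policy is set and actually enforced, whether it applies to the whole mail stream, and whether aggregate reports (`rua`) are being collected at all. The sample records and the example.com addresses are constructed.

```python
# Added example, not from the article: grade a DMARC TXT record the way a prospective
# client might. The record is published at _dmarc.<domain>; DNS lookup is omitted so
# this runs offline on the constructed sample records below.
from dataclasses import dataclass, field

# Constructed samples for illustration only (example.com is a reserved domain).
SAMPLE_RECORDS = {
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "monitor_only": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@example.com",
    "broken": "p=reject; v=DMARC1",
}

@dataclass
class DmarcAssessment:
    valid: bool                              # True only if enforcing, fully applied and reported
    tags: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

def parse_dmarc(record: str) -> dict:
    # Split "tag=value; tag=value"; RFC 7489 requires v=DMARC1 to be the first tag.
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    return tags

def assess_dmarc(record: str) -> DmarcAssessment:
    try:
        tags = parse_dmarc(record)
    except ValueError as err:
        return DmarcAssessment(False, findings=[str(err)])
    findings = []
    policy = tags.get("p")
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    pct = tags.get("pct", "100")   # default is 100 per RFC 7489
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of the mail stream")
    return DmarcAssessment(not findings, tags, findings)
```

Only the "enforcing" sample passes; a `p=none` record with no reporting address is exactly the case the article warns about, a record that exists but protects nobody.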

Simply put, the implementation of DMARC is cybersecurity 101 for everyone, law firms and cybersecurity vendors alike.

--

Dr Rois Ni Thuama
Postmasters

Specialising in cyber governance, cyber crimes & cybersecurity. Working with OnDMARC to protect email.