Why Broken Windows Can Explain the Legal Sector’s Growing Cyber-Crime Problem

Throughout the comparatively brief history of cyber crime, there have been a handful of key moments at which entire industries have been jolted into viewing the problem in an entirely new light.

For the legal sector, this moment arrived in July 2018 with the publication of a joint National Cyber Security Centre (NCSC) and Law Society report revealing that not only had three in five law firms reported an information security incident in the previous 12 months, but £11 million of client money had been stolen via cyber crime over the same period.

These stats remind us that it’s far easier to scale a firm’s virtual walls than it is to break into its physical headquarters. But rather than being alarmist about an issue that has grown steadily for years already, it’s worth remembering that this shift to the virtual domain is in part because we’ve grown very good at physical protection. Actually, we’re pretty good at real-world crime prevention in general.

So, rather than dwelling upon our virtual vulnerabilities, let us ask what lessons firms can draw from real-world crime fighting in order to develop a more robust approach to cybersecurity?

Displaying broken windows

Broken Windows Theory first rose to prominence back in 1982, but it rings true in today’s cyber domain. The theory is that a building with a few broken windows is more likely to be subject to further vandalism. The broken windows provide an indicator as to the strength/weakness of overall security, and thus signal the ‘exploitability’ of the building. Repair the broken windows quickly and the vandals are much less likely to break more or escalate their crimes.

While, in the virtual world, the broken windows may not be quite as obvious to passers-by, they still exist and they still give criminals a vital insight into whether a particular target is worth pursuing.

Flat-earthers and scam susceptibility

Ultimately, these crimes are being carried out by humans, and humans select their ‘victims’ in pretty much the same way online as they do offline – by examining demeanour and behaviour.

Criminals don’t want to waste time targeting people who won’t be susceptible to their scams, so they devise ways of filtering for the vulnerable. Take the flat earth scam, whereby criminals push out insupportable claims about the earth being flat to see who responds. Anyone who proves amenable is effectively showcasing that either their critical faculties – or their broader ‘social’ networks – are below par. The criminals then ask for donations to help fund an experiment to build a rocket and, amazingly, it works.

The same logic explains why Nigerian Prince scammers send emails with obvious spelling errors, to separate the wary from the credulous. It’s why the old and lonely are so frequently preyed upon. They are identified as more vulnerable and, just as these targets might be more likely to invite a stranger in for a cup of tea, they’re also more likely to take the bait in an email.

Are you viewed as a difficult target?

Alongside demeanour sits behaviour – not just what people say, but the way they conduct themselves. For example, we never intentionally leave our smartphone on our car seat in plain view because we know that an opportunistic criminal might spy it and grab it. When it comes to keeping our homes safe, we lock the windows and doors and we clearly signpost the presence of an alarm system – a show of strength to would-be burglars to encourage them to move on.

We can better protect ourselves from such incidents in the virtual world by improving our external security posture. If we convey a signal that we’re robust (i.e. a difficult target to steal from) then we’re less likely to be targeted in the first place.

Doing the basics well goes a long way

Broken Windows Theory was implemented during the 80s by New York police commissioner Bill Bratton, who successfully targeted minor disorder on the city’s transit system to help reduce more serious crime.

Bratton singled out fare evasion as the biggest broken window in the system. By targeting this, the police prevented many criminals from getting on the trains and platforms in the first place, reducing muggings, robberies and pickpocketing, while picking up a significant number of people with other outstanding arrest warrants in the process.

The lesson is clear: your external posture is a beacon indicating your ‘exploitability’ to criminals, so you should start with your biggest, most visible problem first. And, by consistently doing the small things well, you’ll greatly reduce your exposure to a whole array of other potential risks.

So here are four best-practice tips to help fix those broken windows:

  1. Check your supply chain. Research suggests that half of attacks involve supply chains, so it’s worth mapping your supply chain to determine how far it extends, and insisting that everyone within it has the basics covered, for example, adherence to Cyber Essentials or the Minimum Cyber Security Standard.
  2. Keep up with patching. Patching devices can be a pain for large organisations to manage. But these patches are designed to stamp out software vulnerabilities that may not even be publicly disclosed. Not only are you closing down attack vectors, but you’re giving criminals a clear indication that robust internal security practices are in place.
  3. Implement global standard protocols. Many vendors are now collaborating to create security ‘fixes’ that can be baked into everyone’s technology. You need to get up-to-speed on which standards are relevant to your organisation and consider how to implement the right technical solutions to deliver against them. Organisations that fail to uphold these standards are more likely to be attacked, as they’re visibly an easier target.
  4. Follow best-practice and spread the word. It’s hard to keep on top of such a fast-changing security environment, so look to credible, independent sources – such as the NCSC or The Law Society – that are doing a fine job of sharing best-practice guidance. In addition, reference what other law firms are doing, and don’t be afraid to promote the work you’re doing to defend your organisation. It all helps. For example, many of the security standards above will only achieve their true potential once there’s widespread adoption. DMARC is a case in point – a vital protocol that entirely prevents fraudsters from sending spoof messages from your email domain. By spreading the word and getting DMARC more widely implemented, we can stamp out the problem for good, leaving us one less broken window to worry about.
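A domain's DMARC record is published in public DNS, so it is one of the windows anyone can inspect, and the protection described above only applies once the record carries an enforcing policy (`p=quarantine` or `p=reject`). The check below is an added example, not part of the original article: it classifies the TXT strings already retrieved from `_dmarc.<domain>`, and the function names and sample domains are hypothetical.

```python
def parse_dmarc(txt):
    """Return the tag dict, or None unless the record starts with v=DMARC1 (RFC 7489)."""
    tags, first = {}, None
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if not sep:
            continue  # empty segment or stray text
        key, value = key.strip().lower(), value.strip()
        first = first or (key, value)
        tags.setdefault(key, value)
    return tags if first == ("v", "DMARC1") else None

def assess(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>: (status, findings)."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not records:
        return "missing", ["no DMARC record published"]
    if len(records) > 1:
        return "invalid", ["more than one DMARC record; receivers apply none"]
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["p= tag missing or unrecognised"]
    findings, status = [], "enforced"
    if policy == "none":
        status = "monitor-only"
        findings.append("p=none: receivers take no action on failing mail")
    else:
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            status = "partial"
            findings.append(f"pct={pct}: policy covers only part of failing mail")
        if tags.get("sp", policy).lower() == "none":
            status = "partial"
            findings.append("sp=none: subdomains are left unenforced")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports on who sends as you")
    return status, findings

SAMPLES = {  # constructed records; the domains are hypothetical placeholders
    "firm-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@firm-a.example"],
    "firm-b.example": ["v=DMARC1; p=none"],
    "firm-c.example": ["v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:d@firm-c.example"],
    "firm-d.example": ["v=spf1 -all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, *assess(records))
```
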
