“It can happen in two ways, it can absolutely be targeted, somebody could decide that a particular entity is holding information that they want.”
Lyons said attacks also occurred when a hacker took a scatter-gun approach to try to find places that were vulnerable.
“That might be sending out emails with fake invoices or attachments, it might be sending other messages, it might be getting them to click on pages on compromised websites.”
Lyons said once a hacker was in, their criminal intent took over.
“Once they are in they will be trying to find out just about everything about that organisation and see what’s of value in there, that they can take to either sell or exploit the original owners of that information to blackmail them into giving them money.”
He said it was often harder for small businesses to stay protected, as many bigger organisations had their own cyber-security departments.
“For smaller businesses, it is being aware that these things can happen, that the data they store is of value to other people.
“Some people might think ‘what could be the value, why could I be a target’ but, like I said, people aren’t always initially a target, but the information that is in there could be of value to somebody, and blackmailing organisations might be a good way for a criminal to make money,” he said.
Netsafe’s chief online safety officer Sean Lyons
The attack came not long after the Law Society sent advice to its members on how to best manage such threats, and how to keep safe.
Chief executive Katie Rusbatch said attacks were becoming more common.
“We’ve seen this on the rise recently and we have identified a need for some guidance and training in this particular area and that’s been a focus for us.
“So really in terms of the guidance that we’ve shared, it’s focusing on how these things like cyber attacks can happen, what those common threats to law firms are, whether that’s things like email compromise or phishing ...
“And then also some guidance that law firms and lawyers can take to minimise the risk and create an environment for stronger security.
“So providing some really practical guidance in that space so that lawyers can be prepared and also create a culture where they have an awareness of what those risks are.”
Practical steps available
Rusbatch said there were simple things firms could do to keep safe.
“So things like secure access and authentication, there is a lot talked about now about multi-factor authentication for things like emails, trust account systems that law firms might have, keeping systems up to date, so regularly applying software and security updates.
“Training, testing your people, so really making sure that staff have an awareness of phishing and safe email practices and running through some tests in that regard so that people are able to see how they respond if there might be a phishing email.
“So really creating awareness with your staff and then planning for incidents as well, if something does happen, making sure that you have an incident response plan, that you know who to contact, who the cyber specialists are that you might need to contact.
“And then other things that backup and recover systems, making sure you have backups offline and the secure cloud and that sort of thing as well,” she said.
The Office of the Privacy Commissioner confirmed Langley Twigg Law had been in touch about the attack.
“We will continue to work with them as they further investigate this incident, including ensuring they are aware of their legal obligations in relation to a privacy breach that either has caused or is likely to cause anyone serious harm.
“We would expect Langley Twigg to provide any further detail they would want to share in relation to this,” a statement said.