
Cybersecurity expert Michael Gazeley has tackled threats to businesses of all sizes. What worries him in particular is the legal sector, and the lack of security strategy in many law firms.

Michael Gazeley is the managing director and co-founder of Network Box Corporation, a leading managed security service provider (MSSP) based in Hong Kong dedicated to protecting its clients from incoming threats from the internet such as intrusion attempts, zero-day threats, trojan infections, viruses and other malware, spam, denial of service, and more.

With more than three decades of experience in IT, Gazeley has established himself as a key figure in the cybersecurity landscape. He co-founded Network Box with longtime business partner Mark Webb-Johnson, and the company has grown to become one of the world’s leading MSSPs. Network Box has won more than 170 international awards for its security technologies.

Asia Business Law Journal: Can you tell us about your company?

Michael Gazeley: Network Box started back in 1999 with a clear mission: to offer reliable and effective cybersecurity solutions. We were a small team, passionate about helping businesses protect their digital assets. We faced numerous challenges but our commitment to this mission kept us moving forward.

In those early days, the concept of cybersecurity was still evolving. Many businesses did not fully understand the risks associated with cyber threats, or the need for comprehensive security measures. This presented both a challenge and an opportunity for us. We had to educate our potential clients about the importance of cybersecurity while also developing solutions that could effectively protect their digital assets.

One of our first major breakthroughs came when we developed a fully managed security service that provided continuous monitoring and protection against cyber threats. This service, leveraging our patented push update technology, was a game changer for many businesses, as it allowed them to focus on their core operations while we took care of their cybersecurity needs. This early success helped establish our reputation as a reliable and innovative provider of cybersecurity solutions.

As we grew, we began to expand our services to meet evolving needs. We introduced threat detection and response capabilities, which allowed us to identify and neutralise potential threats before they could cause significant damage. We also developed advanced firewall management services to protect our clients’ networks and digital perimeters.

Our journey from a small startup to a global company has been marked by continuous learning and adaptation. We’ve had to stay ahead of rapidly evolving cyber threats and constantly innovate to provide the best possible protection for our clients. Today we have a presence in multiple countries and serve a diverse range of clients.

ABLJ: Who does Network Box serve as clients and what services do you provide?

Gazeley: We work with a variety of clients, including businesses, government agencies, financial institutions, medical facilities, educational organisations, and of course law firms. Each of these sectors has unique security needs, and we tailor our services to fit those requirements. Our main services include fully managed security, threat detection and response, firewall management and security consulting.

Our managed security services offer continuous monitoring to protect against threats. This is especially crucial for businesses that cannot afford to have their operations disrupted by cyberattacks. With our managed services, clients can have peace of mind knowing that their networks are being monitored around the clock by experienced cybersecurity professionals.

One of the key factors that set us apart is our proactive approach to cybersecurity. Rather than just reacting to threats, we focus on anticipating and preventing them. This proactive stance is crucial in a landscape where cyber threats are constantly evolving, and new vulnerabilities are discovered regularly. By staying ahead of the curve, we can provide our clients with the highest level of protection.

Our clients come from a wide range of industries, each with its unique challenges and requirements. For instance, government agencies often deal with highly sensitive information and need stringent security measures to protect against espionage and cyber terrorism. Financial institutions handle vast amounts of personal and financial data, making them prime targets for cybercriminals. Educational organisations, on the other hand, need to protect student data and research information while ensuring that their networks are accessible to students and staff.

Tailoring our services to meet the specific needs of each client is one of our strengths.

ABLJ: Why are you so concerned about law firms you have dealt with?

Gazeley: The rise of sophisticated cyberattacks has made it essential for law firms to reassess their security protocols. This is not just about adopting new technology; it is about preserving the foundational values of the legal profession.

Confidentiality, the bedrock of the attorney-client relationship, is at constant risk in a world where data breaches can occur in an instant. Without stringent cybersecurity defences, the integrity of client communications and case details can be compromised, destroying the trust clients place in their legal representatives.

Maintaining the integrity of legal practice extends beyond the courtroom to include the protection of all data handled by law firms. A single cybersecurity lapse can lead to data manipulation or loss, jeopardising the fairness and accuracy of legal processes. Ensuring data integrity through advanced cybersecurity measures is imperative for upholding justice. Cyber threats test the legal profession’s commitment to these values, making comprehensive security strategies essential.

Ethical obligations demand rigorous protection of client information. Failure to meet these standards can result in severe legal and professional consequences, including breaches of confidentiality and loss of client trust. Proactive cybersecurity measures reflect a law firm’s dedication to fulfilling these ethical responsibilities and reinforcing the indispensable trust clients have in their lawyers.

One area that particularly concerns me is the cybersecurity posture of law firms. These organisations handle a wealth of sensitive and confidential information, making them prime targets for cyberattacks. Despite this, many law firms may not have adequate security measures in place, leaving them vulnerable to breaches. My interactions with various law firms have revealed a troubling pattern of complacency, underscoring the need for heightened vigilance and proactive security practices.


Law firms often deal with highly sensitive information, including client data, legal strategies, financial records and intellectual property. This information is valuable to cybercriminals, who can use it for financial gain, identity theft, or corporate espionage. The consequences of a cyberattack on a law firm can be severe, leading to data loss, financial damage and significant reputational harm.

One of the reasons for this complacency is that many law firms may not fully understand the risks they face. Cybersecurity can often seem like a distant concern, especially for firms that have not yet experienced a major breach. However, the reality is that cyber threats are very real and very immediate. Law firms need to be proactive in protecting their information and their clients’ information.

My concern stems from a deep understanding of these risks and a commitment to helping law firms strengthen their defences. I emphasise the importance of implementing robust cybersecurity measures, conducting regular security assessments, and providing ongoing training to employees. By adopting these practices, law firms can mitigate the risks of cyberattacks and protect their clients’ information.


ABLJ: Can you give some examples?

Gazeley: Perhaps the absurdity of the situation can be best captured in a short, real, and profoundly sad conversation I had with a leading Hong Kong barrister. The barrister had requested a meeting at his chambers to discuss the need for cybersecurity. At the end of the meeting, as we walked to the lifts, the barrister remarked, “I didn’t realise how incredibly precarious our data security is.”

“So, you will actually implement effective cybersecurity measures to protect yourself?” I asked.

The barrister replied, “No need. We trust in the law. If a hacker dares to attack us, we shall simply sue them for damages.”


At first, I thought he was joking. Then, with growing despair, I realised the barrister was completely serious. Here stood a highly intelligent barrister, at the pinnacle of the legal profession, making no common sense whatsoever. It was a stark reminder of Voltaire’s famous axiom: “Common sense is not so common.”

Over the years, we have seen many incidents that highlight the importance of strong cybersecurity measures. One example involved a prominent law firm that fell victim to a phishing attack. The attackers managed to access sensitive client information, leading to severe repercussions for the firm. This incident emphasised the need for comprehensive cybersecurity strategies and regular training for employees.

In the case of the law firm, the attackers used a well-crafted phishing email to trick an employee into revealing their login credentials. Once the attackers gained access to the firm’s network, they were able to exfiltrate sensitive client data, including legal documents and financial records. The breach resulted in significant legal penalties and financial losses for the firm, as well as damage to its reputation.

This incident also highlighted the importance of employee training in cybersecurity. Phishing attacks are one of the most common methods used by cybercriminals to gain access to sensitive information. By training employees to recognise and respond to phishing attempts, organisations can significantly reduce the risk of successful attacks.


In another case, we helped a law firm deal with an insider threat. An employee had been leaking sensitive data due to weak internal security measures. This case highlighted the importance of monitoring internal activities and implementing strict access controls to prevent similar incidents. By conducting regular audits and monitoring employee activities, organisations can detect and mitigate insider threats before they can cause significant harm.

Insider threats are a growing concern in the cybersecurity landscape. Employees, whether intentionally or unintentionally, can pose significant risks to an organisation’s security. Implementing strict access controls, regularly reviewing user permissions and monitoring user activities are crucial steps in preventing and mitigating insider threats.
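The access review and activity monitoring described in this answer can be made concrete with a small script. The following is an added example, not Network Box's or any law firm's own tooling: the account export, the approved-admin set, the document-management audit log lines and the thresholds are all constructed assumptions chosen to show the three checks (unapproved privilege, stale accounts, bulk after-hours downloads) working together.

```python
"""Added example of a periodic insider-risk review: unapproved admin rights,
stale accounts, and bulk after-hours document downloads. All data below is
constructed for illustration; it is not from any real firm."""
from collections import defaultdict
from datetime import date, datetime

# Constructed directory export: role, whether the account holds admin rights,
# and the date of its last sign-in.
ACCOUNTS = [
    {"user": "a.chan", "role": "partner", "admin": False, "last_login": "2024-05-02"},
    {"user": "b.lee", "role": "paralegal", "admin": True, "last_login": "2024-05-01"},
    {"user": "it.admin", "role": "it", "admin": True, "last_login": "2024-05-03"},
    {"user": "c.wong", "role": "associate", "admin": False, "last_login": "2023-11-20"},
]

# Assumed policy: only these accounts may hold admin rights.
APPROVED_ADMINS = {"it.admin"}

# Constructed document-management audit log:
# timestamp  user  action  document  bytes
AUDIT_LOG = """\
2024-05-03T09:12:44 a.chan DOWNLOAD DOC-1021 240000
2024-05-03T10:05:00 it.admin LOGIN - 0
2024-05-03T23:41:10 b.lee DOWNLOAD DOC-3310 9800000
2024-05-03T23:42:05 b.lee DOWNLOAD DOC-3311 8700000
2024-05-03T23:43:51 b.lee DOWNLOAD DOC-3312 9100000
2024-05-03T23:44:12 b.lee DOWNLOAD DOC-3313 7600000
"""


def unapproved_admins(accounts, approved):
    """Accounts holding admin rights that are not on the approved list."""
    return sorted(a["user"] for a in accounts if a["admin"] and a["user"] not in approved)


def stale_accounts(accounts, today, max_days=90):
    """Accounts that have not signed in for more than max_days (assumed threshold)."""
    stale = []
    for a in accounts:
        idle = (today - date.fromisoformat(a["last_login"])).days
        if idle > max_days:
            stale.append(a["user"])
    return sorted(stale)


def bulk_after_hours(log, start_hour=8, end_hour=19, threshold=3):
    """Users with at least `threshold` downloads outside assumed business hours."""
    counts = defaultdict(int)
    for line in log.splitlines():
        ts, user, action, _doc, _size = line.split()
        hour = datetime.fromisoformat(ts).hour
        if action == "DOWNLOAD" and not (start_hour <= hour < end_hour):
            counts[user] += 1
    return sorted(u for u, c in counts.items() if c >= threshold)


def review(accounts=ACCOUNTS, approved=APPROVED_ADMINS, log=AUDIT_LOG, today=date(2024, 5, 4)):
    """Run all three checks and return the findings for the reviewer."""
    return {
        "unapproved_admins": unapproved_admins(accounts, approved),
        "stale_accounts": stale_accounts(accounts, today),
        "bulk_after_hours": bulk_after_hours(log),
    }


if __name__ == "__main__":
    for check, users in review().items():
        print(f"{check}: {', '.join(users) if users else 'none'}")
```

Each finding is a prompt for a human decision rather than an automatic block: a paralegal with admin rights is removed from the group, an account idle for months is disabled pending confirmation, and a run of large late-night downloads is escalated to the partner responsible for that matter. Running the review on a schedule is what turns "strict access controls" into something that is actually enforced.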

ABLJ: What are your observations on the preparedness of law firms in various jurisdictions throughout Asia?

Gazeley: The level of cybersecurity preparedness among law firms varies significantly across different regions. In places like Singapore, firms generally have better security measures due to stricter regulations and greater awareness. Hong Kong also has the Personal Data (Privacy) Ordinance, which provides a framework for data protection and privacy. However, in developing regions, limited resources and less stringent regulations often lead to weaker security postures.

Singapore has established itself as a leader in cybersecurity in the region. The government has implemented the Cybersecurity Act, which provides a regulatory framework for critical information infrastructure owners to protect their systems against cyber threats. The act also mandates regular security assessments and incident reporting, ensuring that organisations are prepared to respond to cyber incidents.

In Hong Kong, the government is about to implement new comprehensive cybersecurity regulations for critical infrastructure that require organisations to adopt robust security measures. These regulations include mandatory data breach notifications, regular security assessments and strict access controls.

Conversely, law firms in developing regions often face challenges in implementing effective cybersecurity measures. Limited resources, lack of expertise, and less stringent regulatory requirements contribute to weaker security postures.

These firms may struggle to keep up with the rapidly evolving threat landscape, leaving them vulnerable to cyberattacks. My work with law firms across different jurisdictions has given me valuable insights into these disparities and the need for tailored approaches to cybersecurity.

In some developing regions, there may be a lack of awareness about the importance of cybersecurity, leading to complacency and inadequate security measures. Additionally, limited access to advanced security technologies and resources can make it challenging for law firms to implement robust cybersecurity frameworks. Addressing these issues requires a concerted effort to raise awareness, provide education and build capacity in these regions.

ABLJ: What do you say to law firms that may complain about the cost of security?

Gazeley: It is utterly illogical for any law firm to disregard the critical necessity of robust cybersecurity measures. From a purely financial standpoint, the cost of employing a fully managed, certified cybersecurity service provider is negligible – no more than a few hundred US dollars a month. This amount equates to the hourly billing rate of a single lawyer, yet it safeguards the entire law practice.

Managing partners must evaluate the catastrophic consequences of a data breach: lost data, disrupted operations, legal penalties, and irreparable damage to client trust. When compared to the minimal investment required for proper cybersecurity, the stark contrast is undeniable. It transcends mere financial implications; a firm’s reputation, painstakingly earned over decades, can be destroyed in a single, preventable incident.

Immediate action is imperative. Implement comprehensive cybersecurity measures now. Failing to do so is not only irresponsible but should be considered legally negligent. One day, it likely will be.

Law firms must recognise that cybersecurity is not just an IT issue but a fundamental component of their business operations. The legal profession has a responsibility to safeguard client information and maintain the trust placed in them. As custodians of highly sensitive data, law firms need to be at the forefront of implementing robust security measures.

The first step is to conduct a thorough assessment of the current security posture. This involves identifying potential vulnerabilities and understanding the risks specific to the firm. Once these risks are understood, firms can develop and implement a comprehensive cybersecurity strategy that addresses these vulnerabilities.

Building a culture of security within a law firm is crucial. This means that everyone, from senior partners to junior staff, must be aware of the importance of cybersecurity and their role in maintaining it. Regular training and awareness programmes can help instil this culture. Employees need to understand how to recognise potential threats, such as phishing emails, and know the proper protocols for reporting and responding to them.

Investing in the right technology and expertise is essential for maintaining a strong cybersecurity posture. This includes deploying advanced security technologies that can detect and respond to threats in real time. Additionally, law firms should consider partnering with cybersecurity experts who can provide guidance and support in managing their security infrastructure.

Regular security assessments and audits are also critical. These assessments can help identify any weaknesses in the security framework and provide recommendations for improvement. By continuously monitoring and updating their security measures, law firms can stay ahead of emerging threats.

Collaboration and information sharing are vital components of an effective cybersecurity strategy. Law firms should participate in industry forums and networks where they can share information about threats and best practices. Collaborating with other firms and organisations can provide valuable insights and help build a collective defence against cyber threats.

