In the legal world, when a client shares confidential information with a lawyer, the client can rest easy in the knowledge that this information will be protected.

Legal professional privilege protects confidential communications and documents shared between a lawyer and client.

If a lawyer breaches this confidentiality without the client’s permission, they may be liable for a breach of contract and could face ramifications.

But what happens if this sensitive information falls into the hands of someone else?

When it comes to cyber security, that someone could be a penetration tester – employed to “ethically” hack a system to find unknown vulnerabilities.

If a law firm hires a penetration tester, there’s a risk that information protected under professional privilege may be exposed as part of the testing.

Is this something that then needs to be disclosed to the client? Does the penetration tester now have a duty to protect the confidentiality of this information?

These are the kinds of questions that Georg Thomas grapples with daily.

Based in Melbourne, Thomas is the National Security & Risk Manager at commercial law firm Corrs Chambers Westgarth.

Speaking with Information Age, he broke down this ethical question piece by piece.

“Maintaining client legal privilege is extremely important and it’s what clients expect,” he says about this ethical issue.

“Law firms handle a lot of sensitive information, and it is of the utmost importance that the confidentiality of their clients is maintained.”

Experience in the field

Having worked in penetration testing earlier in his career, both as a tester and a manager, Thomas understands that sometimes you might gain access to something that is not for your eyes.

From there it comes down to good management, he says.

“A penetration tester may inadvertently gain access to such [sensitive] information and it really comes down to how that is then handled and what controls are in place to deal with those scenarios.

“For example, before the engagement commences, it’s fundamental to ensure a non-disclosure agreement has been executed. Testers must also be required to immediately notify the firm if they gain access to anything that is potentially sensitive.”

But handling data that is not your own is becoming increasingly complicated and regulated.

Recent law and regulation changes, such as the Notifiable Data Breaches scheme and EU General Data Protection Regulation (GDPR), require an organisation to know where its data is and how it is being used.

As well as facing such issues at a professional level, Thomas also has an academic perspective on the topic.

Thomas is currently completing a PhD through Charles Sturt University. His thesis looks at the issue of professionalism and ethical hacking in law firms, and as part of his research he is speaking with relevant professionals.

“We’ve had discussions about what the requirements of penetration testing are, should be, and whether disclosure is required,” he noted.

“From a client perspective it comes down to the age-old question of: ‘what comes first? The chicken or the egg?’

“There's the expectation that a firm is doing its due diligence, conducting security reviews, and getting the appropriate tests done to help provide some level of assurance that its security is adequate.

“On the flip side, there may be a requirement to notify in the potential event of disclosure.

“Solid vetting of the security professionals themselves, appropriate contractual requirements, and also making sure that scoping of engagements is undertaken to ensure that anything that is sensitive is excluded from the engagement is key.”

Security on Wall Street

Thomas’s current role with Corrs Chambers Westgarth has him assessing information security risks at the leading independent Australian law firm.

He explains that this largely involves broadening security approaches beyond a technical focus.

Having only recently returned to Melbourne, Thomas says it was four years in New York that showed him the high stakes of cyber security.

Beginning his security role as Director, Information Security Management at technology consultancy firm Kraft & Kennedy in 2013, he arrived in New York just in time for one of the most significant breaches ever seen.

“I think the JP Morgan breach for me was the breach that really stood out,” he says about the 2014 attack that was believed to have compromised data from 76 million households.

“Because at the time that I moved to the US, I was consulting to law firms, and a lot of the financial institutions had started to really focus on supply chain management. These financial institutions were starting to conduct thorough risk assessments against their third parties, something that we are now starting to see more of here.

“I had actually been engaged by a lot of firms in the US to assist them with these overwhelming [compliance] questionnaires and it became fairly evident at that stage that there was a lot of work to be done in that area.”

Think like a hacker

Following his law firm consultancy work with Kraft & Kennedy, Thomas changed beats in 2015 when he joined leading tax and advisory firm Grant Thornton in a role that saw him consulting to SEC-regulated companies and Fortune 500 companies.

It was in this role where he led a team of ethical hackers to test the security controls of these colossal companies.

And the experience of replicating the mindset of a hacker has been invaluable, he says.

“It helped me understand how a hacker thinks,” he explains.

“When you understand that technical level of detail – ‘if I want to get from point A to my target at point B, how am I to go about doing that? I need to consider what security controls are in place and how to get around them, as well as what systems I can exploit to meet my objective’ – that knowledge helps me identify vulnerabilities and risk areas that I can then work to remediate.

“I think it has been invaluable having that very deep technical background in the security field.”

Then versus now

With law firms, financial institutions and tax advisories all in his repertoire, Thomas has spent much of his career working in industries with clients that can’t afford to be breached.

And through this career he has seen dramatic change in the cyber security industry and in the attitude of his clients.

“It's chalk and cheese,” he says about then versus now.

“Where they are now is far more advanced than they were four or five years ago.

“I wonder whether a lot of that change had been client driven. That’s certainly been my experience – that the clients have helped drive change in security culture in many instances.

“As I observed in the US when I was there, we are starting to see an increase here from clients to complete security assessments so they can validate that everyone in their supply chain has an appropriate level of security controls.”

He also believes we are on the verge of an industry-wide change when it comes to management.

With the focus now broadening beyond purely technology security and risk, security managers will take on further responsibility.

“I think in the next probably six to 36 months, we're going to start seeing the CISO (Chief Information Security Officer) role transitioning to CSO (Chief Security Officer),” he says.

“Security executives and managers are now not solely focused on technology security, but are branching outside that and becoming more generalist.

“It has already started happening, but I think we are going to see an increase in that the focus isn't just on information security; it's on security in general.

“It's a big job, but someone has to do it. I think that it's going to really benefit the security of an organization with this much broader view.”

Georg Thomas is an ACS Certified Professional (Cyber Security).

In our CYBER EXPERTS SERIES, Information Age talks to cyber security leaders across Australia and beyond about the biggest threats facing the industry, how they got into cyber security, and what keeps them up at night.