Cyber (Information) security challenges that face Solicitors (and any other type of law firms)

With thanks to one of our highly experienced, Senior Security Consultants, Mark Jones…

istock_000011991144medium.jpgTraditionally in our experience law firms, such as solicitors, have relied on compliance with Lexcel regulations, and the Data Protection Act, to provide adequate security measures to combat threats from say typically malicious insiders or burglars to their attractive data and information databases. In these days of cyber-based threats these traditional defences are clearly inadequate to deal with far more complex and persistent threats posed by external individuals and groups (such as Serious and Organised Crime) that have far more capability and motivation than ever before out in the Internet. Perhaps this is due to increased (or in many cases new) connectivity of law firm systems to being online 24/7 to the outside world and the additional threats that it poses and typically no single individual within the business having responsibility for information security? It is certainly the case that attacks on law firms are on the increase including  for example, scam ‘mandate frauds’ where a fraudster impersonates a known contact, such as a bank or a client, and asking the law firm employee to change the sort code and account number, either for making a known payment (e.g. in a conveyancing transaction) or else, ‘to safeguard the client account against a fraud’. Monies will then leave the business account and go to an account controlled by the fraudster and the liability of the financial loss will normally be with the Solicitor say for authorising the changes[1].

Advent IM HMG accreditation concepts trainingThe need for robust and effective cyber security controls for small to medium sized business including legal firms has been recognised by Government’s National Cyber Security Strategy with their recent investment in a wide range of supporting measures, including:

  • A Cyber Incident Response (CIR) service – to provide help after the attack (and you will be attacked, not a question of if, but when);
  • Cyber Essentials – a cybersecurity assessment to provide assurances to other business stakeholders;
  • ICO’s IT Security Top Tips – to help ensure compliance with Principle 7 of the DPA98 in securing personal information; and
  • Government Guide – for small businesses ‘What you need to know about cybersecurity’.

Also, it is good to see that the Law Society itself has not been standing still and recognises the significant threats to its members with initiatives such as:

  • Cyber Security for Legal and Accountancy Professionals – a one hour online awareness course developed by the Government with the support of the Law Society and ICAEW; and
  • Law Society sponsorship to join the Cyber Security Information Sharing Partnership.

iStock_000014878772MediumAll of these initiatives and measures are good in increasing awareness of the risks that solicitors and other law firms face but at the same time the businesses themselves must think seriously about how they can continuously mitigate the increasing cyber threat by ensuring that they have implemented best security practices such as appointing senior management / partners with a specific responsibility for all security matters including the traditional physical and personnel measures but now expanded to include organisational, policy and procedures, IT operations and communications, 3rd party service providers, security incident management and more besides. Compliance with Cyber Essentials is a must for all businesses especially small businesses (for suppliers to Government it is mandatory) but for the medium-sized and above business it may be time for them to contemplate implementing a more robust and comprehensive information security management system or framework as provided by the International Standard Organisation’s ISO27001:2013. Law firms that Advent IM have engaged with to provide

quality standard

mentoring support, guidance and advice to eventual certification have acknowledged the competitive advantage it provides as currently there are not many law firms certified to the ISO. More importantly, Partners are re-assured that their business has now the correct Governance, Risk and Compliance (GRC) management processes in place to face the increasing and ever more dangerous threats from Cyber Crime. It is appreciated that many legal SMEs don’t have the necessary subject matter expertise within the practice and that is where Advent IM excel by providing that aspect and having worked with other law firms to understand their business practices and how better cyber security can support their legal business processes.

[1] Source: http://www.lawsociety.org.uk/News/Stories/scams-against-solicitors-met-police-offer-advice-and-support-on-fraud-prevention/

Advertisements

ICO “Sounds the alarm” over escalating levels of law firm data breach

istock_000011991144medium.jpgRather than issue financial  penalties, the Information Commissioners Office (ICO) has opted for a subtler approach to law firm data breach. The information watchdog has the power to issue fines of up to £500k for serious breaches of the Data Protection Act but has chosen instead to issue a warning and reminder to law firms instead. This ‘warning shot across the bows’ comes after fifteen breaches over three months from UK law firms.

MP900175622The ICO has had its fair share of criticism when it comes to issuing financial penalties; many of those critics site the bias toward public bodies that have been singled out for fines. But this is a clear warning that the ICO has the personal data handlers of all sectors in its sights and fifteen breaches in three months is surely a trend that needs halting immediately.

Without a doubt, some of the information collected, stored, managed and deleted by law firms has to be among the most sensitive and personal of all data. The need for solicitors and barristers to be paragons of data protection virtue is clear. We are experiencing rising levels of cybercrime, fraud and hacking but there is also increasing awareness of how to report it and businesses are now looking to the law to support them and gain legal redress when their own or their supply chain data is breached or hacked. So the implications are far reaching; not only from the perspective of the data subjects who may be breached by their solicitor’s information handling practices, but from the commercial considerations for solicitors. Not only could they be facing an eye-watering and potentially practice-closing fine, but even a smaller fine or ICO notified undertaking could result in loss of credibility and therefore business.

Advent IM Data Protection Consultants

Law firms need to up their Data Protection game, according to the ICO

SMEs and Security, Data Protection and the potential UK Impact

Data Source: Department for Business, Innovation & Skills

Data Source: Department for Business, Innovation & Skills

2013 Over the Shoulder

Time for a bit of a look back…sort of

The rise and rise of BYOD, the discovery that Ebay is not the appropriate place to divest yourself of NHS Patient data and the increase in malware and not just any malware – mobile malware. These were a few of my (least) favourite things of 2013.

It may seem churlish to poke a stick at the rise of the enormously populist BYOD but its actually connected to the concern around the rise of mobile malware. 2013 saw Blackberry drop off the business cliff and Android devices rise to start to fill the gap. According to the latest stats from Gartner 4 out of every 5 devices in the last quarter were Android powered (driven by growth in China). This proliferation has a knock on effect because this means more employees with be BYODing with Android devices and also more business are choosing them as their business issued device. At the same time, we are reading that Android devices are the top target for malware and malicious apps. I recently heard BYOD described as ‘anarchic chaos’. Let’s see what epithet we can come up with after another year of Android malware…

Looking at Ebay as the place to send your old drives full of (personal) data…hopefully everyone has learned some massive lessons from this incident in Surrey NHS and will be doing due diligence on whoever they procure/source to carry out the destruction of this kind of data in future. Remember, any organisation that has certified to a standard like ISO27001 will welcome an audit so they can prove to you how seriously they take IS processes. This can offer some kind of reassurance and form part of that due diligence.

‘Cyber’ has been a headline grabber all year for many different reasons. Some of the time has been related to the NSA and GCHQ revelations and so Cyber could also have meant privacy. Some of those headlines have related to Cyber Security and the Government commitment to getting UK PLC fully on board with knowledge, understanding and protection. Of course, “hacker” is another word rarely out of the headlines and previously on this blog I have taken issue with media use of both of these words. Largely because it can be misleading, I won’t bang on about it again and you can read the previous blog post if you choose. However, I do think that this continued laziness will encourage people to think that security is an IT issue and therefore, someone else’s problem as opposed to a business issue that needs to be addressed at C-Level.

Phishing and Spear Phishing continue to bleep away on every Security professional’s radar. Whilst scatter gun phishing may not be growing especially, its clear that targeted or spear phishing is increasing. This also relates to my previous point about ‘hacking’ and ‘cyber’ as frequently these can be pre-emptive strikes for a full on attack or part of a broader Social Engineering attack to facilitate or enable a hack or cyber attack. If you want to read more or hear more about that then you can read our posts here and see our presentation here.

The phishing issue is a serious business and employees need proper and regular training on what these attempts look like and how to deal with them. That is not just your standard phishing attempt from someone telling you your bank account is compromised (I had an amusing one recently from Honestly Barclays Security), but a sophisticated phish from soemone who has obtained your email address and is trying to pass themselves off as someone else in order to gain access of information. This requires bespoke training from an employer. Software or a firewall may not protect you from them…

Lastly how our physical world interacts with our cyberworld. 2013 saw Google Glass arrive and the invention of a whole new insult, Glassholes (not mine, don’t shoot the messenger). Some misgivings and some misunderstandings around Google Glass merely serve to remind us that though we are raising a generation that thinks nothing of handing over their privacy in order to get a free app or free wi-fi, there are still enough people concerned about the march of technology ahead of security to make pursuing secure progress worthwhile.

We also saw the mainstream expansion of household items that are web enabled and several furores over TVs that apparently spy on their owners. Add to the list fridges and cars for next year and lets see what else is either causing ‘spying’ headlines or is being hacked by cybercrims. In the business world, smart buildings with IP security and building management systems are becoming increasingly aware of the threat from cyberspace. You can watch our presentation on the topic here. You will need sound. Making sure we buy secure security systems sounds mad, but actually it isn’t happening enough. These systems are sat on networks, needing firewalls and patching and anti virus just like our other systems. We cannot assume because a system is a security system then it is inherently secure.

Remember, everyone in an organisation is part of that organisations’ security. An information asset might be an email or electronic document, but it might also be a fax, a cardboard file,a piece of paper or an overheard conversation about intellectual property. They all have to be protected and a firewall isnt going to cover it all.

No doubt we will have some predictions for 2014 soon….