With thanks to one of our highly experienced Senior Security Consultants, Mark Jones…
Traditionally, in our experience, law firms such as solicitors have relied on compliance with Lexcel regulations and the Data Protection Act to provide adequate security measures against the typical threats to their attractive data and information databases, namely malicious insiders and burglars. In these days of cyber-based threats, these traditional defences are clearly inadequate against the far more complex and persistent threats posed by external individuals and groups on the Internet (such as Serious and Organised Crime) that have far more capability and motivation than ever before. Perhaps this is due to the increased (or in many cases new) connectivity of law firm systems, now online 24/7 to the outside world with the additional threats that brings, and to the fact that typically no single individual within the business has responsibility for information security?

It is certainly the case that attacks on law firms are on the increase, including, for example, scam ‘mandate frauds’: a fraudster impersonates a known contact, such as a bank or a client, and asks the law firm employee to change the sort code and account number, either for a known payment (e.g. in a conveyancing transaction) or else ‘to safeguard the client account against a fraud’. Monies then leave the business account for an account controlled by the fraudster, and liability for the financial loss will normally rest with the solicitor for having authorised the changes.
The need for robust and effective cyber security controls for small and medium-sized businesses, including legal firms, has been recognised in the Government’s National Cyber Security Strategy, with recent investment in a wide range of supporting measures, including:
- A Cyber Incident Response (CIR) service – to provide help after an attack (and you will be attacked; it is not a question of if, but when);
- Cyber Essentials – a cybersecurity assessment to provide assurances to other business stakeholders;
- ICO’s IT Security Top Tips – to help ensure compliance with Principle 7 of the DPA98 in securing personal information; and
- Government Guide for small businesses – ‘What you need to know about cybersecurity’.
Also, it is good to see that the Law Society itself has not been standing still and recognises the significant threats to its members, with initiatives such as:
- Cyber Security for Legal and Accountancy Professionals – a one-hour online awareness course developed by the Government with the support of the Law Society and ICAEW; and
- Law Society sponsorship to join the Cyber Security Information Sharing Partnership.
All of these initiatives and measures are good for increasing awareness of the risks that solicitors and other law firms face. At the same time, the businesses themselves must think seriously about how they can continuously mitigate the increasing cyber threat by implementing best security practices. This starts with appointing senior management or partners with specific responsibility for all security matters: the traditional physical and personnel measures, now expanded to include organisational policy and procedures, IT operations and communications, third-party service providers, security incident management and more besides.

Compliance with Cyber Essentials is a must for all businesses, especially small businesses (for suppliers to Government it is mandatory), but for medium-sized and larger businesses it may be time to contemplate implementing a more robust and comprehensive information security management system or framework, as provided by the International Organization for Standardization’s ISO 27001:2013. Law firms that Advent IM have engaged with, providing mentoring support, guidance and advice through to eventual certification, have acknowledged the competitive advantage it provides, as currently there are not many law firms certified to the standard. More importantly, Partners are reassured that their business now has the correct Governance, Risk and Compliance (GRC) management processes in place to face the increasing and ever more dangerous threats from cyber crime. It is appreciated that many legal SMEs do not have the necessary subject matter expertise within the practice, and that is where Advent IM excels: providing that expertise, and having worked with other law firms to understand their business practices and how better cyber security can support their legal business processes.