Cyber (Information) security challenges that face Solicitors (and any other type of law firms)

With thanks to one of our highly experienced, Senior Security Consultants, Mark Jones…

Traditionally, in our experience, law firms such as solicitors have relied on compliance with Lexcel regulations and the Data Protection Act to provide adequate security measures against threats to their attractive data and information databases, typically from malicious insiders or burglars. In these days of cyber-based threats those traditional defences are clearly inadequate against the far more complex and persistent threats posed by external individuals and groups (such as Serious and Organised Crime), who have far more capability and motivation than ever before out on the Internet. Perhaps this is due to the increased (or in many cases new) connectivity of law firm systems, now online 24/7 to the outside world with the additional threats that brings, and to the fact that typically no single individual within the business has responsibility for information security? It is certainly the case that attacks on law firms are on the increase, including for example scam ‘mandate frauds’, where a fraudster impersonates a known contact, such as a bank or a client, and asks the law firm employee to change the sort code and account number, either for making a known payment (e.g. in a conveyancing transaction) or else ‘to safeguard the client account against a fraud’. Monies then leave the business account for an account controlled by the fraudster, and liability for the financial loss will normally rest with the Solicitor for authorising the changes[1].
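The mandate fraud described above turns on a single decision: whether a requested change to a payee's bank details is applied on the strength of the message that carries it. The following is an added example (not code from this post or from Advent IM) of the call-back control commonly used against it: a change request is never applied directly, it is held until confirmed by calling the contact number already held on file for that payee, and a number supplied inside the request is never used for that call. Payee records, phone numbers and the sample request are constructed for illustration.

```python
"""Hold-and-verify control for payee bank-detail change requests.

Added example, not code from the original post. All payee records, phone
numbers and requests in this file are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SORT_CODE_RE = re.compile(r"^\d{2}-\d{2}-\d{2}$")   # UK sort code, e.g. 12-34-56
ACCOUNT_RE = re.compile(r"^\d{8}$")                 # UK account number, 8 digits


@dataclass(frozen=True)
class PayeeRecord:
    """Bank details and contact number captured when the payee was onboarded."""
    name: str
    sort_code: str
    account_number: str
    phone_on_file: str


@dataclass(frozen=True)
class ChangeRequest:
    """An incoming instruction to change where payments to a payee are sent."""
    payee: str
    new_sort_code: str
    new_account_number: str
    channel: str                                # "email", "phone" or "letter"
    callback_number_in_request: Optional[str] = None


def evaluate(req: ChangeRequest, records: Dict[str, PayeeRecord]) -> Tuple[str, List[str]]:
    """Classify a change request as 'reject', 'no-change' or 'hold'.

    'hold' means the change must not be applied until confirm_change() has
    been satisfied; the reasons list tells the operator what to do next.
    """
    record = records.get(req.payee)
    if record is None:
        return "reject", ["payee not found in client records"]
    if not SORT_CODE_RE.match(req.new_sort_code) or not ACCOUNT_RE.match(req.new_account_number):
        return "reject", ["bank details are not in a valid UK format"]
    if (req.new_sort_code, req.new_account_number) == (record.sort_code, record.account_number):
        return "no-change", ["requested details match those already on file"]

    reasons = [
        "bank details differ from those on file; hold pending call-back",
        f"verify by calling the number on file for {record.name}: {record.phone_on_file}",
    ]
    if req.callback_number_in_request and req.callback_number_in_request != record.phone_on_file:
        reasons.append("request supplies a different call-back number; do not use it")
    if req.channel == "email":
        reasons.append("instruction arrived by email; treat the sender address as unverified")
    return "hold", reasons


def confirm_change(req: ChangeRequest, records: Dict[str, PayeeRecord], number_called: str) -> bool:
    """Release a held change only if verification used the number on file."""
    record = records.get(req.payee)
    if record is None:
        return False
    decision, _ = evaluate(req, records)
    return decision == "hold" and number_called == record.phone_on_file


# Constructed sample data: one payee on file and one emailed change request
# that also offers its own "call me back on this number" contact.
RECORDS = {
    "Acme Conveyancing Ltd": PayeeRecord(
        "Acme Conveyancing Ltd", "12-34-56", "12345678", "01234 567890"
    ),
}

SAMPLE_REQUEST = ChangeRequest(
    payee="Acme Conveyancing Ltd",
    new_sort_code="65-43-21",
    new_account_number="87654321",
    channel="email",
    callback_number_in_request="07700 900123",   # supplied by the requester, not on file
)

if __name__ == "__main__":
    decision, why = evaluate(SAMPLE_REQUEST, RECORDS)
    print(decision)
    for line in why:
        print(" -", line)
```

The point of keeping `confirm_change` separate from `evaluate` is that the person who receives the request cannot release it by themselves: the release requires the number actually dialled, and it only succeeds when that number is the one on file, so a fraudster's "new" contact number in the email never satisfies the check.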

The need for robust and effective cyber security controls for small to medium sized businesses, including legal firms, has been recognised by the Government’s National Cyber Security Strategy, with its recent investment in a wide range of supporting measures, including:

  • A Cyber Incident Response (CIR) service – to provide help after the attack (and you will be attacked, not a question of if, but when);
  • Cyber Essentials – a cybersecurity assessment to provide assurances to other business stakeholders;
  • ICO’s IT Security Top Tips – to help ensure compliance with Principle 7 of the DPA98 in securing personal information; and
  • Government Guide – for small businesses ‘What you need to know about cybersecurity’.

Also, it is good to see that the Law Society itself has not been standing still and recognises the significant threats to its members with initiatives such as:

  • Cyber Security for Legal and Accountancy Professionals – a one hour online awareness course developed by the Government with the support of the Law Society and ICAEW; and
  • Law Society sponsorship to join the Cyber Security Information Sharing Partnership.

All of these initiatives and measures are good in increasing awareness of the risks that solicitors and other law firms face, but at the same time the businesses themselves must think seriously about how they can continuously mitigate the increasing cyber threat by implementing best security practices, such as appointing senior management or partners with specific responsibility for all security matters: the traditional physical and personnel measures, now expanded to include organisational policy and procedures, IT operations and communications, third-party service providers, security incident management and more besides. Compliance with Cyber Essentials is a must for all businesses, especially small businesses (for suppliers to Government it is mandatory), but for medium-sized and larger businesses it may be time to contemplate implementing a more robust and comprehensive information security management system or framework, as provided by the International Organization for Standardization’s ISO 27001:2013. Law firms that Advent IM have engaged with to provide mentoring support, guidance and advice through to eventual certification have acknowledged the competitive advantage it provides, as currently there are not many law firms certified to the ISO standard. More importantly, Partners are reassured that their business now has the correct Governance, Risk and Compliance (GRC) management processes in place to face the increasing and ever more dangerous threats from cyber crime. It is appreciated that many legal SMEs don’t have the necessary subject matter expertise within the practice, and that is where Advent IM excel: by providing that expertise, and by having worked with other law firms to understand their business practices and how better cyber security can support their legal business processes.

[1] Source:

SMEs and Security, Data Protection and the potential UK Impact

[Figure: Cloud: 60% believe their cloud provider is responsible for sensitive or confidential data security. Data source: Department for Business, Innovation & Skills; Advent IM Cloud Risk 2013, Ponemon data]

Advent IM Security joins the Government’s Procurement Framework -G-Cloud.

Advent IM – now available to procure directly via G-Cloud

Advent IM Ltd is pleased to announce its inclusion on the Government’s Cloud Store – G-Cloud. This is the newest Government Procurement Framework and gives the public sector access to highly discounted and exclusive Government framework pricing. This means confident procurement and avoids the need for expensive tendering, whilst offering reassurance that procurement rules and guidelines are being met. It also offers the private sector an easier route to working with public bodies.

Advent IM has a lengthy track record as a Security Consultancy for public bodies and Her Majesty’s Government. The Advent IM Catalogue on G-Cloud shows the full range of services available to both public and private sector organisations. G-Cloud is designed to make it easier and faster for public bodies and departments to procure directly, and that now includes expert Security Consultancy from the team of specialists at Advent IM, without the convolutions and cost that the tender process can sometimes entail.

Advent IM consultants also work closely and very successfully with the private sector. This framework is a vehicle for the private sector to work with HMG more easily, especially small businesses for which the process of tendering may have been prohibitive. The incentive for the private sector is clear; however, there will be certain standards of security practice expected of them and their systems in order to be accepted onto the G-Cloud. Advent IM can offer expert assistance and support to those private sector businesses seeking entry onto this framework, whether that be training, accreditation, Cyber Security and Information Assurance or a host of other areas that need to be considered for G-Cloud.

“We are delighted to have been selected as a G-Cloud supplier. Although we have had an excellent relationship with the public sector over many years, this marks the start of a direct procurement communications path between Advent IM and potential new clients. It opens doors that were previously not available to us and we look forward to the framework fulfilling its promise of quicker and smoother purchasing processes for public bodies. We also relish the opportunity to help more organisations become G-Cloud suppliers themselves by sharpening their security practices and gaining access to public sector work they were previously unable to tender for.” – Julia McCarron, Advent IM Operations Director

If you are a public body and are interested in procuring security consultancy direct, you can search us here.

Guest post from Darlingtons Solicitors: Holistic and practical approach to business risks is best

We would like to thank Darlingtons for this guest post on a business imperative. It’s always reassuring to have a legal perspective on Security.

“As a law firm offering specialist advice in areas including employment law and fraud, at Darlingtons Solicitors, we see on a day to day basis the impact of legal and security threats which turn into issues causing at best, significant damage, in financial and other terms to a business, and at worst, which can literally put a business out of business.

In our experience, all clients, big or small, do have a sense of threats to their businesses, internal and external, but many tend to somehow try and put these to the back of their mind, and this ties in with the general problem both legal and security professionals face – we are not selling something which clients see as a clear benefit to their business.

Benefit has a traditional sense of a positive outcome, generally financial, and in that sense, preventing damage does not fit with the traditional sense of the word. However, when thinking of bottom line figures, preventing or mitigating losses does have a real impact on any business.

Failing to advise is failing a client

Accepting as a starting point that pushing an argument, however correct, too hard on the lines of “failing to plan is planning to fail” will be unlikely to result in a client handing over a blank cheque to either lawyers or security consultants, what perhaps differentiates the better companies is an ability to understand proportionate threats, limited budgets and to provide advice to clients tailored for that client and based on experience.

Take data protection as an example. Most businesses know that there are laws about data protection, most also understand that their business data, client lists, product information, suppliers and other data are a critical part of their business, but a smaller business with a limited budget may not know which are the biggest threats and what options there are which they may be able to afford to limit the potential damage that could be caused by doing nothing.

It makes sense for professionals to work together when advising clients on risk prevention, something which lawyers should frankly embrace more than most have in the past.

For example, it is all very well advising a client that they need a data protection policy, a social media policy, a contract of employment with strong restrictive covenants and so on, but ultimately, these are pieces of paper. A determined, desperate or foolhardy employee intent on stealing business or vindictive damage on an employer may not even care whether they get sued later and are quite possibly not worth suing.

However, if lawyers work closely with security professionals, the legal paperwork can more easily dovetail with practical safeguards which may prevent loss, such as IT security controls.

In turn, security professionals need to take on board legal issues, such as, for example, where a business decides to monitor its employees’ online activities. In that situation, serious legal consequences would result if the business does not advise the employees it is monitoring them, which can be criminal as well as civil.

Solution?

In our experience and view, the best approach to legal and security threats, particularly for small businesses, is to consider seriously an annual security and legal audit. Progressive law firms and security companies are now offering these at low cost or in some cases even free. A composite report, identifying threats based on risk level and potential ramifications, both legal and practical, presenting the commercial and legal argument for taking action, based on priority and cost, is a reasoned, proportionate method and good business sense.

For further advice or assistance on legal risks, legal problems you currently have or to discuss a legal audit, we would be happy to assist, please get in touch.” – Darlingtons Solicitors.

And if you need support, consultation or mentoring with Data Protection or Information Security including ISO27001, contact Advent IM

Data Protection: A Necessity, Not An Option

We are delighted to have a guest post from Peter Harthan of Riverview Solicitors

The news that the Information Commissioner’s Office (ICO) has served its highest-ever civil monetary penalty (CMP) is the starkest warning yet of how severely it will punish businesses who fail to take their data protection responsibilities seriously.

The ICO’s penalty of £325,000 on Brighton and Sussex University Hospitals NHS Trust for what it describes as a serious breach of the Data Protection Act follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV – on hard drives sold on an internet auction site in 2010.

The Trust plans to appeal the decision but it is a timely reminder that complying with the Data Protection Act is not optional. If you’re ever unsure of your responsibilities then consult your solicitor or even seek advice from the ICO.

Believe it or not, the ICO aren’t here just to investigate and punish businesses when things go wrong. They also offer invaluable ways to help businesses improve their processing of personal data with audits – aimed at larger businesses that are likely to have a basic understanding of the Act but would benefit from some assistance in meeting their obligations. While for small to medium sized businesses who may be struggling to understand what they need to do about data protection and need some practical advice, they offer advisory visits. Both audits and advisory visits are free and more information is available on the ICO website.

In the meantime, remember these six best practice tips for handling personal data:

Carry out a risk assessment


Carry out a risk assessment to identify the areas where the data held by the business may be at risk.

You’ll need to think about issues such as:

  • Physical risks, for example, damage to data or systems caused by fire, theft or vandalism; and
  • The potential impact of human error, such as the careless disposal of data by your staff.

Consider not only information which is held on the business premises, but also any that is taken off-site, such as on staff laptops. Don’t overlook data which is handled elsewhere by a third party, for example outsourced to a payroll administrator.

Draw up a data handling policy

Ensure that you have a written policy for staff regarding data handling, so that they are aware of the Data Protection Act 1998 (the Act) and how its requirements affect their daily working practices. Staff awareness and training are key to ensuring compliance with the Act.

Your data handling policy should cover issues such as:

  • which staff members have access to particular kinds of information;
  • whether that information is password-protected, or in the case of physical data such as files, whether they are kept in a locked cabinet;
  • whether data held on your systems is encrypted or protected by other means such as a firewall or anti-virus software; and
  • the way in which data is securely disposed of.

Put in place a business continuity plan

You should put in place a business continuity or contingency plan that your staff can follow if disaster strikes and you suffer a serious loss of data. This should be reviewed and updated on a regular basis to ensure that it remains adequate to meet the changing requirements of the business and its operations, and the evolving risks to which it is exposed.

The contingency plan should identify the business functions and assets (including personal information) that would need to be maintained in the event of a disaster, and set out the procedures for protecting and restoring them if necessary.

Keep up-to-date

The BS ISO/IEC 27001 Standard is the de facto international Standard on information security and a useful source of information on good practice for data security, although it’s not in itself a legal requirement. It offers a business-led approach to best security practice and provides a framework to implement and maintain effective security within a business.

The Information Commissioner’s Office (ICO) has also published guidance on good practice in relation to data security, and a note on encryption which you can find on their website. In relation to encryption, the ICO recommends that any portable and mobile devices including magnetic media, which are used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.

Monitor external data processors

The Act requires businesses or ‘data controllers’ to ensure that there are adequate safeguards in place regarding any processing that is carried out on their behalf by external, third party, data processors – for example, outsourced functions such as HR administration.

As a business you should take care when selecting a third party processor:

  • choose a data processor which provides sufficient guarantees with regard to its technical and organisational security measures;
  • take reasonable steps to ensure that the data processor complies with these measures; and
  • ensure that the processing takes place under a written contract which stipulates that the processor will act only on your instructions, and that they will have security measures in place that ensure compliance with the seventh data protection principle and the Act generally.

Review your security arrangements

You must notify the ICO if you process personal data of any kind, unless you are exempt from doing so. Failure to notify is a criminal offence.

When completing a notification form, you will be asked to give a general description of the measures you are taking to protect the personal information the business deals with. Use this as an opportunity to review the adequacy of the safeguards you have in place and consider whether more needs to be done in order to comply with your obligations under the Act.

If you would like further information about data protection and other legal matters, register for free on the Riverview Law website for access to over 650 plain English advice pages and over 450 documents, letters and templates.
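The risk assessment the guest post asks for, worked through as an added example (not code from the post, from Riverview or from Advent IM): a risk register that scores each threat as likelihood × impact on five-point scales and flags the cases the post singles out, namely data taken off-site, data handled by a third-party processor and, following the ICO encryption note, a portable device holding personal data without encryption. The scales, the assets and the threats are constructed for illustration; a real assessment would use the firm's own inventory.

```python
"""Risk register for a data-protection risk assessment.

Added example, not part of the Riverview guest post. Scales, assets and
threats are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Five-point scales; the score is likelihood x impact (1..25).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LOCATIONS = ("on-site", "off-site", "third-party")


@dataclass(frozen=True)
class Asset:
    name: str
    personal_data: bool      # holds personal data in the Data Protection Act sense
    location: str            # one of LOCATIONS
    portable: bool = False   # laptop, USB stick, backup tape, ...
    encrypted: bool = False


@dataclass(frozen=True)
class Threat:
    asset: Asset
    description: str
    likelihood: str          # key of LIKELIHOOD
    impact: str              # key of IMPACT


@dataclass
class RiskEntry:
    asset: str
    threat: str
    score: int
    flags: List[str] = field(default_factory=list)


def assess(threats: List[Threat]) -> List[RiskEntry]:
    """Score every threat and flag the cases the post asks you not to overlook."""
    entries: List[RiskEntry] = []
    for t in threats:
        if t.likelihood not in LIKELIHOOD or t.impact not in IMPACT:
            raise ValueError(f"unknown rating on {t.asset.name!r}: {t.likelihood!r}/{t.impact!r}")
        if t.asset.location not in LOCATIONS:
            raise ValueError(f"unknown location {t.asset.location!r} for {t.asset.name!r}")
        entry = RiskEntry(t.asset.name, t.description, LIKELIHOOD[t.likelihood] * IMPACT[t.impact])
        if t.asset.location == "third-party":
            entry.flags.append("processed by a third party: check contract and security measures")
        elif t.asset.location == "off-site":
            entry.flags.append("data leaves the premises")
        if t.asset.personal_data and t.asset.portable and not t.asset.encrypted:
            entry.flags.append("unencrypted portable device holding personal data")
        entries.append(entry)
    # Highest score first; among equal scores, the entry with more flags first.
    entries.sort(key=lambda e: (-e.score, -len(e.flags), e.asset))
    return entries


def above_threshold(entries: List[RiskEntry], threshold: int = 10) -> List[RiskEntry]:
    """The entries that need treatment now rather than at the next review."""
    return [e for e in entries if e.score >= threshold]


def sample_threats() -> List[Threat]:
    """Constructed inventory covering on-site, off-site and third-party data."""
    laptop = Asset("fee-earner laptop", True, "off-site", portable=True, encrypted=False)
    server = Asset("office file server", True, "on-site")
    payroll = Asset("payroll records at outsourced provider", True, "third-party")
    files = Asset("paper client files", True, "on-site")
    return [
        Threat(laptop, "theft of laptop from car", "possible", "major"),          # 3 x 4 = 12
        Threat(server, "fire in server room", "rare", "severe"),                  # 1 x 5 = 5
        Threat(payroll, "breach at the provider", "unlikely", "major"),           # 2 x 4 = 8
        Threat(files, "careless disposal of files by staff", "likely", "moderate"),  # 4 x 3 = 12
    ]


if __name__ == "__main__":
    for e in assess(sample_threats()):
        print(f"{e.score:>2}  {e.asset}: {e.threat}")
        for flag in e.flags:
            print("      !", flag)
```

Two threats tie on score here; the register puts the unencrypted off-site laptop ahead of the paper files because it carries two of the post's flags, which is the practical ordering when budget only stretches to one control this quarter.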


Sincere thanks to Peter and Riverview for this valuable input.

For consultancy on Data Protection or Business Continuity, and for either accreditation or help with compliance with ISO 27001, you can talk to Advent IM. We take a risk-based holistic approach to Security.