Lexcel – Resurrections and Second Comings

Lexcel and ISO27001 still enjoy a good relationship. Here, Advent IM Security Consultant, Steve Foley, has a look at the updated Lexcel…

A number of years ago a colleague published a blog post addressing the ‘rumoured’ death of Lexcel. The title of that piece was a little tongue in cheek, as the content actually pointed to the continued increase in uptake of the accreditation within legal practices. Looking at the present day, figures published by the Solicitors Regulation Authority and the Law Society suggest that of the 10,393 law firms registered in England and Wales (May 2018), 1,732, some 16 percent, are accredited to the Lexcel standard. As information security consultancy is one of our core business deliverables, the blog went on to cover the correlation between that quality management standard and how it mapped across to a number of clauses within the globally recognised ISO/IEC 27001 Information Security Management System standard.
Well, here we are in July 2018 and the latest Lexcel Quality Management System publication has arrived, allowing firms to consider and manage the impact of the following regulations and Act upon their business:
• The General Data Protection Regulation (Regulation (EU) 2016/679);
• The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017;
• The European Union Financial Sanctions (Amendment of Information Provisions) Regulations 2017; and
• The Criminal Finances Act 2017.
Although the standard launched last month, members of the Law Society applying for initial accreditation or re-accreditation will not be assessed against the new standard until November of this year, to allow time for policies to be updated and embedded within organisational business as usual.
Certification to recognised standards is becoming increasingly relevant to service providers as organisations look to outsource more and more of their business. As part of due diligence and adherence to relevant regulation, the level of assurance that certification can provide certainly becomes a business enabler in assisting the tender process.
Also, customers are now savvier in regard to data privacy regulation following the introduction of GDPR this May, the increase in (and reporting of) data breaches throughout large organisations, and the no doubt soon to follow headline-grabbing data breach fines somewhere in the EU. This will no doubt have an impact on which organisations the more astute choose to do business with.
On the subject of GDPR, or more appropriately its UK implementation, the Data Protection Act 2018, the application of a management system will help address a number of the articles contained within it and will demonstrate a strong attitude to data privacy, information security and the continual improvement of those areas, which in turn helps organisations comply with such legislation and reduces the threat of an incredibly hefty monetary penalty from the ICO.
Whilst they do not marry up entirely, a large number of the requirements of Lexcel do map to ISO/IEC 27001. This relationship between the two standards will be strengthened later this year with the introduction of ISO/IEC 27552, an enhancement to ISO/IEC 27001 for privacy management.
The overall takeaway is to choose a suitable standard to certify against, as the benefits must be considered to outweigh the risk of having nothing in place. Demonstrably setting your organisation apart from other legal practices within the country, showing that the sensitive nature of the data you hold is recognised and that you treat it safely and securely, and being certified to a recognised standard will allow you to tender for numerous contracts where certification is a prerequisite.


Cyber (Information) security challenges that face Solicitors (and any other type of law firms)

With thanks to one of our highly experienced, Senior Security Consultants, Mark Jones…

Traditionally, in our experience, law firms such as solicitors have relied on compliance with Lexcel regulations and the Data Protection Act to provide adequate security measures to combat threats to their attractive data and information databases from, say, typically malicious insiders or burglars. In these days of cyber-based threats these traditional defences are clearly inadequate to deal with the far more complex and persistent threats posed by external individuals and groups (such as serious and organised crime) that have far more capability and motivation than ever before out on the Internet. Perhaps this is due to the increased (or in many cases new) connectivity of law firm systems, being online 24/7 to the outside world, the additional threats that poses, and typically no single individual within the business having responsibility for information security. It is certainly the case that attacks on law firms are on the increase, including for example scam ‘mandate frauds’, where a fraudster impersonates a known contact, such as a bank or a client, and asks the law firm employee to change the sort code and account number, either for making a known payment (e.g. in a conveyancing transaction) or else ‘to safeguard the client account against a fraud’. Monies will then leave the business account and go to an account controlled by the fraudster, and the liability for the financial loss will normally lie with the solicitor for authorising the changes[1].

The need for robust and effective cyber security controls for small to medium sized businesses, including legal firms, has been recognised by the Government’s National Cyber Security Strategy, with its recent investment in a wide range of supporting measures, including:

  • A Cyber Incident Response (CIR) service – to provide help after an attack (and you will be attacked; it is not a question of if, but when);
  • Cyber Essentials – a cybersecurity assessment to provide assurances to other business stakeholders;
  • ICO’s IT Security Top Tips – to help ensure compliance with Principle 7 of the DPA98 in securing personal information; and
  • Government Guide – for small businesses ‘What you need to know about cybersecurity’.

Also, it is good to see that the Law Society itself has not been standing still and recognises the significant threats to its members with initiatives such as:

  • Cyber Security for Legal and Accountancy Professionals – a one hour online awareness course developed by the Government with the support of the Law Society and ICAEW; and
  • Law Society sponsorship to join the Cyber Security Information Sharing Partnership.

All of these initiatives and measures are good in increasing awareness of the risks that solicitors and other law firms face, but at the same time the businesses themselves must think seriously about how they can continuously mitigate the increasing cyber threat by ensuring that they have implemented best security practices, such as appointing senior management / partners with a specific responsibility for all security matters, including the traditional physical and personnel measures but now expanded to include organisational policy and procedures, IT operations and communications, third-party service providers, security incident management and more besides. Compliance with Cyber Essentials is a must for all businesses, especially small businesses (for suppliers to Government it is mandatory), but for the medium-sized and above business it may be time to contemplate implementing a more robust and comprehensive information security management system or framework, as provided by the International Organization for Standardization’s ISO 27001:2013. Law firms that Advent IM have engaged with to provide mentoring support, guidance and advice through to eventual certification have acknowledged the competitive advantage it provides, as currently there are not many law firms certified to the ISO standard. More importantly, partners are reassured that their business now has the correct Governance, Risk and Compliance (GRC) management processes in place to face the increasing and ever more dangerous threats from cyber crime. It is appreciated that many legal SMEs don’t have the necessary subject matter expertise within the practice, and that is where Advent IM excel, by providing that expertise and having worked with other law firms to understand their business practices and how better cyber security can support their legal business processes.

[1] Source: http://www.lawsociety.org.uk/News/Stories/scams-against-solicitors-met-police-offer-advice-and-support-on-fraud-prevention/

No more Safe Harbour… or Harbor

The European Court of Justice has ruled that the transatlantic data sharing agreement is invalid. What does this mean for UK businesses that utilise US datacentres or cloud services?

Advent IM Director Mike Gillespie: “There are issues arising from this ruling that require the urgent attention of UK businesses and they need to be aware of the legislative implications of how they plan to store and manage data.”

For some time now, hosting companies, system support and system management companies, contact centres and most recently cloud providers have been selling their services, some or all of which reside in the US, into the EU. These companies have consistently cited Safe Harbor as the assurance that EU citizen data would be afforded the commensurate level of protection that it would receive from an EU/EEA member state.

The inception of Safe Harbor predates the US Patriot Act, legislation which, many people feel, made a nonsense of Safe Harbor. This has been widely documented and discussed by data protection practitioners for some time now and, whilst there have been ongoing negotiations, the European Commission appears to have made little progress. Meanwhile, any EU citizen data resident on US servers remained vulnerable to release to US authorities.

In one fell and rather final swoop, the Court removed the blanket approval for data transfers to the US. This now allows for individual national Data Protection Authorities (ICO in UK) to scrutinise any proposed transfers to ensure that transfers guarantee the rights to privacy and freedom from surveillance afforded each of us by the Charter.

Of course, one way to attempt to get round the issue could be by following the EU Model Clauses route, an option often deployed in the past by organisations wanting to transfer data to, or allow data processing in, non-EEA or other trustworthy countries, e.g. India. This option required the inclusion of a series of model clauses into contracts which effectively bind the data processor to abide by the principles of EU data protection. However, which takes precedence, contract law or the Patriot Act? Can a commercial contract ensure the privacy of EU citizens’ personal data and guarantee it to be free from disclosure to US authorities? This seems highly unlikely.

A further option could be implementing Binding Corporate Rules (BCRs) which are “designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA”. So far so good as this sounds just the ticket especially for multinational hosting providers and cloud computing providers?

However for BCRs to work, applicants must demonstrate that their BCRs “put in place adequate safeguards for protecting personal data throughout the organisation”.

How can any company hosting data inside the US offer this? In reality they probably cannot.

The truth is, EU citizens’ data protection cannot be guaranteed once it is transferred to the US. This has now been acknowledged so finally that the EU Commission and member states’ Data Protection Authorities have an imperative to do something about it.

The fallout from the decision is yet to be felt but could have far-reaching consequences for some organisations. The ICO has been at pains to point out that the ruling does not mean there is an increase in the threat to people’s personal data. However, companies will need to review how they ensure that data transferred to the US complies with legislation. Safe Harbor was not the only mechanism available for transfers between the US and EU, but it was the most widely used.

So what does this mean in the short term? Immediately, little will probably happen. The ICO is considering the judgement and will be issuing guidance in due course. A new Safe Harbor agreement is also currently being negotiated between the EU and US, and has been in negotiation for the last two years, following the Snowden revelations. Once the various authorities have cogitated over the ruling we will then need to assess the full impact on organisations as more guidance is released. In the meantime, a review of current practices is recommended for those organisations transferring data to the US.

Issued: 08.10.15 – Ends – Ref: safeharbor-01-Advent -MG

NOTES TO EDITORS

About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats.

From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the international standards for information security management (ISO 27001) and business continuity management (ISO 22301), practitioners of PRINCE2, a recognised project management methodology widely used within the public sector, CISSP qualified, and Home Office trained physical security assessors.

**PRESS RELEASE**

Media Contact: Ellie Hurst

+44 (0) 121 559 6699,

bestpractice@advent-im.co.uk

Date: 08.10.15

SMEs and Security, Data Protection and the potential UK Impact

Data Source: Department for Business, Innovation & Skills

[Figure: Cloud – 60% believe the cloud provider is responsible for sensitive or confidential data security. Source: Advent IM, Ponemon Cloud Risk 2013 data]

Cyber Attack and Hack – Is Our Use of Language Creating Security Vulnerabilities in Our Thinking?

Hacking and Cyber attacks have hardly been off our media front pages for a long time. But are businesses and organisations misleading themselves by referring to these incidents as ‘hacks’ or as ‘cyber attacks’? Are businesses actually limiting their thinking and thereby creating vulnerabilities by mislabelling these important events? There is a strong indication this might sometimes be the case.

When we talk about hacking we think about a variety of activities, from the lone, disruptive back-room coder to the determined and resource-laden gurus of cyberspace who can apparently enter our systems at will and remove whatever data they want – maybe government funded but definitely expert and dangerous. Of course, both of these exist, but if recent surveys give us any indication of how much these remote threats actually affect our businesses and organisations on a daily basis, it would appear an important part of the threat puzzle is missing.

According to the Verizon Data Breach Report 2013, more than three quarters of breaches utilised weak or stolen credentials. So either the malfeasant has taken a solid guess that the password will be ‘password’, or has stolen a passcard to a server room, or done any of a myriad of other things which are not hacking but are breach enablers. So the myth of the remote hacker is revealed, at least in the majority of cases, to be just that: a myth. With 35% of breaches involving some kind of interaction in the physical world, such as card skimming or theft, this underlines the need to move the security focus away from solely cyber.

The same report showed that in larger organisations, ex-employees were the same level of threat as existing managers. If we refer to the previous statistic, then a proportion of those stolen credentials could actually come from ex-employees using their old credentials, or credentials they had access to, in order to access company networks, as happened in the ‘Hacker Mum’ story.

Nearly a third of breaches involved some kind of social aspect. This could be coercion of an existing employee, a phishing campaign, or simply walking into a building and charming a staff member such as a receptionist (mines of information that they are) on a regular basis to get information on staff comings and goings. It could also involve surveillance of a business over an extended period, including its staff, visitors and contractors.

So the actual ‘hack’ or ‘cyber attack’ comes quite a long way down the line in this kind of breach. It could have been in planning for months. On one hand this is worrying, because our language has encouraged us to focus our attention on only one part of the process. It enables the already prevalent ‘IT deals with security’ mindset we have discussed in previous posts. But in enabling this narrowed view we are creating a vulnerability and ignoring the opportunities we would have had along the route of this breach to halt it before anyone even logged on to anything.

A comprehensive programme of security awareness training, built into everyone’s role and regularly refreshed, is one helping hand in preventing the attack reaching the actual hack stage. Simple things, like ensuring everyone knows not to click on uninvited or suspicious-looking links in emails, or being aware of unfamiliar faces in a building, regardless of whether they are wearing a high-vis jacket or a lab coat. Social engineers love to hide in plain sight.

So the use of language has ruled out these elements being considered by all staff members: they hear the words ‘cyber’ and ‘hack’, think it is IT’s responsibility, and then carry on as normal. There are many points at which the hack could have been prevented by basic security hygiene or good practice.

It underlines to us that the threats to our businesses and infrastructure are holistic, and so should the response to those threats be. Yes, there is a threat from the faceless hacker, the determined and well-funded professional as well as the random and opportunistic ‘back-bedroom warrior’. But many businesses and organisations are facing a people-based threat first: an old vulnerability being enabled in a new way, language.
