Cyber (Information) security challenges that face Solicitors (and any other type of law firms)

With thanks to one of our highly experienced, Senior Security Consultants, Mark Jones…

istock_000011991144medium.jpgTraditionally in our experience law firms, such as solicitors, have relied on compliance with Lexcel regulations, and the Data Protection Act, to provide adequate security measures to combat threats from say typically malicious insiders or burglars to their attractive data and information databases. In these days of cyber-based threats these traditional defences are clearly inadequate to deal with far more complex and persistent threats posed by external individuals and groups (such as Serious and Organised Crime) that have far more capability and motivation than ever before out in the Internet. Perhaps this is due to increased (or in many cases new) connectivity of law firm systems to being online 24/7 to the outside world and the additional threats that it poses and typically no single individual within the business having responsibility for information security? It is certainly the case that attacks on law firms are on the increase including  for example, scam ‘mandate frauds’ where a fraudster impersonates a known contact, such as a bank or a client, and asking the law firm employee to change the sort code and account number, either for making a known payment (e.g. in a conveyancing transaction) or else, ‘to safeguard the client account against a fraud’. Monies will then leave the business account and go to an account controlled by the fraudster and the liability of the financial loss will normally be with the Solicitor say for authorising the changes[1].

Advent IM HMG accreditation concepts trainingThe need for robust and effective cyber security controls for small to medium sized business including legal firms has been recognised by Government’s National Cyber Security Strategy with their recent investment in a wide range of supporting measures, including:

  • A Cyber Incident Response (CIR) service – to provide help after the attack (and you will be attacked, not a question of if, but when);
  • Cyber Essentials – a cybersecurity assessment to provide assurances to other business stakeholders;
  • ICO’s IT Security Top Tips – to help ensure compliance with Principle 7 of the DPA98 in securing personal information; and
  • Government Guide – for small businesses ‘What you need to know about cybersecurity’.

Also, it is good to see that the Law Society itself has not been standing still and recognises the significant threats to its members with initiatives such as:

  • Cyber Security for Legal and Accountancy Professionals – a one hour online awareness course developed by the Government with the support of the Law Society and ICAEW; and
  • Law Society sponsorship to join the Cyber Security Information Sharing Partnership.

iStock_000014878772MediumAll of these initiatives and measures are good in increasing awareness of the risks that solicitors and other law firms face but at the same time the businesses themselves must think seriously about how they can continuously mitigate the increasing cyber threat by ensuring that they have implemented best security practices such as appointing senior management / partners with a specific responsibility for all security matters including the traditional physical and personnel measures but now expanded to include organisational, policy and procedures, IT operations and communications, 3rd party service providers, security incident management and more besides. Compliance with Cyber Essentials is a must for all businesses especially small businesses (for suppliers to Government it is mandatory) but for the medium-sized and above business it may be time for them to contemplate implementing a more robust and comprehensive information security management system or framework as provided by the International Standard Organisation’s ISO27001:2013. Law firms that Advent IM have engaged with to provide

quality standard

mentoring support, guidance and advice to eventual certification have acknowledged the competitive advantage it provides as currently there are not many law firms certified to the ISO. More importantly, Partners are re-assured that their business has now the correct Governance, Risk and Compliance (GRC) management processes in place to face the increasing and ever more dangerous threats from Cyber Crime. It is appreciated that many legal SMEs don’t have the necessary subject matter expertise within the practice and that is where Advent IM excel by providing that aspect and having worked with other law firms to understand their business practices and how better cyber security can support their legal business processes.

[1] Source:

Steep Rise in Data Theft Cases through High Court (visual)


Advent IM ISO27001 Consultants

Guest post from Darlingtons Solicitors: Holistic and practical approach to business risks is best

We would like to thank Darlingtons for this guest post on a business imperative.  Its always reassuring to have a legal perspective on Security.

“As a law firm offering specialist advice in areas including employment law and fraud, at Darlingtons Solicitors, we see on a day to day basis the impact of legal and security threats which turn into issues causing at best, significant damage, in financial and other terms to a business, and at worst, which can literally put a business out of business.

In our experience, all clients, big or small, do have a sense of threats to their businesses, internal and external, but many tend to somehow try and put these to the back of their mind, and this ties in with the general problem both legal and security professionals face – we are not selling something which clients see as a clear benefit to their business.

Benefit has a traditional sense of a positive outcome, generally financial, and in that sense, preventing damage does not fit with the traditional sense of the word. However, when thinking of bottom line figures, preventing or mitigating losses does have a real impact on any business.

Failing to advise is failing a client

Accepting as a starting point that pushing an argument, however correct, too hard on the lines of “failing to plan is planning to fail” will be unlikely to result in a client handing over a blank cheque to either lawyers or security consultants, what perhaps differentiates the better companies is an ability to understand proportionate threats, limited budgets and to provide advice to clients tailored for that client and based on experience.

Take data protection as an example. Most businesses know that there are laws about data protection, most also understand that their business data, client lists, product information, suppliers and other data are a critical part of their business, but a smaller business with a limited budget may not know which are the biggest threats and what options there are which they may be able to afford to limit the potential damage that could be caused by doing nothing.

It makes sense for professionals to work together when advising clients on risk prevention, something which lawyers should frankly embrace more than most have in the past.

For example, it is all very well advising a client that they need a data protection policy, a social media policy, a contract of employment with strong restrictive covenants and so on, but ultimately, these are pieces of paper. A determined, desperate or foolhardy employee intent on stealing business or vindictive damage on an employer may not even care whether they get sued later and are quite possibly not worth suing.

However, if lawyers work closely with security professionals, the legal paperwork can more easily dovetail with practical safeguards which may prevent loss, such as IT security controls.

In turn, security professionals need to take on board legal issues, such as, for example, where a business decides to monitor it’s employees online activities. In that situation, serious legal consequences would result if the business does not advise the employees it is monitoring them, which can be criminal as well as civil.

Solution ?

In our experience and view, the best approach to legal and security threats, particularly for small businesses is to consider seriously an annual security and legal audit. Progressive law firms and security companies are now offering these at low cost or in some cases even free. A composite report, identifying threats based on risk level and potential ramifications, both legal and practical, presenting the commercial and legal argument for taking action, based on priority and cost is reasoned, proportionate method and good business sense.

For further advice or assistance on legal risks, legal problems you currently have or to discuss a legal audit, we would be happy to assist, please get in touch.” –  Darlingtons Solicitors.

And if you need support, consultation or mentoring with Data Protection or Information Security including ISO27001, contact Advent IM

ABS – threat or culture change?

Will non legal ownership pose a threat to client data security?

Smaller practices may now have to start looking to attract more business or corporate-style clients as ABS opens the door for a whole new way for clients and potential clients, to consult the legal profession. Traditional clients for these practices may shift into the new approach. Whilst the business impact for the unprepared practice, may seem quite clear, there are other implications for private and business clients who decide to go the route of the ABS. There is also an opportunity for legally owned pratices to distinguish themselves and their offering further by leveraging a culture they already operate in.

We know that Solicitors have always taken security and Data  Protection very seriously. We have interacted with legal firms and this commitment to the safe storage, transfer or disposal of their valued clients’ highly personal information is reassuring. That is because it is part of legal  culture; its tradition. What will happen when the shape of the profession changes through ABS? To answer this we needed to know what kind of organisations are showing an interest in this opportunity and how that will feed down, culturally through new-style practices.

We also need to know how the PLC Legal as opposed to  the LLP, will look or feel once the impact of change really starts. Time will tell but for the moment, we are  assuming it will be a lot more online, one size fits all solutions along the  lines of the ‘no win no fee’ offerings already available.  Maybe there will be a grouping of services  with Insurance and Accountancy etc. potentially offering a one stop shop for services.

Going back to our question of what the impact will be, what disturbs us, as Security consultants, is that while the  Legal Profession has barely attracted a raised eyebrow from the ICO in terms of data breaches, other industries such as Insurance and Banking, have been marked out for consistent data breaches and bad practice.

Readers of our Gambling blog (
will also know that we have discussed the loss of 3.15m credit card account
details at, six months prior to its float. We hope that the change
in legal business model will not negatively impact this culture of security within
the profession. Given the involvement of ‘non-legal culture ownership’, online
presence (and presumably payment) and the now well explored corporate
difficulty with data security, it’s not difficult to be concerned.

According to  18.10.11, seven major brands are poised to
enter the UK legal market. One of the speakers at the Legal Futures Conference,
Andy Wigmore, policy director of the Claims Standards Council, revealed that he
is a director of a hedge fund which “has been hovering” over the personal
injury market. The fund is poised to back a claims management company and make
“some very strategic investments and acquisitions of very niche law firms”.

He said the claims management companies in which the fund  has – or is soon to have – an interest, have “mature, refined, technology-driven, efficient processes” and the companies have already built “direct and strong  relationships with brokers and insurers”.  Hopefully not ones that have data breach issues and are being singled out for criticism by the ICO. With the change in culture, comes responsibility and data protection may well prove to be a point of distinction for practices that need to distinguish themselves from the new breed.

Watch this blog and send us your thoughts.