Cyber (Information) security challenges that face Solicitors (and any other type of law firm)

With thanks to one of our highly experienced, Senior Security Consultants, Mark Jones…

Traditionally, in our experience, law firms such as solicitors have relied on compliance with Lexcel regulations and the Data Protection Act to provide adequate security measures against threats to their attractive data and information databases, typically from malicious insiders or burglars. In these days of cyber-based threats, these traditional defences are clearly inadequate to deal with the far more complex and persistent threats posed by external individuals and groups (such as Serious and Organised Crime) that have far more capability and motivation than ever before out on the Internet. Perhaps this is due to the increased (or in many cases new) connectivity of law firm systems, now online 24/7 to the outside world, the additional threats that this poses, and typically no single individual within the business having responsibility for information security. It is certainly the case that attacks on law firms are on the increase, including, for example, ‘mandate frauds’, where a fraudster impersonates a known contact such as a bank or a client and asks the law firm employee to change the sort code and account number, either for making a known payment (e.g. in a conveyancing transaction) or else ‘to safeguard the client account against a fraud’. Monies then leave the business account and go to an account controlled by the fraudster, and liability for the financial loss will normally rest with the Solicitor for authorising the changes[1].

The need for robust and effective cyber security controls for small to medium sized businesses, including legal firms, has been recognised by the Government’s National Cyber Security Strategy, with its recent investment in a wide range of supporting measures, including:

  • A Cyber Incident Response (CIR) service – to provide help after the attack (and you will be attacked, not a question of if, but when);
  • Cyber Essentials – a cybersecurity assessment to provide assurances to other business stakeholders;
  • ICO’s IT Security Top Tips – to help ensure compliance with Principle 7 of the DPA98 in securing personal information; and
  • Government Guide – for small businesses ‘What you need to know about cybersecurity’.

Also, it is good to see that the Law Society itself has not been standing still and recognises the significant threats to its members with initiatives such as:

  • Cyber Security for Legal and Accountancy Professionals – a one hour online awareness course developed by the Government with the support of the Law Society and ICAEW; and
  • Law Society sponsorship to join the Cyber Security Information Sharing Partnership.

All of these initiatives and measures are good in increasing awareness of the risks that solicitors and other law firms face, but at the same time the businesses themselves must think seriously about how they can continuously mitigate the increasing cyber threat. That means implementing best security practices, such as appointing senior management / partners with specific responsibility for all security matters: the traditional physical and personnel measures, now expanded to include organisational policy and procedures, IT operations and communications, 3rd party service providers, security incident management and more besides. Compliance with Cyber Essentials is a must for all businesses, especially small businesses (for suppliers to Government it is mandatory), but for the medium-sized and above business it may be time to contemplate implementing a more robust and comprehensive information security management system or framework, as provided by the International Organization for Standardization’s ISO27001:2013.

Law firms that Advent IM have engaged with, to provide mentoring support, guidance and advice through to eventual certification, have acknowledged the competitive advantage it provides, as currently there are not many law firms certified to the ISO. More importantly, Partners are reassured that their business now has the correct Governance, Risk and Compliance (GRC) management processes in place to face the increasing and ever more dangerous threats from Cyber Crime. It is appreciated that many legal SMEs don’t have the necessary subject matter expertise within the practice, and that is where Advent IM excel: by providing that expertise, and by having worked with other law firms to understand their business practices and how better cyber security can support their legal business processes.

[1] Source: http://www.lawsociety.org.uk/News/Stories/scams-against-solicitors-met-police-offer-advice-and-support-on-fraud-prevention/


ICO “Sounds the alarm” over escalating levels of law firm data breach

Rather than issue financial penalties, the Information Commissioner’s Office (ICO) has opted for a subtler approach to law firm data breach. The information watchdog has the power to issue fines of up to £500k for serious breaches of the Data Protection Act, but has chosen instead to issue a warning and reminder to law firms. This ‘warning shot across the bows’ comes after fifteen breaches over three months from UK law firms.

The ICO has had its fair share of criticism when it comes to issuing financial penalties; many of those critics cite the bias toward public bodies that have been singled out for fines. But this is a clear warning that the ICO has the personal data handlers of all sectors in its sights, and fifteen breaches in three months is surely a trend that needs halting immediately.

Without a doubt, some of the information collected, stored, managed and deleted by law firms has to be among the most sensitive and personal of all data. The need for solicitors and barristers to be paragons of data protection virtue is clear. We are experiencing rising levels of cybercrime, fraud and hacking but there is also increasing awareness of how to report it and businesses are now looking to the law to support them and gain legal redress when their own or their supply chain data is breached or hacked. So the implications are far reaching; not only from the perspective of the data subjects who may be breached by their solicitor’s information handling practices, but from the commercial considerations for solicitors. Not only could they be facing an eye-watering and potentially practice-closing fine, but even a smaller fine or ICO notified undertaking could result in loss of credibility and therefore business.


Law firms need to up their Data Protection game, according to the ICO

Treasury Solicitor’s Department falls foul of Data Protection Act


In summary, Whitehall’s largest legal department, the Treasury Solicitor’s Department (TSol), breached the DPA four times between 2011 and 2012. These breaches were not system glitches, hackers or any kind of technical failure. They were the result of human error and a failure in process. This may be due to a lack of awareness or possibly a training issue.

Processes will now have to be totally overhauled, as staff learn exactly what they are required to do when handling information. This can happen to any organisation of course but the ramifications in legal matters are very serious.

The ICO found that in three of the cases, papers relating to various pieces of litigation were sent out to the claimants’ solicitors, while still containing the personal information of third parties that should have been redacted. In the fourth case, a bundle of case papers relating to an unfair dismissal case were sent to a complainant, but contained the personal data of an individual pursuing a separate claim.

Many data breaches are caused by non-technical issues, yet our reporting and understanding of data breach still seems very IT-centric. If we continue to ignore the human factor in data protection, we continue to leave ourselves open to this kind of event.


Infographics and stats on Data Protection and Information Security are also available. You don’t have to sign up; just pick the ones that interest you. If you choose to use any, please retain the original branding and source.

2013 Over the Shoulder

Time for a bit of a look back…sort of

The rise and rise of BYOD, the discovery that eBay is not the appropriate place to divest yourself of NHS patient data, and the increase in malware, and not just any malware but mobile malware. These were a few of my (least) favourite things of 2013.

It may seem churlish to poke a stick at the rise of the enormously popular BYOD, but it’s actually connected to the concern around the rise of mobile malware. 2013 saw BlackBerry drop off the business cliff and Android devices rise to start to fill the gap. According to the latest stats from Gartner, 4 out of every 5 devices in the last quarter were Android powered (driven by growth in China). This proliferation has a knock-on effect, because it means more employees will be BYODing with Android devices and more businesses are choosing them as their business-issued device. At the same time, we are reading that Android devices are the top target for malware and malicious apps. I recently heard BYOD described as ‘anarchic chaos’. Let’s see what epithet we can come up with after another year of Android malware…

Looking at eBay as the place to send your old drives full of (personal) data… hopefully everyone has learned some massive lessons from this incident in Surrey NHS and will be doing due diligence on whoever they procure/source to carry out the destruction of this kind of data in future. Remember, any organisation that has certified to a standard like ISO27001 will welcome an audit so they can prove to you how seriously they take IS processes. This can offer some kind of reassurance and form part of that due diligence.

‘Cyber’ has been a headline grabber all year for many different reasons. Some of the time this has been related to the NSA and GCHQ revelations, so Cyber could also have meant privacy. Some of those headlines have related to Cyber Security and the Government commitment to getting UK PLC fully on board with knowledge, understanding and protection. Of course, “hacker” is another word rarely out of the headlines, and previously on this blog I have taken issue with media use of both of these words, largely because it can be misleading. I won’t bang on about it again, and you can read the previous blog post if you choose. However, I do think that this continued laziness will encourage people to think that security is an IT issue and therefore someone else’s problem, as opposed to a business issue that needs to be addressed at C-Level.

Phishing and Spear Phishing continue to bleep away on every Security professional’s radar. Whilst scattergun phishing may not be growing especially, it’s clear that targeted or spear phishing is increasing. This also relates to my previous point about ‘hacking’ and ‘cyber’, as frequently these can be pre-emptive strikes for a full-on attack, or part of a broader Social Engineering attack to facilitate or enable a hack or cyber attack. If you want to read or hear more about that, you can see our earlier posts and our presentation on the subject.

The phishing issue is a serious business, and employees need proper and regular training on what these attempts look like and how to deal with them. That is not just your standard phishing attempt from someone telling you your bank account is compromised (I had an amusing one recently from Honestly Barclays Security), but a sophisticated phish from someone who has obtained your email address and is trying to pass themselves off as someone else in order to gain access to information. This requires bespoke training from an employer. Software or a firewall may not protect you from them…

Lastly how our physical world interacts with our cyberworld. 2013 saw Google Glass arrive and the invention of a whole new insult, Glassholes (not mine, don’t shoot the messenger). Some misgivings and some misunderstandings around Google Glass merely serve to remind us that though we are raising a generation that thinks nothing of handing over their privacy in order to get a free app or free wi-fi, there are still enough people concerned about the march of technology ahead of security to make pursuing secure progress worthwhile.

We also saw the mainstream expansion of household items that are web enabled, and several furores over TVs that apparently spy on their owners. Add to the list fridges and cars for next year, and let’s see what else is either causing ‘spying’ headlines or is being hacked by cybercrims. In the business world, those responsible for smart buildings with IP security and building management systems are becoming increasingly aware of the threat from cyberspace; we have a presentation on the topic (you will need sound). Making sure we buy secure security systems sounds mad, but actually it isn’t happening enough. These systems sit on networks, needing firewalls and patching and anti-virus just like our other systems. We cannot assume that because a system is a security system it is inherently secure.

Remember, everyone in an organisation is part of that organisation’s security. An information asset might be an email or electronic document, but it might also be a fax, a cardboard file, a piece of paper or an overheard conversation about intellectual property. They all have to be protected, and a firewall isn’t going to cover it all.

No doubt we will have some predictions for 2014 soon….


Effective Employee Monitoring Or Snooping?

Monitoring employees for potential disciplinary reasons is a standard part of the HR role; however, a lack of awareness of how to do this within ICO guidelines and Data Protection best practice could end up in a costly tribunal for employers.


CCTV? Vehicle tracking? Call monitoring? Web monitoring? Generated data has to be protected.

Do you monitor your employees? At a recent Employment Law Seminar [1], I asked that question and hardly anyone showed hands. So I asked if anyone used CCTV, indoors or outdoors. I asked if their vehicles had trackers on them and, if they did, whether the vehicles were allowed for personal use. I asked if they were allowed for personal use, did they switch the tracking off outside of business hours. I asked if internet use was monitored or restricted. Lastly I asked if they monitored phone or email use. I pointed out that even something installed for the safety and security of employees, like CCTV, is in fact monitoring them, and the images could potentially form part of a disciplinary if required. Then I asked again if anyone monitored their employees, and virtually everyone raised their hand.

OK, so there were some areas of monitoring employers might not have realised they were doing, as they had not actively instigated them to monitor employees with a view to disciplining them. There are other areas of monitoring that are started for clear improvement or disciplinary reasons. It might be an employee using company email for more than the occasional personal purpose, an employee constantly online shopping or browsing porn in work hours on a work computer, or an accusation of physical intimidation of one employee by another. These are example scenarios that might require a business to start surveillance on its employees. However, before swinging into action, a business needs to be absolutely certain how to proceed, or there may be unintended consequences for the business. These unintended consequences could prove to be costly, not only financially but reputationally.

Certain things need to be in place before effective surveillance can take place. Robust policy is obviously the first place to start. For instance, if employees are allowed to use laptops for personal use and an employee uses one to view porn outside of work hours, have they contravened the policy? Was the policy absolutely crystal clear as to whether or not this would be a disciplinary offence? Do they understand it? The other part of the equation is the policy on monitoring. Are both employers and employees clear on the policy and procedures around monitoring? If you are going to monitor them, you have to be certain. You also cannot simply blanket monitor all employees. You cannot covertly monitor them; your intention or objectives must be clear and consistent. You must be able to explain to employees:

  • Why you are monitoring
  • What the process is
  • What you are monitoring – systems, applications, hardware etc
  • When you will be monitoring
  • Who will be responsible for monitoring
  • Who will have access to the data generated by the monitoring
  • How that resulting data will be held, managed and eventually destroyed

It is vital that the last four points are not overlooked. In our IT driven environment, it frequently falls to IT to roll out the software to carry out monitoring or surveillance. This may be the most practicable solution to initiating the monitoring process, but is it appropriate for IT to have access to the resulting data? Any resulting data from surveillance is sensitive, and so employees have every right to expect it to be treated with the same duty of care as their other sensitive or personal information. The data generated from monitoring will be covered by the Data Protection Act (1998), and so a clear understanding of who can access it, when they can access it and when it should be destroyed is vital. Remember, employees have every right to request the data that employers hold on them (through a Subject Access Request, and this would include CCTV images) or to demand that it be destroyed, if it is felt that retention is not appropriate and in accordance with the Act and local policy. This is because the Act states that the data and images are their property and not their employer’s. Interestingly, a recent survey [3] on Insider Fraud indicated CCTV surveillance as a new monitoring means being enabled by businesses, specifically to combat fraud by employees and not, as has traditionally been the case, to ensure their safety and security.

Emails or browser histories are fairly obvious data generators, as is call-monitoring. It is worth noting that this kind of information is possibly best routed directly to HR, rather than monitored by IT. Serious misconduct such as viewing child pornography could be inadvertently compounded if it is handled by someone unaware of the law around such matters. In the case of something like child porn, a well-meaning person accessing whatever images had been viewed or downloaded, and saving or downloading them as proof, would perhaps not realise that every time they are viewed or downloaded it is an offence…


So making sure that employees know, understand (and confirm they understand) relevant policies relating to their conduct is the start. Ensuring they know, understand (and confirm they understand) the employee monitoring policy is the next stage and, presuming the policy is fit for purpose, monitoring can commence. Employers need to be absolutely certain they are conducting monitoring in accordance with the ICO guidelines and within the Data Protection Act (1998). A simple guide exists on the ICO website [2], which is a good place to start.

Clarity, openness and best practice, the cornerstones of good business, are the bywords for effective employee monitoring and also help keep a business out of Employment Tribunals.

Additional: since initial publication, a case arose that I wanted to share with you: http://nakedsecurity.sophos.com/2013/08/01/malware-alert-while-seeking-child-abuse-images-at-work-earns-us-man-5-years-in-jail/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=ee66968c9f-naked%252Bsecurity&utm_term=0_31623bb782-ee66968c9f-454804325

This man was caught by a malware alert on his employer’s system, and monitoring was then set up. This is an example of the circumstances in which it is vital to do surveillance within the law, as so much depends on it.


_________________________________________________________________________

[1] Waldrons Solicitors Breakfast Seminar, Employment Law – available on Slideshare: http://www.slideshare.net/Advent_IM_Security

[2] Quick Guide to the Employment Practices Code: http://www.ico.gov.uk/for_organisations/sector_guides/~/media/documents/library/Data_Protection/Practical_application/quick_guide_to_the_employment_practices_code.ashx

[3] Ponemon Institute – The Risk of Insider Fraud – Second Annual Study.

Guest post from Darlingtons Solicitors: Holistic and practical approach to business risks is best

We would like to thank Darlingtons for this guest post on a business imperative. It’s always reassuring to have a legal perspective on Security.

“As a law firm offering specialist advice in areas including employment law and fraud, at Darlingtons Solicitors, we see on a day to day basis the impact of legal and security threats which turn into issues causing at best, significant damage, in financial and other terms to a business, and at worst, which can literally put a business out of business.

In our experience, all clients, big or small, do have a sense of threats to their businesses, internal and external, but many tend to somehow try and put these to the back of their mind, and this ties in with the general problem both legal and security professionals face – we are not selling something which clients see as a clear benefit to their business.

Benefit has a traditional sense of a positive outcome, generally financial, and in that sense, preventing damage does not fit with the traditional sense of the word. However, when thinking of bottom line figures, preventing or mitigating losses does have a real impact on any business.

Failing to advise is failing a client

Accepting as a starting point that pushing an argument, however correct, too hard on the lines of “failing to plan is planning to fail” will be unlikely to result in a client handing over a blank cheque to either lawyers or security consultants, what perhaps differentiates the better companies is an ability to understand proportionate threats, limited budgets and to provide advice to clients tailored for that client and based on experience.

Take data protection as an example. Most businesses know that there are laws about data protection, most also understand that their business data, client lists, product information, suppliers and other data are a critical part of their business, but a smaller business with a limited budget may not know which are the biggest threats and what options there are which they may be able to afford to limit the potential damage that could be caused by doing nothing.

It makes sense for professionals to work together when advising clients on risk prevention, something which lawyers should frankly embrace more than most have in the past.

For example, it is all very well advising a client that they need a data protection policy, a social media policy, a contract of employment with strong restrictive covenants and so on, but ultimately, these are pieces of paper. A determined, desperate or foolhardy employee intent on stealing business or vindictive damage on an employer may not even care whether they get sued later and are quite possibly not worth suing.

However, if lawyers work closely with security professionals, the legal paperwork can more easily dovetail with practical safeguards which may prevent loss, such as IT security controls.

In turn, security professionals need to take on board legal issues, such as, for example, where a business decides to monitor its employees’ online activities. In that situation, serious legal consequences would result if the business does not advise the employees it is monitoring them, which can be criminal as well as civil.

Solution?

In our experience and view, the best approach to legal and security threats, particularly for small businesses, is to consider seriously an annual security and legal audit. Progressive law firms and security companies are now offering these at low cost or in some cases even free. A composite report, identifying threats based on risk level and potential ramifications, both legal and practical, presenting the commercial and legal argument for taking action, based on priority and cost, is a reasoned, proportionate method and good business sense.

For further advice or assistance on legal risks, legal problems you currently have or to discuss a legal audit, we would be happy to assist, please get in touch.” – Darlingtons Solicitors.

And if you need support, consultation or mentoring with Data Protection or Information Security including ISO27001, contact Advent IM bestpractice@advent-im.co.uk www.advent-im.co.uk

Data Protection: A Necessity, Not An Option

We are delighted to have a guest post from Peter Harthan of Riverview Solicitors.

The news that the Information Commissioner’s Office (ICO) has served its highest-ever civil monetary penalty (CMP) is the starkest warning yet of how severely it will punish businesses who fail to take their data protection responsibilities seriously.

The ICO’s penalty of £325,000 on Brighton and Sussex University Hospitals NHS Trust for what it describes as a serious breach of the Data Protection Act follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV – on hard drives sold on an internet auction site in 2010.

The Trust plans to appeal the decision but it is a timely reminder that complying with the Data Protection Act is not optional. If you’re ever unsure of your responsibilities then consult your solicitor or even seek advice from the ICO.

Believe it or not, the ICO aren’t here just to investigate and punish businesses when things go wrong. They also offer invaluable ways to help businesses improve their processing of personal data with audits – aimed at larger businesses that are likely to have a basic understanding of the Act but would benefit from some assistance in meeting their obligations. While for small to medium sized businesses who may be struggling to understand what they need to do about data protection and need some practical advice, they offer advisory visits. Both audits and advisory visits are free and more information is available on the ICO website.

In the meantime, remember these six best practice tips for handling personal data:

Carry out a risk assessment


Carry out a risk assessment to identify the areas where the data held by the business may be at risk.

You’ll need to think about issues such as:

  • Physical risks, for example, damage to data or systems caused by fire, theft or vandalism; and
  • The potential impact of human error, such as the careless disposal of data by your staff.

Consider not only information which is held on the business premises, but also any that is taken off-site, such as on staff laptops. Don’t overlook data which is handled elsewhere by a third party, for example outsourced to a payroll administrator.

Draw up a data handling policy

Ensure that you have a written policy for staff regarding data handling, so that they are aware of the Data Protection Act 1998 (the Act) and how its requirements affect their daily working practices. Staff awareness and training are key to ensuring compliance with the Act.

Your data handling policy should cover issues such as:

  • which staff members have access to particular kinds of information;
  • whether that information is password-protected, or in the case of physical data such as files, whether they are kept in a locked cabinet;
  • whether data held on your systems is encrypted or protected by other means such as a firewall or anti-virus software; and
  • the way in which data is securely disposed of.

Put in place a business continuity plan

You should put in place a business continuity or contingency plan that your staff can follow if disaster strikes and you suffer a serious loss of data. This should be reviewed and updated on a regular basis to ensure that it remains adequate to meet the changing requirements of the business and its operations, and the evolving risks to which it is exposed.

The contingency plan should identify the business functions and assets (including personal information) that would need to be maintained in the event of a disaster, and set out the procedures for protecting and restoring them if necessary.

Keep up-to-date

The BS ISO/IEC 27001 Standard is the de facto international Standard on information security and a useful source of information on good practice for data security, although it’s not in itself a legal requirement. It offers a business-led approach to best security practice and provides a framework to implement and maintain effective security within a business.

The Information Commissioner’s Office (ICO) has also published guidance on good practice in relation to data security, and a note on encryption, which you can find on their website. In relation to encryption, the ICO recommends that any portable and mobile devices, including magnetic media, which are used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software designed to guard against the compromise of information.

Monitor external data processors

The Act requires businesses or ‘data controllers’ to ensure that there are adequate safeguards in place regarding any processing that is carried out on their behalf by external, third party, data processors – for example, outsourced functions such as HR administration.

As a business you should take care when selecting a third party processor:

  • choose a data processor which provides sufficient guarantees with regard to its technical and organisational security measures;
  • take reasonable steps to ensure that the data processor complies with these measures; and
  • ensure that the processing takes place under a written contract which stipulates that the processor will act only on your instructions, and that they will have security measures in place that ensure compliance with the seventh data protection principle and the Act generally.

Review your security arrangements

You must notify the ICO if you process personal data of any kind, unless you are exempt from doing so. Failure to notify is a criminal offence.

When completing a notification form, you will be asked to give a general description of the measures you are taking to protect the personal information the business deals with. Use this as an opportunity to review the adequacy of the safeguards you have in place and consider whether more needs to be done in order to comply with your obligations under the Act.

If you would like further information about data protection and other legal matters, register for free on the Riverview Law website for access to over 650 plain English advice pages and over 450 documents, letters and templates.


Sincere thanks to Peter and Riverview for this valuable input.

For consultancy on Data Protection, Business Continuity, or either accreditation to or help with compliance with ISO27001, you can talk to Advent IM. We take a risk-based, holistic approach to Security.