Cyber (Information) security challenges that face Solicitors (and any other type of law firms)

With thanks to one of our highly experienced, Senior Security Consultants, Mark Jones…

istock_000011991144medium.jpgTraditionally in our experience law firms, such as solicitors, have relied on compliance with Lexcel regulations, and the Data Protection Act, to provide adequate security measures to combat threats from say typically malicious insiders or burglars to their attractive data and information databases. In these days of cyber-based threats these traditional defences are clearly inadequate to deal with far more complex and persistent threats posed by external individuals and groups (such as Serious and Organised Crime) that have far more capability and motivation than ever before out in the Internet. Perhaps this is due to increased (or in many cases new) connectivity of law firm systems to being online 24/7 to the outside world and the additional threats that it poses and typically no single individual within the business having responsibility for information security? It is certainly the case that attacks on law firms are on the increase including  for example, scam ‘mandate frauds’ where a fraudster impersonates a known contact, such as a bank or a client, and asking the law firm employee to change the sort code and account number, either for making a known payment (e.g. in a conveyancing transaction) or else, ‘to safeguard the client account against a fraud’. Monies will then leave the business account and go to an account controlled by the fraudster and the liability of the financial loss will normally be with the Solicitor say for authorising the changes[1].

Advent IM HMG accreditation concepts trainingThe need for robust and effective cyber security controls for small to medium sized business including legal firms has been recognised by Government’s National Cyber Security Strategy with their recent investment in a wide range of supporting measures, including:

  • A Cyber Incident Response (CIR) service – to provide help after the attack (and you will be attacked, not a question of if, but when);
  • Cyber Essentials – a cybersecurity assessment to provide assurances to other business stakeholders;
  • ICO’s IT Security Top Tips – to help ensure compliance with Principle 7 of the DPA98 in securing personal information; and
  • Government Guide – for small businesses ‘What you need to know about cybersecurity’.

Also, it is good to see that the Law Society itself has not been standing still and recognises the significant threats to its members with initiatives such as:

  • Cyber Security for Legal and Accountancy Professionals – a one hour online awareness course developed by the Government with the support of the Law Society and ICAEW; and
  • Law Society sponsorship to join the Cyber Security Information Sharing Partnership.

iStock_000014878772MediumAll of these initiatives and measures are good in increasing awareness of the risks that solicitors and other law firms face but at the same time the businesses themselves must think seriously about how they can continuously mitigate the increasing cyber threat by ensuring that they have implemented best security practices such as appointing senior management / partners with a specific responsibility for all security matters including the traditional physical and personnel measures but now expanded to include organisational, policy and procedures, IT operations and communications, 3rd party service providers, security incident management and more besides. Compliance with Cyber Essentials is a must for all businesses especially small businesses (for suppliers to Government it is mandatory) but for the medium-sized and above business it may be time for them to contemplate implementing a more robust and comprehensive information security management system or framework as provided by the International Standard Organisation’s ISO27001:2013. Law firms that Advent IM have engaged with to provide

quality standard

mentoring support, guidance and advice to eventual certification have acknowledged the competitive advantage it provides as currently there are not many law firms certified to the ISO. More importantly, Partners are re-assured that their business has now the correct Governance, Risk and Compliance (GRC) management processes in place to face the increasing and ever more dangerous threats from Cyber Crime. It is appreciated that many legal SMEs don’t have the necessary subject matter expertise within the practice and that is where Advent IM excel by providing that aspect and having worked with other law firms to understand their business practices and how better cyber security can support their legal business processes.

[1] Source: http://www.lawsociety.org.uk/News/Stories/scams-against-solicitors-met-police-offer-advice-and-support-on-fraud-prevention/

SMEs and Security, Data Protection and the potential UK Impact

Data Source: Department for Business, Innovation & Skills

Data Source: Department for Business, Innovation & Skills

2013 Over the Shoulder

Time for a bit of a look back…sort of

The rise and rise of BYOD, the discovery that Ebay is not the appropriate place to divest yourself of NHS Patient data and the increase in malware and not just any malware – mobile malware. These were a few of my (least) favourite things of 2013.

It may seem churlish to poke a stick at the rise of the enormously populist BYOD but its actually connected to the concern around the rise of mobile malware. 2013 saw Blackberry drop off the business cliff and Android devices rise to start to fill the gap. According to the latest stats from Gartner 4 out of every 5 devices in the last quarter were Android powered (driven by growth in China). This proliferation has a knock on effect because this means more employees with be BYODing with Android devices and also more business are choosing them as their business issued device. At the same time, we are reading that Android devices are the top target for malware and malicious apps. I recently heard BYOD described as ‘anarchic chaos’. Let’s see what epithet we can come up with after another year of Android malware…

Looking at Ebay as the place to send your old drives full of (personal) data…hopefully everyone has learned some massive lessons from this incident in Surrey NHS and will be doing due diligence on whoever they procure/source to carry out the destruction of this kind of data in future. Remember, any organisation that has certified to a standard like ISO27001 will welcome an audit so they can prove to you how seriously they take IS processes. This can offer some kind of reassurance and form part of that due diligence.

‘Cyber’ has been a headline grabber all year for many different reasons. Some of the time has been related to the NSA and GCHQ revelations and so Cyber could also have meant privacy. Some of those headlines have related to Cyber Security and the Government commitment to getting UK PLC fully on board with knowledge, understanding and protection. Of course, “hacker” is another word rarely out of the headlines and previously on this blog I have taken issue with media use of both of these words. Largely because it can be misleading, I won’t bang on about it again and you can read the previous blog post if you choose. However, I do think that this continued laziness will encourage people to think that security is an IT issue and therefore, someone else’s problem as opposed to a business issue that needs to be addressed at C-Level.

Phishing and Spear Phishing continue to bleep away on every Security professional’s radar. Whilst scatter gun phishing may not be growing especially, its clear that targeted or spear phishing is increasing. This also relates to my previous point about ‘hacking’ and ‘cyber’ as frequently these can be pre-emptive strikes for a full on attack or part of a broader Social Engineering attack to facilitate or enable a hack or cyber attack. If you want to read more or hear more about that then you can read our posts here and see our presentation here.

The phishing issue is a serious business and employees need proper and regular training on what these attempts look like and how to deal with them. That is not just your standard phishing attempt from someone telling you your bank account is compromised (I had an amusing one recently from Honestly Barclays Security), but a sophisticated phish from soemone who has obtained your email address and is trying to pass themselves off as someone else in order to gain access of information. This requires bespoke training from an employer. Software or a firewall may not protect you from them…

Lastly how our physical world interacts with our cyberworld. 2013 saw Google Glass arrive and the invention of a whole new insult, Glassholes (not mine, don’t shoot the messenger). Some misgivings and some misunderstandings around Google Glass merely serve to remind us that though we are raising a generation that thinks nothing of handing over their privacy in order to get a free app or free wi-fi, there are still enough people concerned about the march of technology ahead of security to make pursuing secure progress worthwhile.

We also saw the mainstream expansion of household items that are web enabled and several furores over TVs that apparently spy on their owners. Add to the list fridges and cars for next year and lets see what else is either causing ‘spying’ headlines or is being hacked by cybercrims. In the business world, smart buildings with IP security and building management systems are becoming increasingly aware of the threat from cyberspace. You can watch our presentation on the topic here. You will need sound. Making sure we buy secure security systems sounds mad, but actually it isn’t happening enough. These systems are sat on networks, needing firewalls and patching and anti virus just like our other systems. We cannot assume because a system is a security system then it is inherently secure.

Remember, everyone in an organisation is part of that organisations’ security. An information asset might be an email or electronic document, but it might also be a fax, a cardboard file,a piece of paper or an overheard conversation about intellectual property. They all have to be protected and a firewall isnt going to cover it all.

No doubt we will have some predictions for 2014 soon….

 

Cyber Attack and Hack – Is Our Use of Language Creating Security Vulnerabilities in Our Thinking?

Hacking and Cyber attacks have hardly been off our media front pages for a long time. But are businesses and organisations misleading themselves by referring to these incidents as ‘hacks’ or as ‘cyber attacks’? Are businesses actually limiting their thinking and thereby creating vulnerabilities by mislabelling these important events? There is a strong indication this might sometimes be the case.

When we talk about hacking we think about a variety of activities, from the lone, disruptive back-room coder, to the determined and resource-laden gurus of cyberspace who can

cube

apparently enter our systems at will and remove whatever data they want – maybe government funded but definitely expert and dangerous. Of course, both of these exist but if recent surveys give us any indication of how much these remote threats actually affect our businesses and organisations on a daily basis, it would appear an important part of the threat puzzle is missing.

According to the Verizon Data Breach Report 2013, more than three quarters of breaches utilised weak or stolen credentials. So either the malfeasant has taken a solid guess that the password will be ‘password’ or has potentially stolen a passcard to a server room or a myriad of other activities which are not hacking but are breach enablers. So the myth of the remote hacker is revealed, at least in the majority of cases to be just that, a myth. With 35% involving some kind of interaction in the physical world, such as card-skimming or theft it underlines the need to move the security focus away from solely cyber.

The same report showed that in larger organisations, ex employees were the same level of threat as existing managers. If we refer to the previous stat then a proportion of those stolen credentials could actually come from ex employees using their old credentials or credentials they had access to, in order to access company networks as happened in the ‘Hacker Mum’ story

Nearly a third of breaches involved some kind of Social aspect, this could be coercion of an existing employee, a phishing campaign or simply walking into a building and charming a staff member such as a receptionist (mines of information that they are) on a regular basis to get information on staff comings and goings etc. It could also involve surveillance of a business over an extended period, including its staff, visitors and contractors.

So the actual ‘hack’ or ‘cyber attack’ is quite an extensive way down the line in this kind of breach. It could have been in planning for months. On one hand this is worrying because our language has encouraged us to focus our attention on only one part of the process. It enables the already prevalent, ‘IT deals with security’ mindset, we have discussed in previous posts.  But in enabling this narrowed view, we are creating a vulnerability and ignoring the opportunities we will have had along the route of this breach to have halted it before anyone even logged on to anything.

A comprehensive program of Security Awareness training in-built into everyone’s role and that training being regular and refreshed, is one helping hand in preventing the attack reaching the actual hack stage. Simple things like ensuring everyone knows not to click on uninvited or suspicious looking links in emails for instance. Being aware of unfamiliar faces  in a building, regardless of whether they are wearing a high vis jacket or lab coat for instance. Social engineers love to hide in plain sight.

So use of language has ruled out these elements being considered by all staff members, they hear the words ‘cyber’ and ‘hack’ and think it is IT’s responsibility and then carry on as normal. There are many points at which the hack could have been prevented by basic security hygiene or good practice.

It underlines to us that threat to our businesses and infrastructure are holistic and so should the response to that threat be. Yes, there is a threat from the faceless hacker, the determined and well funded professional as well as the random and opportunistic ‘back-bedroom warrior’. But many businesses and organisations are facing a people based threat first.  An old vulnerability being enabled in a new way – language.

Advent IM Cyber Threat and security consultants

Advent IM Security Cyber Security experts

Advent IM cyber security experts

Advent IM Security joins the Government’s Procurement Framework -G-Cloud.

Advent IM Supplier to Government, G-Cloud
Advent IM – now available to procure directly via G-Cloud

Advent IM Ltd is pleased to announce its inclusion on the Government’s Cloud Store – G-Cloud. This is the newest Government Procurement Framework and gives the public sector access to highly discounted and exclusive Government framework pricing. This means confident procurement and avoids the need for expensive tendering, whilst offering reassurance that procurement rules and guidelines are being met.   It also offers the private sector an easier route to work with public bodies.

 Advent IM has a lengthy track record as a Security Consultancy for public bodies and Her Majesty’s Government.  The Advent IM Catalogue on G-cloud shows the full range of services available to both public and private sector organisations. G-Cloud is designed to make it easier and faster for those public bodies and departments to procure directly and that now includes expert Security Consultancy from the team of specialists at Advent IM. No longer having to face the convolutions and cost that the tender process can sometimes entail.

Advent IM consultants also work closely and very successfully with the private sector. This framework is a vehicle for the private sector to work with HMG more easily, especially small businesses for which the process of tendering may have been prohibitive.  The incentive for the private sector is clear; however there will be certain standards of security practice that will be expected of them and their systems, in order to be accepted onto the G-Cloud.  Advent IM can offer expert assistance and support to those private sector businesses seeking entry onto this framework, whether that be training, accreditation, Cyber Security and Information Assurance or a host of other areas that need to be considered for G-Cloud.

 “We are delighted to have been selected as a G-Cloud supplier. Although we have had an excellent relationship with the public sector over many years, this marks the start of a direct procurement communications path between Advent IM and potential new clients. It opens doors that were previously not available to us and we look forward to the framework fulfilling its promise of quicker and smoother purchasing processes for public bodies. We also relish the opportunity to help more organisations become G-Cloud suppliers themselves by sharpening their security practices and gaining access to public sector work they were previously unable to tender for.” – Julia McCarron, Advent IM Operations Director

www.advent-im.co.uk-G_Cloud.aspx 

If you are a public body and are interested in procuring security consultancy direct, you can search us here.

http://govstore.service.gov.uk/cloudstore/search/?q=advent+im

Guest post from Darlingtons Solicitors: Holistic and practical approach to business risks is best

We would like to thank Darlingtons for this guest post on a business imperative.  Its always reassuring to have a legal perspective on Security.

“As a law firm offering specialist advice in areas including employment law and fraud, at Darlingtons Solicitors, we see on a day to day basis the impact of legal and security threats which turn into issues causing at best, significant damage, in financial and other terms to a business, and at worst, which can literally put a business out of business.

In our experience, all clients, big or small, do have a sense of threats to their businesses, internal and external, but many tend to somehow try and put these to the back of their mind, and this ties in with the general problem both legal and security professionals face – we are not selling something which clients see as a clear benefit to their business.

Benefit has a traditional sense of a positive outcome, generally financial, and in that sense, preventing damage does not fit with the traditional sense of the word. However, when thinking of bottom line figures, preventing or mitigating losses does have a real impact on any business.

Failing to advise is failing a client

Accepting as a starting point that pushing an argument, however correct, too hard on the lines of “failing to plan is planning to fail” will be unlikely to result in a client handing over a blank cheque to either lawyers or security consultants, what perhaps differentiates the better companies is an ability to understand proportionate threats, limited budgets and to provide advice to clients tailored for that client and based on experience.

Take data protection as an example. Most businesses know that there are laws about data protection, most also understand that their business data, client lists, product information, suppliers and other data are a critical part of their business, but a smaller business with a limited budget may not know which are the biggest threats and what options there are which they may be able to afford to limit the potential damage that could be caused by doing nothing.

It makes sense for professionals to work together when advising clients on risk prevention, something which lawyers should frankly embrace more than most have in the past.

For example, it is all very well advising a client that they need a data protection policy, a social media policy, a contract of employment with strong restrictive covenants and so on, but ultimately, these are pieces of paper. A determined, desperate or foolhardy employee intent on stealing business or vindictive damage on an employer may not even care whether they get sued later and are quite possibly not worth suing.

However, if lawyers work closely with security professionals, the legal paperwork can more easily dovetail with practical safeguards which may prevent loss, such as IT security controls.

In turn, security professionals need to take on board legal issues, such as, for example, where a business decides to monitor it’s employees online activities. In that situation, serious legal consequences would result if the business does not advise the employees it is monitoring them, which can be criminal as well as civil.

Solution ?

In our experience and view, the best approach to legal and security threats, particularly for small businesses is to consider seriously an annual security and legal audit. Progressive law firms and security companies are now offering these at low cost or in some cases even free. A composite report, identifying threats based on risk level and potential ramifications, both legal and practical, presenting the commercial and legal argument for taking action, based on priority and cost is reasoned, proportionate method and good business sense.

For further advice or assistance on legal risks, legal problems you currently have or to discuss a legal audit, we would be happy to assist, please get in touch.” –  Darlingtons Solicitors.

And if you need support, consultation or mentoring with Data Protection or Information Security including ISO27001, contact Advent IM bestpractice@advent-im.co.uk www.advent-im.co.uk