I recently read an interesting article by Catherine Baksi in Raconteur, 26th November 2015, Combating the cyber thieves who hack lawyers, which reported on the problem of law firms being targeted by cyber criminals. Attacks that result in costly and damaging confidentiality breaches.
Of course, law firms are not unique in these attacks, as we know from other high profile cases recently in the media. But, what makes them rich pickings for the unscrupulous hackers and hoaxers is the amount of personal information they hold about their clients.
Back in November, BBC Panorama reported on fraud resulting from email interceptions between solicitors and clients during property transactions. As if buying a house wasn’t stressful enough, there is now the threat of purchase funds disappearing into the ether.The risks are coming in thick and fast from many areas and nearly all the law sites I have visited recently display an alert to customers on the possibility of scam emails circulating.
But it isn’t just emails that law firms need to worry about. There is the growing use of mobile technology, employee awareness, disgruntled employees and even, according to the article, industrial sabotage. All seen as potential risk areas.
It’s a big threat to law firms. In the article, Steve Wilmott, director of intelligence and investigations at the Solicitors Regulation Authority (SRA), reveals cyber criminals have caused substantial losses to 50 law firms this year, ranging from £50,000 to £2 million, and a further 20 firms had fallen victim to e-mail redirection scams, involving very substantial amounts of money.
“So, how can firms minimise their exposure to risk and satisfy clients their data is in safe hands?” Baksi asks. The answers lie, as for any industry, in cyber security awareness and information security management. The article offers valuable advice on understanding the level of risk, putting in place a mitigation strategy, maintaining cyber security awareness among staff, regularly patching IT vulnerabilities and carrying out penetration testing to monitor the security of their IT networks. All routine hygiene matters for any business one would hope. It goes on to say, all these should be backed up by a plan to deal with incidents and a business continuity plan to minimise the impact should the worst happen.
Whilst this is all sound advice does it actually satisfy clients that their data is safe? How do we, as customers, know that our solicitors have systems in place to adequately address risk?
All the advice offered in the article, and much more, is covered by the ISO 27001: 2013 information security quality standard. Furthermore, the standard offers not just a structure to ensure information security has been thoroughly considered but that it continues to be considered and placed at the core of all relevant business activities and decisions. By introducing regular board reviews, and internal and external audits, there is the reassurance that risks and incidents are being monitored and that continuous learning takes place around the corrective actions identified. Surely such certification goes a long way to gaining client trust?
I have spoken to many law firms recently about how they manage their information security management system (ISMS) and I am happy to report that the majority either hold ISO 27001: 2013 accreditation or are considering embarking on it. However, there are many that still dismiss it as an unnecessary expense and too big a commitment, in terms of both both time and money, that they can ill afford. This, of course, doesn’t mean they don’t have an ISMS in place but, as potential clients, how can we be sure? Without the satisfying ISO 27001 stamp of approval that is so hard earned, what evidence is there that a law firm is committed to protecting client confidentiality, not just in the light of high-profile breaches, but continuously, consistently and satisfactorily?
So, is time and cost a big consideration? The certification itself is relative to the number of employees and for even a small law firm is more than affordable. For example, for 50-99 staff, it is estimated at just under £5,000, depending on your chosen certification body. In addition, there will be ongoing external audit costs and, more than likely, consultants to guide you through the process. But it appears that one of the biggest concerns for most businesses continues to be the time and resource needed to both implement and maintain the standard. This, until recently, has been an understandable objection. Even firms holding ISO 27001 certification continue to manage it through relatively manual processes involving vast amounts of Word & Excel documents shared, on a ‘need to know basis’, with staff through a company intranet.
Policy updates continue to be batted around by email between decision makers and ‘approvers’ or, worse still, involve those all too time consuming meetings! And, of course, there are the management reviews and audits… more time!
But, for those considering ISO 27001: 2013 accreditation, the good news is, there is now a comprehensive cloud software solution that will support a speedy, efficient and cost-effective route to certification. Fast because it includes preconfigured tools, frameworks, and relevant policies, already proven to succeed and guaranteed to impress an external auditor. Efficient because it provides one secure, always available, online home for all relevant documentation and communication. This reduces the need for complicated version controls, approval processes and also cuts down on duplication by simple document linking. It also has impressive modules for staff communications and learning plus full ‘in-life’ HR processes. And it will dramatically cut down your management time in implementation, reduce consultancy hours and leave you more time to focus on the very real and ongoing threats to security. It’s a win win win.
And for those already with the standard but struggling to manage that and maybe other, multiple standards, the benefits are similar. Because ISMS.online is modular, those with existing tools for functions such as risk management can continue until they are ready to make the change to something better.
Interestingly, The Raconteur followed their article with a second article Technology will be the new disruptor in legal services. It certainly seems so and, with law firms looking to technology for solutions to their needs, it would seem natural to look to products that can support increased efficiencies and improve information security management.
If you would like to learn more about ISMS.online as an accredited cloud software solution, visit www.isms.online or call us on 01273 704 500.