With the risk of cyber-attack now the norm rather than the exception, digital security should be an integral part of Chambers operations.
In this article we look at two topics: the first is how even the simplest of steps with our own personal devices can have a big impact on cyber security, whilst the second looks at how the Government’s Cyber Essentials Scheme is starting to shape (and dictate) how Chambers and other legal services interact with it.
Security Starts at your desk
A recent survey highlighted ‘Cyber Security’ as one of the greatest concerns of businesses within the UK. Software and technology today is, in many instances, a source of competitive advantage and, at the very least, a driver of efficiency and innovation. It is also often the mechanism by which many in the legal industry share information, both among themselves and with their clients. Thus, it is fair to say that the majority of information within a modern solicitor’s firm or barristers’ chambers is held in digital form and is, therefore, a potentially lucrative target for digital criminals.
Many such criminals target these firms because they believe they will hold some extremely valuable data. The question being asked across the sector is: what can be done to reduce this threat? To answer it properly, it is first necessary to understand where the threats emanate from.
Traditionally, ‘Security’ was predicated on the notion of erecting an impenetrable exterior and only allowing known people through, an approach based on the assumption that threats were primarily external. In IT terms, this meant having a firewall to prevent unauthorised entry to the systems and protecting the systems with passwords.
In a world where sharing information is second nature to increasing numbers of people, many otherwise diligent workers can create situations where the data held by a firm is placed into less than secure environments. Research indicates that the majority of security breaches emanate from within organisations rather than from external attacks and that many of these are inadvertent rather than malevolent.
Many staff will access information from a variety of devices and a proportion of these staff will use the same passwords for their work accounts as they do for personal, less secure accounts. It is human nature to adopt repetitive simplicity when selecting passwords and it is this behaviour that creates the perfect opening for cyber criminals. The modus operandi for many cyber criminals today is the gathering and analysis of fragments of data which they can then use to launch very specific attacks.
For example, many firms will use an employee’s email address as their primary identifier for systems. Establishing a valid email address is a relatively simple task, so the cyber criminal already has half the information needed to access a system. And the password? Some of the most common passwords in use are 123456, password, qwerty and letmein.
Even where more complex passwords are used, users often make it relatively simple for cyber criminals to uncover this last line of defence by using the same password for multiple accounts, both personal and work-related, and the personal ones are often much easier to breach. Staff may send work to personal accounts to enable them to work out of the office, or carry data on portable devices which are easily lost. We have become careless in our use of technology, and this carelessness is the source of much valuable information to cyber criminals.
So is it all about the users? Absolutely not. There is still a requirement by the business to invest in proper security systems and processes, and to review where data is stored, how it is accessed and by whom.
The government is prepared…
The Government has recognised that for many businesses managing all of this is not only a challenge but, to the uninitiated, can be overwhelming: it is simply not clear where to start and what to do. In 2014 the Government announced its Cyber Essentials Scheme (and the more advanced Cyber Essentials Plus scheme), designed to help businesses protect themselves against common cyber-attacks.
The overview for the scheme is available at the link at the end of this article. Essentially the scheme provides guidance on the basic controls organisations should have in place to protect against common internet-based threats. It also provides a structure to allow organisations to prove to their suppliers, clients and insurers that they have taken the essential precautions against cyber-attack.
Cyber Essentials defines a set of controls which, when properly implemented, will provide organisations with basic protection from the most prevalent forms of threats coming from the Internet. In particular, it focuses on threats which require low levels of attacker skill, and which are widely available online.
Risk management is the fundamental starting point for organisations to take action to protect their information. However, given the nature of the threat, Government believes that action should begin with a core set of security controls which all organisations – large and small – should implement. Cyber Essentials defines what these controls are.
Extract from the Government-published Cyber Essentials guide
Since its inception the scheme has been adopted by insurers and auditors as a guide when assessing risk. Closely aligned to the “10 Steps to Cyber Security” (a list of recommendations published by the Government to help reduce an organisation’s vulnerability to IT attack), it is unsurprising that the Government now expects any organisation that deals with it digitally or handles personal information on its behalf to be certified against the scheme.
This could have big implications for Chambers:
- If you and your suppliers are not CE and CE Plus compliant you may not be able to deal with the CPS and the MOJ. If the UK Government legislates (which is a significant possibility), you definitely won’t be able to.
- It dictates an absolute obligation to ensure Chambers and all their IT suppliers comply with the scheme.
- To do business with a government body, local or national, the Cabinet Office has mandated that CE and CE Plus be held by all suppliers. ISO certification is not enough.
- The scheme stipulates repeat checking for compliance: it is not a ‘one shot deal’, and yearly re-assessment is recommended.
- If you aren’t compliant, and your competitors are, then they could take your business.
Of course, it’s good practice to follow basic principles, and as a minimum adhering to the scheme will mean you are less likely to be the victim of a cyber-attack or to suffer a loss of client data. It would be prudent to speak to your IT team or suppliers to understand how you can address this. When doing so, ensure that you also request a review of data access points, such as any software or website that connects to the internet or uses a web browser as an interface. Penetration testing (the process by which websites and software are tested for exploitable vulnerabilities) can quickly help identify any chinks in your IT system’s armour.
There is no panacea for cyber security. The threat landscape is constantly evolving, so establishing good security requires vigilance, constant education of users, closing down the sources of information available to potential hackers, and frequent auditing and testing of the solutions that are in place. Simple steps like improving password security, conducting penetration tests on your infrastructure and following the Government’s Cyber Essentials scheme help immensely in the fight against cybercrime, but above all it is a continuous process and not something that should be treated as a one-off activity.
By Brian Curtis, Advanced Business Software and Solutions Limited