Wednesday, 6 January 2016

Timothy Hill



The Law Society’s Timothy Hill wants to stop preaching to the converted. The people most keen to sign up to the conferences, lectures, seminars he organises on protecting firms from cyber-crime, are by definition usually the ones who need it least: delegates will always be those who recognise the risk already; he wants to reach those who don’t. 

Tim is the Law Society’s Technology Policy Adviser, responsible for helping to support the Society’s members tackle cyber security and cyber-crime. Solicitors, amongst other professionals, are prime targets for cyber hackers because, aside from the obvious attraction to criminals of the client monies they hold, they are repositories for clients’ intellectual property and other commercially sensitive (for which read valuable) information. Moreover, sorry to break the news guys, but law firms are often seen as the “weak link” in the information chain according to some cyber risk experts.  

We met at a Cyber Risk round table discussion hosted by Weightmans EC3 team. The event was chaired by BBC business correspondent Joe Lynam, the man who broke the story of solicitor and sole practitioner Karen Mackie’s plight at the hands of “vishing” fraudsters (she was tricked by an elaborate cyber scam into transferring some 750,000 pounds of client money to the criminals). She has since been declared bankrupt, struck off and faces losing her home. A salutary tale if ever there was one.   
“This is a massive issue for the profession. Hackers are circling law firms on a daily basis and it’s my job to make all solicitors aware, and provide them with the tools and guidance they need to protect themselves. Awareness of risk is still low. You may think this surprising, given how often cyber risk headlines legal press. But the more the topic is pushed in the media the more it can actually be counter-productive; I do think that the more scare mongering the statistics and stories, the more the reality of the risk is undermined. Yes there’s a very real threat and yes people experience losses. But it’s hard to convince people who’ve not experienced it themselves, nor witnessed anyone else’s in their own network experiencing it.”

But what should law firms do to protect themselves from this new category of threat? I was keen for Tim’s advice. “First and foremost, appoint someone with specific responsibility for cyber risk. This should be a senior person, although exactly who this is in terms of job role will of course vary from firm to firm. It could be a Managing Partner, or someone close to that level, who takes ultimate responsibility and promises oversight of the issue, but delegating to someone with greater specialist insight (and spare time).

Second, firms should have a written policy, even if just a brief one, to crystallise the thinking around these issues. I’d go so far as to say even a sole practitioner should have a policy. It’s in the writing of it, i.e identifying and articulating the issues, that firms will find the benefit. The new EU data protection regulations have just been confirmed, which will bring in a new duty around compulsory data breach notification. Drafting a policy will help firms think about what data they hold and how it moves through the firm/business. Once firms have pinned this down, it’s that much easier to think about the risks to that data, how to limit and/or manage certain risks… even accept some risks…..the point being that they would be doing this consciously.

Third, although this applies more to the larger firms, training is an important element in the mix. A good option might be to join the Cyber Security Information Sharing Partnership, a forum for government and industry to exchange information on cyber threats and vulnerabilities that was set up in 2013 by the Cabinet Office. The Law Society can sponsor firms to join. Membership is free. The Law Society has a veritable library of cyber security resources for law firms and I am keen to make sure everyone who needs to know, (not just want to know), knows they’re available. See here for a comprehensive list. Highlights include:

·        Law Society Consulting: Nick Podd, who has over 20 years experience in both physical and data security within the military, as well as in industry and The Law Society.

·         Data Protection: Advice on protecting personal data in online services: learning from the mistakes of others.

·         Encryption to Protect Data: Information Commissioner’s guidance.          


Firms would also be well advised to check out the government backed Cyber Essentials scheme, designed to guide businesses in protecting themselves against cyber threat and providing free-to-download documents that can use as guidance to implement essential security controls
Fourth, firms shouldn’t forget the human factor; the tightest, most encrypted IT routines will not help you if your cyber-criminal is actually a staff member who hasn’t been vetted properly in the recruitment process, and is now supplementing their salary by the sale of confidential data on the black market."

So if your firm has so far only half-heartedly taken on board that cyber threats are real, make it a New Year’s Resolution to dig into these resources and put some proper protections in place.

Thanks for the wake-up call Tim!    



***
Encouraging news to start the year with, that the British Government is finally going to do something about the parallel Sharia court system that undermines British women's rights to justice. Thanks to The Times' The Brief  for bringing the story to me. The Government is taking action at last because it is concerned that Sharia courts in the UK are effectively creating a parallel system of (in)justice, with women discriminated against in particular. Undercover TV documentaries have shown that some women seeking divorce from violent husbands through the Sharia courts are unaware of their legal rights to leave the marriage. They are sometimes even pressurised to attend reconciliation sessions with their violent husbands present, despite injunctions from British courts in place to protect them from violence.

Congratulations to all the investigative journalists and campaigners who worked hard to raise this issue. The Inquiry will be set up in the next weeks and months.