The Law Society’s Timothy Hill wants to stop preaching to the converted. The people most keen to sign up to the conferences, lectures and seminars he organises on protecting firms from cyber-crime are, by definition, usually the ones who need it least: delegates will always be those who recognise the risk already; he wants to reach those who don’t.
Tim is the Law Society’s Technology Policy Adviser, responsible
for helping the Society’s members tackle cyber security and cyber-crime.
Solicitors, amongst other professionals, are prime targets for cyber hackers
because, aside from the obvious attraction to criminals of the client monies
they hold, they are repositories for clients’ intellectual property and other
commercially sensitive (for which read valuable) information. Moreover, sorry
to break the news guys, but law firms are often seen as the “weak link” in the
information chain according to some cyber risk experts.
We met at a Cyber Risk round table discussion hosted by Weightmans EC3 team. The event was chaired by BBC business correspondent Joe Lynam, the man who broke the story of solicitor and sole practitioner Karen Mackie’s plight at the hands of “vishing” fraudsters (she was tricked by an
elaborate cyber scam into transferring some 750,000 pounds of client money to the
criminals). She has since been declared bankrupt, struck off and faces losing
her home. A salutary tale if ever there was one.
“This is a massive issue for the profession. Hackers are
circling law firms on a daily basis and it’s my job to make all solicitors
aware, and provide them with the tools and guidance they need to protect
themselves. Awareness of risk is still low. You may think this surprising,
given how often cyber risk headlines the legal press. But the more the topic is
pushed in the media the more it can actually be counter-productive; I do think
that the more scaremongering the statistics and stories, the more the reality
of the risk is undermined. Yes there’s a very real threat and yes people
experience losses. But it’s hard to convince people who’ve not experienced it
themselves, nor witnessed anyone else’s in their own network experiencing it.”
But what should law firms do to protect themselves from this
new category of threat? I was keen for Tim’s advice. “First and foremost,
appoint someone with specific responsibility for cyber risk. This should be a
senior person, although exactly who this is in terms of job role will of
course vary from firm to firm. It could be a Managing Partner, or someone close
to that level, who takes ultimate responsibility and promises oversight of the
issue, but delegating to someone with greater specialist insight (and spare
time).
Second, firms should have a written policy, even if just a
brief one, to crystallise the thinking around these issues. I’d go so far as to
say even a sole practitioner should have a policy. It’s in the writing of it,
i.e. identifying and articulating the issues, that firms will find the benefit.
The new EU data protection regulations have just been confirmed, which will
bring in a new duty around compulsory data breach notification. Drafting a
policy will help firms think about what data they hold and how it moves through
the firm/business. Once firms have pinned this down, it’s that much easier to
think about the risks to that data, how to limit and/or manage certain risks...
even accept some risks... the point being that they would be doing this
consciously.
Third, although this applies more to the larger firms,
training is an important element in the mix. A good option might be to join the
Cyber Security Information Sharing Partnership, a forum for government and
industry to exchange information on cyber threats and vulnerabilities that was
set up in 2013 by the Cabinet Office. The Law Society can sponsor firms to join. Membership is free. The Law Society has a veritable library of cyber
security resources for law firms and I am keen to make sure everyone who needs
to know (not just wants to know) knows they’re available. See here for a comprehensive list. Highlights include:
· Law Society Consulting: Nick Podd, who has over 20 years’ experience in both physical and data security within the military, as well as in industry and The Law Society.
· Data Protection: Advice on protecting personal data in online services: learning from the mistakes of others.
· Encryption to Protect Data: Information Commissioner’s guidance.
Firms would also be well advised to check out the government-backed
Cyber Essentials scheme, designed to guide businesses in protecting
themselves against cyber threat and providing free-to-download documents that
firms can use as guidance to implement essential security controls.
Fourth, firms shouldn’t forget the human factor; the
tightest, most encrypted IT routines will not help you if your cyber-criminal
is actually a staff member who hasn’t been vetted properly in the recruitment
process, and is now supplementing their salary by the sale of confidential data
on the black market.”
So if your firm has so far only half-heartedly taken on
board that cyber threats are real, make it a New Year’s Resolution to dig into
these resources and put some proper protections in place.
Thanks for the wake-up call Tim!
***
Congratulations
to all the investigative journalists and campaigners who worked hard to raise
this issue. The Inquiry will be set up in the next weeks and months.
Encouraging
news to start the year with, that the British Government is finally going to do
something about the parallel Sharia court system that undermines British
women's rights to justice. Thanks to The Times' The Brief for bringing
the story to me. The Government is taking action at last because it is
concerned that Sharia courts in the UK are effectively creating a parallel
system of (in)justice, with women discriminated against in particular.
Undercover TV documentaries have shown that some women seeking divorce from
violent husbands through the Sharia courts are unaware of their legal rights to leave
the marriage. They are sometimes even pressurised to attend reconciliation
sessions with their violent husbands present, despite injunctions from
British courts in place to protect them from violence.