The scale of the cyber threat to business is startling. Ken McCallum explains what law firms must do to manage the risks.
Every week you can find media stories about cyber threats and the consequences for businesses which have been cyber-attacked. Some of the world’s biggest companies have reportedly been attacked in recent years. And yet we know that these stories represent just a fraction of the cyber-attacks taking place.
The scale of the cyber threat to business is startling. In April, the Department for Business, Innovation and Skills released its annual Information Security Breaches Survey. This showed that security breaches have reached extremely high levels – 93% of larger businesses suffered a security breach in the last year. With 87% of small businesses suffering a security breach – a jump from 76% in 2012, and the highest figure ever recorded – cyber security is no longer just an issue for larger businesses. Both external attacks and insider threats are significant. Well over half of all businesses were both attacked by an unauthorised outsider in the last year and had staff-related security breaches.
What does this lead to? There are direct costs, arising from system downtime and money spent dealing with incidents. These can be significant. But indirect costs tend to be larger, such as those arising from reputational damage if clients, customers or the media are informed of the breach. These could be even greater than the direct costs. It is difficult to put a reliable estimate on the cost to business of cyber-attacks, but we know that it is billions of pounds a year. A growing proportion of companies are reporting incidents which have had a financial or disruptive impact. Our survey found that the average cost to a small business of its worst security breach of the year was between £35,000-£65,000, and for large businesses this was between £450,000-£850,000. Clearly, these are losses that companies can ill afford. And it is worth bearing in mind that in June last year, the director general of MI5 highlighted the case of a major London-listed company that estimated it had lost £800m in revenue as a result of cyber-attack.
As businesses and government move more of their operations online, and our networks and systems become more interconnected, the scope of potential targets will continue to grow. In terms of who is at risk, the cyber threat is now far wider than government and the traditional parts of the critical national infrastructure. Companies in a wide range of sectors, especially those which are high-tech and have valuable intellectual property, are being targeted by criminals.
Law firms are attractive targets for cyber criminals. They hold business-critical information on client companies, from the biggest and most cutting-edge corporates to niche organisations with valuable intellectual property. Law firms often use open IT systems to facilitate remote working and encourage flexible movement of staff – undoubtedly serving business needs, but also increasing vulnerability to a breach or an attack. Business-critical information about a company being targeted by criminals may therefore be easier to access from the networks of its law firm than from the target company’s own systems, and in this way a law firm could be used as a stepping stone to attack the actual target. We know, for example, that law firms have been targeted during clients’ takeover bids.
This is a risk because, as we all know, however large or small, a law firm’s business and prosperity relies on its reputation. This can also present an opportunity. It is to your commercial advantage if your firm is prepared to be – and seen to be – on the front foot and working on cyber security, and prepared to protect clients’ information as well as your own.
What should a law firm do to manage the threat?
Different parts of industry – including the Law Society – are collaborating with government to identify a preferred organisational standard for cyber security, which if implemented properly and proportionately in their own business will help them to manage their cyber risk.
The Government Communications Headquarters (GCHQ), which has a uniquely in-depth perspective on this issue, advised that basic information risk management could stop up to 80% of the cyber-attacks seen today. The government’s 10 Steps to Cyber Security guidance provides a comprehensive framework for taking action, making clear that this is an effort that should be led by the board or company management. You can implement these steps at a level that is appropriate for your firm, and advise your clients to do likewise. Alternatively, if you work with smaller clients whose resources to deal with this issue may be more thinly spread, the government’s Cyber security: what small businesses need to know could be a more effective tool for your clients, and enable them to familiarise themselves with how cyber risk-management can be treated like any other business management process.
Starting to think about management of your organisation’s cyber risks can be as simple as answering the following key questions:
- Have you identified your organisation’s key information assets? These assets could be financial details, client lists, business plans and processes. They could be held on your equipment and servers or remotely in the cloud.
- Have you considered the impact on your organisation if critical information were compromised or your online services disrupted? These could be financial losses and costs, as well as loss of business and reputation.
- Have you identified the threats to these information assets? You could be at risk from adversaries out to steal from you or your clients. Business competitors could be looking to gain an economic advantage by finding out information about your clients. And current or former employees, and any third parties you do business with, could compromise your information by accident or with malicious intent.
- How could you manage the risk? The 10 steps below tell you how. Bear in mind that, should you outsource any of these functions to third parties, for example hosted cloud services, you should check that these third parties are taking these steps, and therefore how they are protecting your information.
1. Information risk management regime
Risk is an inherent part of doing business, and can be managed proportionately and appropriately. Organisations should apply the same degree of rigour to assessing the risks to their information assets as they would to legal, regulatory, financial or operational risks. An information risk management regime should be embedded across the organisation, actively supported by senior management and communicated to staff.
2. Secure configuration
Establishing and actively maintaining the secure configuration of IT systems is a key security control. By putting in place policies and processes to develop secure standard builds of equipment and manage the ongoing functionality of all IT systems, organisations can greatly improve their security. IT systems that are not locked down or patched will be particularly vulnerable to an easily preventable attack. Unnecessary functionality should be removed or disabled, and IT systems should be patched against known vulnerabilities.
3. Network security
Your organisation’s networks need to be protected against internal and external threats, policing both the network perimeter and protecting your internal network. The degree of protection you apply will be governed by the assessment of risk, your organisation’s appetite to take on risk and the security policies in place. Managing the risk can include installing firewalls and preventing direct connections between internal systems and untrusted external networks.
4. Managing user privileges
It is good practice for firms, no matter how many staff they employ, to manage the access privileges users have to IT systems and the information held. A failure to manage privileges appropriately, including when staff join and leave, may result in an increase in the number of accidental and deliberate attacks. Therefore it is good practice for all users to be given only the access they need to do their job.
5. User education and awareness
Because many attacks are perpetrated through an organisation’s employees, it is critical for all staff to understand the risks and be aware of their personal security responsibilities. Security training and awareness can prevent attacks, increase levels of expertise and knowledge, and foster a security-conscious culture. Learning should be introduced as part of a staff induction process within an overall security policy and updated regularly. Pre-employment screening and background checks should be carried out, commensurate with the individual’s role and access to sensitive information.
6. Incident management
Security incidents are inevitable and will range in their business impact. All organisations will experience an information security incident at some point. However, preparation is invaluable. Establishing effective incident management policies and processes will help improve resilience, support business continuity, improve customer and stakeholder confidence, and reduce any financial impact. Managing the risk could include establishing an incident response and disaster recovery capability, nominating an incident response team and testing incident management plans.
7. Malware prevention
Any information exchange risks exposure to malicious code and content (malware) which could seriously damage the confidentiality, integrity and availability of an organisation’s IT. Malware infections can be transmitted through email, web browsing, social media access, and use of removable media and personal devices. They can result in disruption to business services, unauthorised exports of sensitive information and financial loss. Managing the risk could involve implementing corporate policies for use of the above, establishing anti-malware defences and scanning for malware across the organisation.
Monitoring IT activity allows organisations to detect attacks and react to them appropriately, while providing a basis upon which lessons can be learned to improve the overall security of the business. Without the ability to monitor effectively, organisations will not be able to detect attacks, react to attacks or account for activity on their networks. Managing the risk could involve establishing a monitoring strategy, and monitoring relevant IT systems, network traffic and user activity.
9. Removable media controls
Using removable media to store or transfer significant amounts of personal and commercially sensitive information is an everyday business process. It is good practice to carry out a risk/benefit analysis of the use of removable media and to apply appropriate and proportionate security. This could involve limiting or preventing their use, or scanning all removable media for malware.
10. Home and mobile working
Mobile working offers great business benefits but, in extending the security boundary to the user’s location, also presents risks that are challenging to manage. Organisations should establish risk-based policies to cover all types of mobile devices and flexible working, and plan for an increase in the number of security incidents. Managing the risk could involve protecting the data at rest by minimising the amount of data stored on a mobile device to that which is needed to fulfil the business activity being delivered offsite, and in terms of protecting data in transit, protecting information exchanges using an appropriately configured virtual private network.
Ken McCallum is head of cyber security at the Department for Business, Innovation and Skills
For more information on the above steps and how to implement them within your organisation
For small business guidance