Last week the UK Government and The Law Society released a joint assessment of cyber threats to the uk legal sector. The report was created following a request from the legal sector to government. It forms part of the National Cyber Security Centre’s (NCSC) mission to raise the cyber maturity and resilience of organisations in the UK.
The NCSC stated that the combination of client money and sensitive information, as well as the increasing automation within the legal sector create a struggle in maintaining a secure technology environment, meaning that legal firms remain an attractive target for cyber criminals. Furthermore, the scramble to comply with GDPR as well as the 2018 Data Protection Act, has meant that the Solicitors Regulation Authority and the Information Commissioner’s Office are also taking a more active role in how the sector protects data.
The challenge of cyber threat to the legal sector
The report from the NCSC categorises the threats into four main areas:
- Phishing
- Data breaches
- Ransomware
- Supply chain compromise
Each of these threats require a separate assessment and treatment plan. Not every law firm will be exposed to the same level of risk across each of the four. However, law firms can manage the overall process through a recognised best-practice approach or ‘framework.’
The solutions to address cyber threat
The government-recommended Cyber Essentials scheme provides a solid foundation for organisations looking to grow their maturity. Paul Gribbon, Consulting Services Lead for 2|SEC Consulting states,
“The combination of technical controls within Cyber Essentials, along with a basic risk assessment framework provides a clear guide for even the most technology-phobic firms. In our view, law firms should be looking at adopting the Cyber Essentials Plus level of the scheme. The external validation and penetration testing included provides far greater assurance to the Managing Partner that the organisation is securely controlling the I.T. estate and mitigating the threats effectively.”
Where organisations have already established some controls, NCSC recommend they should be looking at a formal management system for information and cyber security, as well as leveraging at the opportunity for incorporating data governance into this. ISO 27001 (the International Standard for Information Management Systems) is well established and becoming a de facto requirement for organisations within the supply chain, with certain institutions insisting that any third-party handling personal data or financial information demonstrate compliance to this standard.
You can find further information about our cyber security frameworks and compliance services at twosecstaging2.wpengine.com. If you would like to speak to one of our consultants, please contact us at our offices on 020 7877 0060.