The 6 Pillars of cyber security
We’re delighted to welcome Andrew Stanton of PalisadeSECURE to the Client Communications website. Cyber security is becoming one of the most important aspects of running a law firm and who better to explain how to address this than Andrew, an expert in the field.
According to a 2017 PricewaterhouseCoopers Law Firm survey, 60% of law firms reported an information security incident in the last year, up from 42% in 2014. The financial and reputational damage of a cyber incident is significant. This makes cyber security an essential consideration for law firms.
In another recent study, just one organisation out of the top 100 law firms in the UK has “sufficient measures in place to fully protect against email fraud”.
Cyber Security in modern business has become as important as every other business function such as accounts, sales and operations. It is no longer something the IT department solely take care of. It is something that permeates throughout the organisation.
Attackers have evolved along with advances in technology through the years taking advantage of the latest tech to exploit weaknesses within IT environments. Attackers have different motivations and these motivations will dictate their target. Whether political, financial or just a newbie trying his luck, everyone is a potential target at some point.
Law firms are key targets for attackers
Law firms are seen as a particular key target for attackers because they hold sensitive client information, handle significantly large funds and are a key enabler in commercial and business transactions. The National Cyber Security Centre (NCSC) reports that over £11 million of client money was stolen due to cybercrime in 2016-17. Click here to read this report.
Protecting your business from attack is the primary focus of your Cyber Security function and there is no “one-size fits all” solution because it is not as simple as implementing a bit of technology, dusting your hands and waiting for the next time it needs to be upgraded.
The NCSC states that the most significant cyber threats that law firms face and should be aware of are:
- Data breaches
- Supply chain compromise
A good place to go for up to date information and best practice is the NCSC (which is part of GCHQ.) Their mission is to raise the cyber maturity and resilience of UK law firms.
Effective Cyber Security is a multi-layered approach
Effective Cyber Security is a multi-layered approach which touches not only technology but personnel too. Your workforce has a key role to play in protecting your business and your assets from a cyber-attack.
Following the six pillars of cyber security, you can significantly reduce your risk, demonstrate your commitment to your customers that you take cyber security seriously and that you actively protect their data from a cyber-attack.
The six pillars that we advise organisations work through are:
- Threat Defence
- Validation and remediation
- Evidencing, Auditing and Reporting
Industry standards provide a good basis and foundation for any organisation looking to implement, maintain and assure that they are mitigating cyber security risks. Aligning to a standard and implementing robust cyber security measures, significantly reduce the risk of your organisation being compromised and just as importantly, ensuring your business and customer data is safe.
An added advantage of aligning to a standard is the ability to demonstrate your commitment to protecting your organisations and your customers data. This is important because in the event of a breach happening, you need to demonstrate that you took appropriate steps to protect your organisation. This will help when you are being observed by regulators and will help to keep fines to a minimum.
Different industries will have and maintain different standards, from Health to Financial you should look to see what standards you currently maintain, to see if there is an element of cyber security within them.
A few standards to consider:
ISO27001 is an information security standard, part of the ISO/IEC 27000 family of standards. Achieving ISO27001 demonstrates that your organisation is following information security best practice whilst also providing independent, expert verification that information security is is managed in line with international best practice.
Cyber Essentials is a UK Government scheme that helps SMEs guard against the most common cyber threats and demonstrates your commitment to cyber security. By following and achieving Cyber Essentials your organisation will significantly reduce the risk of being breached by a cyber-attack as well as demonstrate your commitment to keeping your systems and data safe.
In 2016 there was a data breach reported to have been the largest data breach ever recorded – a total of 2.6TB. The company was Mossak Fonseca and the hack became known as the Panama Papers hack. The beach was so significant that the law firm could not recover and had to close. The breach occurred because the company had not updated its portal since 2013. The portal contained several security weaknesses. If the company had followed processes laid out by Cyber Essentials, the breach would never had happened.
If you are an operator of essential services (OES) you may fall under the NIS Directive. The NIS Directive is an EU Directive on the security of Networks and Information Systems. Network and Information Systems and the essential services they support, play a vital role in society. The NIS Directive is aimed at providing a security framework to essential services, from ensuring the supply of electricity and water, to the provision of healthcare and passenger and freight transport. The NIS directive identifies operators of essential services “OES” which has to take appropriate and proportionate security measures to manage risks to their network and information systems.
It is said that there are two types of companies – those that have been breached and those that have been breached but do not know it yet.
How can you mitigate against a cyber-attack if you are not equipped with the tools and strategies to defend your organisation? Threat defence can be as simple as assuring your IT Security Strategy is robust and that users are forced into good habits when it comes to security, such as password hardening and user education.
Areas of threat defence that should be considered are pre-emptive as well as proactive intelligence, such as dark web threat intelligence. These are some of the threat defence areas that are worth considering:
- Password Hardening
- Implementing and penetration testing robust firewalls
- Implementing and updating robust Antivirus & Anti Malware
- Secure, encrypted email communication & encrypted file transfer
- Storage encryption
- Cyber Threat Intelligence – Dark Web
- Regular software and hardware security patching
It is reported that over one million leaked and hacked credentials from the UK’s top 500 law firms have been found on the Dark Web, leaving firms vulnerable to phishing campaigns and significant data theft. Carrying out regular Dark Web scans will ensure visibility over compromised credentials circulating the Dark Web.
Every member of your organisation has a part to play in mitigating the risks of a cyber-attack. The users of technology should be sufficiently trained and made aware of the risks and challenges they may face while going about their day to day tasks.
For example, phishing presents a significant risk to an organisation and users of your system are the key target for a phishing attack. Recognising a phishing attempt and dealing with it appropriately is your main line of defence. Technology can block a significant number of phishing attempts, but when the odd one makes it through, you need your users to be equipped with enough information to recognise an attempt and to deal with it.
Do not be complacent, attackers have mastered the art of running complex, targeted phishing campaigns. Phishing campaigns can be highly individualised, by-passing technology that has been implemented to prevent an attack getting through.
Most information security strategies will include an annual training plan, but you may also want to consider regular training sessions and ways to communicate and test your strategy. Poster campaigns for example can be a quick and easy way to get a simple message around the workforce.
Validation and remediation
Implementing robust cyber security controls is a critical component to managing cyber security in any organisation, but how do you assure that what has been implemented is working or that it has not been “worked around” and ultimately created another risk elsewhere or maybe someone has installed or updated some software that has ‘opened up’ a vulnerability.
Validating cyber security is critical to ensuring that controls are working and that there are no “holes” in your defence. Using AI technology can significantly increase your ability to spot weaknesses and implement effective solutions to close the gap. For example, 24×7 penetration testing allows continuous monitoring of your network and immediately demonstrates where risks are within your environment allowing you an opportunity to plug them before the weakness is exploited.
Validating that your employees are using strong passwords & following your standards is vital to a strong defence, a strong policy can be easily undermined by employees using easy to guess or dictionary-based passwords.
Regular vulnerability scanning can be performed to also detect weaknesses across the organisations environment, which allows for quick remediation and tightening of systems.
Spotting and fixing security holes in your environment takes up a lot of time which is why it tends to be put to the back of the queue when considering technology changes, however, it is critical to remediate issues as soon as possible. Implementing tools such as pen testing & simple to view security dashboards allows you to prioritise remediation by understanding critical attack paths and the points in the environment that need immediate attention.
In the very worst case, ensuring that backup and recovery is a central part of the cyber security strategy will help to reduce the overall impact of an attack. Backup and recovery needs to include both data as well as systems. Testing and timing procedures will give your organisation an overall understanding of the impact of a crippling system or data breach.
Evidencing, Auditing and Reporting
So, you have worked hard at implementing controls, technology and you have educated your users. How do you evidence this and how is this presented to the board of directors within your organisation? What happens when a breach is detected, particularly if the breach looks to have occurred months or years ago?
Auditing is critical when considering incident management and assuring cyber security controls are in place and working when communicating to the board.
Having a holistic view of logs and information will help you act quickly when an incident occurs or a threat rears its head. For example, when WannaCry became visible were you in a position to understand the impact on your environment and how quickly you could remediate the threat?
Directors are not going to want to sift through reams of log files and pdf reports – assuring your cyber security efforts is a key part of an organisation’s cyber security activity. Therefore, implementing online compliance, reporting capability and understanding what and how to evidence controls and incidents to external bodies needs to be considered up front. Addressing these 6 pillars are key to being able to deliver a sustainable Cyber Security strategy.