Essential security by Doug Hargrove, Advanced Legal
This article was also featured as a column in the June 2016 issue of LPM. To read the issue in full, download LPM.
Cybersecurity, hacking and data theft are all hot topics at the moment, but while we all feel we should be doing something about them, there is a fair proportion of the market that either hasn’t the resources or simply doesn’t know where to start. The government has recognised that this is a very real issue, and that for many businesses managing security in a digital world is not only challenging but overwhelming – especially to the uninitiated.
In 2014, the government announced its ‘cyber essentials’ scheme and the more advanced ‘cyber essentials plus’ scheme (CE and CE+), designed to help businesses protect themselves against common cyberattacks.
Essentially, the scheme provides guidance on the basic controls organisations should have in place to protect themselves against common internet-based threats. It also provides a structure to allow organisations to prove to their suppliers, clients and insurers that they’ve taken the essential precautions against cyberattack.
Since its inception, the scheme has been adopted by insurers and auditors as a guide when assessing risk. It is closely aligned to the ‘10 steps to cybersecurity’ – a list of recommendations published by the government to help reduce an organisation’s vulnerability to IT attack – and the government now expects any organisation that deals with it digitally, or handles personal information on its behalf, to be certified against the scheme.
What does this mean for law firms? Well, if you (and by extension the firms you use to supply your IT infrastructure) are not CE and CE+ compliant, you may not be able to deal with the CPS and the MoJ in the future. If the UK government legislates on this scheme (which, considering the ever-increasing cyber threat, is a significant possibility), you definitely won’t be able to. The Cabinet Office has already mandated that suppliers hold CE and CE+ if they want to do business with any government body, local or national, and no longer sees ISO accreditation as enough.
The scheme also stipulates repeat checking of systems for compliance – it’s not a ‘one-shot deal’. A yearly check is recommended, because a cybersecurity system is only as good as the last attack it blocked.
Of course, the scheme is not designed to be a barrier to business – it’s there to assist and provide structure. After all, it’s good practice to follow basic principles. And as a minimum adhering to the scheme will mean you’re less likely to be the victim of a cyberattack or suffer a loss of client data.
We recommend to our clients that they speak to their IT team and/or suppliers to understand how they can address this. When doing so, we also suggest a review of data access points, such as any software or website that has a connection to the internet or uses a web browser as an interface. Penetration testing (the process by which websites and software are tested for exploitable vulnerabilities) can quickly help to identify any chinks in your IT system armour.
There is no panacea for cybersecurity. The digital threat landscape is constantly evolving, and establishing good security requires vigilance, constant education of users, closing down the sources of information to potential hackers, and frequent auditing and testing of the solutions that are in place. Simple steps like following the government’s CE scheme can help to fight cybercrime immensely – but above all, we have to remember that it’s a constant process and not something that should be treated as a one-off activity.