privileged information, which is likely to be of great interest to many parties, but also because of their interconnected nature with other high-profile targets. Termed “lateral movement”, the basic tactic is to compromise one legal firm in order to compromise one or more of that firm’s clients.

What can legal firms do to manage their cyber risk? One of the established axioms of security is that if a system is 100% secure, then it is 100% unusable. Any usable system has to carry some risk of cyber compromise, and modern cyber security is about balancing that risk against usability. For a law firm, it comes down to two things:

1. Taking appropriate measures to prevent an incident
2. Putting in place contingency arrangements to appropriately manage an incident

Prevent …

Clearly the best cyber incident is one that never happens. Investing in preventative measures is one way to ensure that cyber risk is appropriately managed. Putting this into practice is driven by a strategic approach to cyber security combined with operational budget allocation.

An important first step is to understand what information you hold and which of it is most valuable to you. This could be privileged client information or key information about your business. There is no objective standard for what is valuable; every organisation needs to understand the information it holds. The next step is to apply the relevant controls to protect that valuable data and the systems that hold it. These controls range across multiple sub-disciplines such as cyber threat intelligence, network security, patching strategy and security operations centres, to name but a few.

Respond …

However, even with the best preventive measures in place, it is a case of when – not if – a modern business will be hit by a cyber incident, and it is important to be prepared when this happens. Of the 46% of businesses that experienced a breach in the last 12 months, only 68% of them had a response plan in place.

For some of these organisations, plans were purely technical in nature, with less consideration given to other crucial components of a response, such as media and employee communication. Clearly, there is a necessity for a cyber incident response plan that is realistic, wide-ranging, and well-rehearsed. This is the difference between a swift response that keeps critical business processes running and facing significant downtime, losing customers and suffering reputational damage.

Developing such a plan is no small task. Many first-time planners instinctively feel that cyber response planning is purely an information technology problem. This is not the case: while the problem is part technical, if an attack occurs, it will not be the IT department that has to answer your clients’ questions. A good cyber incident response plan should not only consider technical remediation but also capture how to mitigate the immediate threat to business operations. Who will speak to regulators? What is the communications plan for managing clients’ questions? It should also be clear about who is responsible for what during an incident, and what decision-making authority has been delegated to them to take action to mitigate it. The plan should also be specific about the skill sets needed to action it. For some organisations, employing people with all the technical specialties needed to respond might not be cost effective, so these skill sets will need to be brought in for the incident.

Most importantly, the plan needs to be lived. It must be regularly rehearsed via exercises to ensure everyone knows their part and that its assumptions are correct. Such exercises can be as simple as a round table where key stakeholders talk through a scenario, or very complex events with multimedia and technical injects to drive the exercise. Other than dealing with an actual incident, an exercise is the only way to validate the effectiveness of the plan.

In conclusion …

Now is the time to act to protect your firm’s systems and data and put a solid incident response plan in place. As cyber criminals adopt increasingly sophisticated tactics, these measures could be the difference between a quick and effective response and a damaged reputation, lost customers, a hefty GDPR fine, or worse – such significant disruption that your firm is unable to recover.
Craig Hickmott
Manager, Cyber Incident Response, Deloitte

Craig Hickmott is a manager with Deloitte’s Cyber Incident Response team, which advises clients on how to respond to cyber incidents and offers live response services to afflicted organisations. Prior to joining Deloitte, Craig was an Officer in the Royal Signals, managing communications systems at various government classifications.

1. NCSC Cyber Security Breaches Survey 2020 – www.gov.uk/government/statistics/cyber-security-breaches-survey-2020
2. www.forbes.com/sites/leemathews/2020/01/26/average-cost-to-recover-from-ransomware-skyrockets-to-over-84000/#1d4b585913a2
Cybercare

Cybercare has focused on victims of cyber abuse and intends to extend its support through its charitable structure. Interest from lawyers in preparing documentation to register with the Charity Commission, on a pro bono basis, is welcome. There are also roles available as trustee. For more information please contact Maureen@cybercare.org.uk or visit www.cybercare.org.uk

CENTRAL LONDON LAWYER | 21