Both legal and accountancy firms by their very nature hold confidential and sensitive information. This is often digitised for convenience, but the implications of entering this data into computer systems are not always appreciated. Last year the Information Commissioner's Office investigated 173 law firms for a range of incidents. This is a worryingly high number of firms holding sensitive information that may have inadvertently been disclosed to other parties.
Increasingly sophisticated criminals are finding that banks and the other sectors traditionally of interest to them are protecting themselves. The introduction of the Payment Card Industry Data Security Standard has made compromising credit card details increasingly difficult. This has caused organised gangs of computer criminals to look further afield, searching for other information that can be profited from. Other industries have been slow to implement information security standards, leaving themselves open to a range of cyber attacks, almost all with one aim: realising a profit for the gangs.
Whilst physical security has historically been well understood, computer security is more complex. The requirement for specialists within the IT security sector is not necessarily clear to those outside the IT department. To those inside the department, requesting specialists is often seen as an admission of failure, or as suggesting that their own skills are not sufficient. However, the IT department and the IT security function should work in synergy, with the IT security team providing an audit function that demonstrates the level of diligence applied.
In a number of recent cases where PGI Forensics has been asked to investigate cyber crimes involving businesses, it has been impossible to demonstrate that the victim performed due diligence, either to an internal standard or to the level required by an external audit. This has left the victim unable to demonstrate to their insurers that they had taken reasonable steps to prevent issues arising, making their policy void. Where two businesses are involved, the lack of demonstrable security standards on either side makes deciding which party's insurance should pay, in the event of a man-in-the-middle attack, extremely complicated.
Because of the obvious need for a basic level of cyber security assurance among government suppliers, the Cyber Essentials scheme was created. It is intended to be a low-cost, low-barrier scheme that provides an independently verified level of security. For those at low risk of cyber attack this may be sufficient, and for those with a higher risk profile it may be the first step towards a fuller, longer-term solution. In the event of a cyber attack or incident, possession of such an accreditation can be a vital factor in demonstrating due diligence.
In recent weeks a number of suspected instances of e-mail interception and "bank account detail change" scams have taken place involving solicitors. This damages the reputation of the whole profession as well as that of the individual companies involved. In at least one instance the Solicitors Regulation Authority (SRA) may become involved, and the question of whether the law firms exercised sufficient due care will inevitably be asked.
In the absence of an industry-specific information security standard, PGI feels that Cyber Essentials is a vital demonstration that a company takes information security seriously, and one that can be undertaken at a reasonable cost.