Phil Limb and Marianne McWilliams from Miller’s Solicitors team recently spent time with Nic Miller of Aedile Consulting to discuss the cyber threat landscape for law firms. In the final of our four-part series, Nic shares his top three tips on what firms can do in advance to protect themselves.

1. Don’t treat this as just an IT problem.

You have to make sure that as a business owner, you understand and own these risks. If you try to take a technology-led view and leave it to your IT team or your outsourced IT company, you will fundamentally only look at technical controls. For the case of financial transfers being redirected, the majority of your actual resilience comes from the process by which you verify and approve payments. Nothing to do with technology at all.

A business-wide response to a cyber-attack is paramount. You must truly think about what could go wrong and what processes need to be in place to both prevent and respond.

2. There are some basic controls that every firm should have in place.

Multi-factor authentication should be in place on all your internet logins: email, CRM, remote logins to your systems, etc. But there is also a place for something like Cyber Essentials, which is not perfect, but can help you to define a core set of technical controls that should be implemented, managed and applied universally. If they are disruptive, and people request special privileges to bypass them, there are normally ways to improve them rather than granting potentially risky alternatives.

3. Testing.

The final piece is around testing. If you spoke to firms the day before they were attacked, I suspect most would have said that they believed their cyber risk was well managed through technical controls and completed risk assessments and audits. However, what they've never done is a technical audit, like a security or penetration (pen) test.

This involves having a third party come in to review your technical and systems configurations and find any gaps. This will help uncover any potential exposures, such as an obsolete system that’s never been deactivated and is still accessible. Things like that can be easily missed by an audit, but they are the exact sort of things attackers will look for to provide routes in.

Technical testing is your way of saying: we understand the risk, we’ve got a suite of technical controls in place to help us manage that risk, and we’ve tested them so we know they are implemented appropriately and are working.

Finding the right pen testing company for your firm is important. Personally, I'd want to work with a company that starts with a conversation about what you are looking to learn from the test and then guides you through the various options and outputs. There are lots of different types of pen tests available, so finding the right match will make all the difference.

If you have the budget, and these do get a bit more expensive, there is a professional association called CREST whose registered penetration testers are accredited to a higher standard. That's normally a good starting place.

Cost is always a big concern and ultimately, to some extent, it's a "how long is a piece of string" scenario. The more you test, the more issues you will find to fix; but even for small clients, I’d typically expect it to be a three-to-five-day exercise to review your Microsoft Cloud services, your end user devices, etc. For big clients it may be a lot more, but ultimately, if it's a five-day test at perhaps £850 a day, it’s not the biggest of expenses given the type of risks we’re talking about.

You can even start with basic tests and negotiate with your testing company based on what they can test in an allocated number of days. They should be able to justify why they need the time they need, and you can then decide whether it feels reasonable and proportionate.

Also understand that a good security tester will never come back with nothing to report. That's not the goal here. It's to understand: is your IT company doing a good job, or are there significant risks that aren’t visible to you? There will always be some low and medium points to address, and that’s a positive, not a black mark against the firm. Lastly, most testing companies, whilst they have to report everything they find, can give you that opinion in the form of an executive summary to say the overall security of the network is good, medium, poor, etc.

If you have any further questions about anything discussed in this article, or wish to discuss your cyber insurance arrangements, please email solicitors@miller-insurance.com or contact any of the team below.
