Cyber assurance planning
Rather than uninspiring training sessions, Alex Loquens advises firms to come up with an interactive cyber plan that will respond to threats and engage staff
The myriad cyber threats facing all organisations, including law firms, is astonishing, and unfortunately no IT solution will safeguard against each and every one of them.
The age-old approach of train and train again often leaves staff cold. IT managers and directors shout from the rooftops about the same old material, but too often fall into the trap of repeating the usual IT inductions with the same PowerPoint slide deck, which is unengaging and monotonous.
A potentially better approach lies in an interactive and engaging cyber training plan for users.
This approach should dovetail into the regular, day-to-day working practices and IT processes already in existence within the firm. Remember that a clued-up workforce, attuned to the threats it faces daily, is the firm's greatest IT security asset.
The key lies in educating staff members to know exactly what can be treated as legitimate content and what is bogus and should be reported to the IT team, supported by a robust incident management process. This does eat into valuable fee-earning time, so it is important to devise a cyber plan that is agile and flexible enough to respond to the ever-changing threats we as custodians of the IT systems face, and that educates, engages and resonates with all staff.
The cyber plan in my view should comprise the following components:
Perimeter security, for example firewalls and routers; ensure you are using current and supported technology;
Have a patch management policy in place and ensure it is rigorously adhered to; the policy should cover firmware and application patching, not just conventional security patching;
Train your IT team to ensure they know how to recognise and act upon intercepted threats;
Implement a threat detection system (intrusion prevention or detection software); my advice is to outsource this activity to a security provider rather than asking your IT team to manage security end to end. Remember an attack can happen at 7pm on a Friday evening, so potentially your IT team won't act on it until 9am on Monday;
Have end-point protection (your conventional anti-virus software) in place and up to date;
Remove local administrative rights;
Look at remote desktop services (for example, virtual desktop infrastructure) or adoption of a cloud service;
Undertake regular user training, and make this interactive;
Implement a robust disaster recovery strategy plan;
Ensure regular backups of both data and server infrastructure, and ensure these are regularly tested;
Invoke the disaster recovery plan (even if only in part) to test different aspects of your cyber plan, and for each type of regular test undertaken, document the threat simulated, the expected outcome, and the actual result;
Undertake regular penetration testing, with an action plan to ensure you act immediately on any vulnerabilities found; and
Have robust anti-virus and anti-spam services, and always look at best of breed if budgets permit, such as Mimecast and Forcepoint.
The plethora of providers offering all of these services can be a minefield to navigate, so key questions are always who to choose, and how to go about selecting the right partners to meet your objectives.
My advice is simple – do your research, speak to your counterparts in various industry sectors and professions, and understand their challenges and what they have done to ‘de-risk’ or to overcome threats. Go to security conferences and events, network with IT leaders and business owners, undertake proofs of concept, take advantage of service and solution trials, find solutions that are innovative (for example, machine learning), and speak to your existing vendors, who after all should be your strategic partners, not just suppliers.
Once this has been undertaken and the right system for your firm implemented, as with any solution, constant monitoring is vital. Implement the cyber plan, starting with a ‘do, check, act’ approach.
Alongside this, review all solutions regularly. Listen to your vendors to establish whether a product has fallen below acceptable standards, or whether its support, product enhancements, or overall capability and effectiveness have dwindled; if so, be prepared to swap it out and argue the possible contractual obligations afterwards. You have a duty of care to manage IT security, so make sure contractual disagreements don’t get in the way.
IT keeps your firm in business, so stay focused on the overall IT and security objectives.
Alex Loquens is IT director at Lodders