You will now be aware of a news story detailing a widespread ransomware cyber-attack which has affected the NHS and a multitude of other organisations globally. This is yet another sombre reminder that anyone is a target and no one person or organisation is immune to an attack.
If you have not done so already, you should immediately remind all staff to be extra vigilant with emails received from unknown sources and make sure that they do not open any attachments or open any links if they are not 100% sure of the source and content.
Whose Responsibility Is it?
Many businesses are still viewing cyber-security solely as an IT issue. It is not. Cyber-security is a business risk: it requires engagement and ownership at Senior Management or Board level and must be embedded as part of a firm’s culture. Senior Managers within organisations must ensure that they have taken all possible steps to mitigate the risk of a cyber-attack. This includes, but is not limited to, having robust firewalls and internet gateways configured to protect against potential attacks, keeping malware protection software up to date, installing security patches and updates immediately so that known vulnerabilities are closed, and training staff.
Ransomware is often spread by an individual opening an attachment or clicking on a link within an email and can, as was demonstrated on Friday, bring organisations to their knees. It isn’t enough to simply train staff. Training must be followed by knowledge testing and, if there is any doubt as to understanding, further training and re-testing should take place. Senior Managers are responsible for their firm’s IT security and must be able to confidently answer yes when asked whether all staff understand the risks.
The Code of Conduct requires law firms to maintain systems and controls for monitoring financial stability and risks to money and assets entrusted to them by clients and others. In addition, they are required to keep clients’ affairs confidential, protect client monies and assets and continually consider business continuity risks including IT failures and abuses. There are further obligations under the Data Protection Act which require firms to take appropriate technical and organisational measures to protect against unauthorised or unlawful processing, accidental loss or destruction or damage to personal data, breaches of which could result in significant fines.
Regulators have confirmed that they will take action against firms that are not proactive in protecting client monies and assets, and the SRA has very recently issued a rebuke where a firm was subject to a cyber-attack which resulted in client monies being diverted to fraudsters. The reputational damage to your firm and the time taken to deal with a successful cyber-attack should not be under-estimated.
If you would like to know about the practical steps you can take, please visit https://www.legal-eye.co.uk/webinars/ to view our most recent webinar in our Compliance Bytes – Emerging Risks series which focuses on cyber-security.
If you don’t know the answers to, or can’t confidently answer yes to, any of the questions below, you and your firm are at risk and must take immediate action.
- Have you reviewed your IT security recently?
- Do you have sufficiently robust firewalls and internet gateways configured to protect against attacks?
- Do you install security patches immediately?
- Are all staff trained and tested regularly on cyber-security, and re-trained and re-tested if issues are identified?
- Do your staff understand the potential consequences of opening emails received from unknown sources, opening any attachments or clicking on any links if not 100% sure of the source and content?
- Do you have Cyber Essentials or Cyber Essentials Plus?
- Do Senior Management take ownership of cyber-security, and can they confidently answer that they have done everything possible to mitigate the risk of an attack?
- Do you have a Cyber Incident Response Plan, and is it regularly tested?
- Have you taken proactive steps now so that, if you were subject to an attack, the risk of it being successful is mitigated?
Be prepared: an attack can happen to anyone at any time, and will happen when you least expect it. Implementing strong cyber risk management procedures means you can mitigate the risk.
Need help? Call us to arrange a meeting on 0203 051 2049 or email firstname.lastname@example.org