Every business in the world has to abide by rules set by one regulatory body or another. In the following two blogs we will be specifically concentrating on the SRA (the Solicitors Regulation Authority, the regulatory body for Law Firms) and the FRC (the Financial Reporting Council, which is the regulatory body for Accountants). We will delve deeper into some of the regulations and find out what you and your firm can do to guarantee that you are compliant 100% of the time.
In this blog we will specifically be concentrating on the SRA regulations for Law Firms.
The Regulations
The SRA information and cyber security rules expect firms to:
- “Review and assess cyber risks and level of exposure to cyber crime”.
- ‘Have staff trained on cyber crime and information security – especially how to recognise phishing attempts.’
- “Have policies and procedures in place to protect information and money”.
These are just some of the many regulations that Law Firms must abide by to ensure they remain compliant. Let’s take a look at what you can do to achieve this in your organisation.
The actions you can take
1. “Review and assess cyber risks and your level of exposure to cyber crime”.
To achieve this, you need to conduct a cyber security risk assessment in your organisation. A lot of people will be asking how to do that, so we will walk you through it now.
As a practice that likely outsources IT to a third party, it is essential that your current IT provider is strategically aligned with the way you do – and want to do – business. Considering the amount of influence they have on your organisation you would be right to expect them to know and understand the SRA regulations down to the finest detail, but unfortunately this is rarely the case – most won’t even know what the SRA is let alone know their rules. So, what does a good – well equipped – IT provider need to be best placed to support you in staying compliant?
A good IT provider will have the three key pillars of cyber security covered; these are as follows:
- Technical defences
Your technical defences must include Firewalls, Anti-Malware software, and password management, along with privilege-based access controls, and other components that define who has access into and out of your network. All of this needs to be configured to best practice and maintained by keeping software and hardware as up-to-date as possible.
- Policies and procedures
Do your staff have guidelines to follow when handling sensitive business data?
The policies and technical controls you choose for your organisation must mirror one another to ensure that your team can not only use them as effectively as possible but also ensure that they handle data compliantly. These policies and rules could include a variety of different things; a check list for logging on and off, or secure passwords, for example, in an effort to bestow a security first approach when navigating your systems.
- Education
Arguably the most important of all is education. How do you expect your team to use the tools you provide efficiently and securely if you don’t teach them how?
You should ask yourself questions about your team – such as “Are my team able to detect, avoid, and know when to report, a cyber threat?” and “Are my staff comfortable reporting that threat without the worry of being blamed?” Educating your team is the most important factor in the mitigation of cyber risks in your organisation, as all the money you have spent on industry leading technical controls and well thought out policies will be wasted if your team has little or no knowledge on cyber threats.
Your team must also feel comfortable that there is a ‘no blame’ culture in your organisation. They must know that they will be offered the support and whatever training is needed to guarantee that should a cyber threat arise they will be confident in dealing with it in the safest way possible.
2. ‘Have staff trained on cyber crime and information security – especially how to recognise phishing attempts.’
Education is key to achieve this. You must first highlight the most common threats that your team is likely to face when completing daily activities. They must know the dangers they are likely to face, and the action needed to prevent them from becoming a problem. Let’s take a look at some of the most common of cyber threats and what you must teach your staff to mitigate them as a threat:
- Malware – Malware is malicious software designed with the sole intention of stealing data, or sometimes simply to cause carnage on your systems. Often cyber criminals will create a Malware virus and sell it on the Dark Web to other criminals from all around the world.
- You must ensure your team understands that the technological landscape they are navigating is not a safe place, and that they cannot trust anyone Hackers are clever – they use many different methods to entice your employees to open the malicious software files.
- Ransomware – Ransomware is the process of a criminal locking you out of your own system and demanding a ransom in order for you to be allowed to re-enter. The ransom must be paid in full in a specified time limit or else you risk the loss of your data forever. Firms often pay the ransom out of panic and desperation – DO NOT do this! You are very unlikely to get your data back either way, and by paying you are putting a bigger target on your back by showing you are not only able but willing to pay.
- Tell your staff to never open email attachments or attached links without thoroughly analysing them first. Teach them to exercise caution when checking email attachments as they are the most common vessel for malicious software to access your system – if they do manage to gain access then stopping the infestation is almost impossible to stop.
- Phishing – Phishing is the most common method of cyber attack globally. Using an email as a disguised weapon, the cyber criminal will trick the recipient into believing the email is in need of urgent attention. The cyber criminal is often clever in the way you are forced into allowing an attack – they use emotive language and different techniques to pressure the recipient to decide quickly without allowing time to make a revised decision. In their haste the cyber criminal hopes the recipient will click the attachment which will redirect them elsewhere, or, in the worst-case scenario, allow them un-bridled access to the system.
- Combatting Phishing scams is futile, so therefore education based around learning how to spot them is the more beneficial route. It is all about attention to detail – teach your employees that if they receive an email from an individual or organisation that arises even the slightest of suspicions, they should contact the sender via a ‘new email’ instead of using the ‘reply’ function – this will give them peace of mind that they are definitely contacting the correct person.
- It is also beneficial to instruct your staff to dissect the emails they receive. Teach them to check for grammar and spelling mistakes – often the cyber-criminal will not check for spelling or grammar, which is something that a trusted source (like a bank or a colleague) would always do.
3. “Have policies and procedures in place to protect information and money”.
How do I go about creating and implementing policies and procedures in my law firm? A common question that we are asked. It can be difficult to know where to start – let’s break it down step by step.
- Identify the risks in your organisation
Ask yourself as many questions about the business as you need to. No question is a bad question – the intention is to highlight gaps that need filling. Those gaps could be nothing or they could be the pit that your business’s money seems to be disappearing into.
- Learn from your rivals
If your opposition are doing well why not learn from them? This also applies when a competitor isn’t doing so well, when you can learn from their mistakes and not repeat them.
- Mirror levels of security with levels of risk
Having assessed your team and made the judgement that they are mature individuals with the correct approach toward the security of your IT landscape – there is such a thing as overkill. However, it can be beneficial to write a mandatory code of conduct alongside the technical measures you have in place. But also bear in mind that too much security can cause problems with workflow, which can result in things taking longer than they should.
- Include your team
Often, your team are the experts, as much as you are the boss, as they are the ones that use the tools daily and need them to work properly in order to complete their daily tasks. Your team are by far the best people to consult – and under no circumstances preach to – about the best tools and methods they need to complete their job.
- Train your team
It is essential to train your team. As we have said previously, they are the ones having to use the tools and adhere to policy surrounding them daily. They must know what is expected of them otherwise there is no point in implementing the policy in the first place.
- Write the policy down
‘Read it and sign it if you understand it’. This, along with six monthly checks to ensure they are still familiar with the policy, is important – with a signature of understanding every six months you can be sure that your team are fully up to speed with any changes you have made to hone the policy.
- Install the correct tools
Provide your team with the tools that allow them to complete their jobs to the best of their ability. Internet and e-mail content security products with customisable rule sets can ensure that your policy, no matter how complex, is adhered to. Yes, depending on the level of security you need it can be quite expensive, but the investment – in comparison to the damage a cyber attack can cause to your system – is a relatively small one.
Compliance made simple
We offer specialised IT for Law Firms, Accountancy, and the Professional Sector. We assist firms looking to grow, or just needing peace of mind, to move forward confidently by having their technology and security aligned with their development plan. Working with leading law and accountancy firms for over 14 years and integrating closely with their key application vendors has gained us a unique set of skills and knowledge which is not easy to find. Please don’t hesitate to get in contact and see what we are able to do to assist you and your team.
