In September 2020, the SRA published its review of 40 firms that had suffered cybersecurity breaches. It makes for sobering reading: it found that the results of an attack ‘were often catastrophic’. Our cybersecurity partner Mitigo highlights some of the key issues that emerge.
1 The importance of leadership
Cybersecurity and operational resilience are a serious business risk and a board-level responsibility. They require an influential and visible leader to set the tone and put the right protections in place. Yet the SRA found some senior figures in breached firms unable to answer even basic questions about cybersecurity. There should be a formalised approach to cyber risk management with proper record-keeping. It also requires ongoing expenditure: most of the firms breached had failed to allocate a specific annual cybersecurity budget.
2 Be aware of the cyber risks facing your firm
The criminal ecosystem is sophisticated and methods of attack constantly evolve, as the bad guys look for new victims and weaknesses in defences. Off-the-shelf attack tools are now readily available on the dark web. The SRA found that common attacks included email modification and account takeover, ransomware and spyware. Remote working and increased use of technology, including cloud-based systems, have opened up many more vulnerabilities for attackers to exploit. Don’t think it won’t happen to your firm. Do you really understand how ransomware can get onto your system, and the consequences for you and your clients? How would you detect that you had suffered an email account takeover, or that spyware had been installed? Unless you take steps to properly understand these threats and the way in which breaches occur, you cannot begin to put the right defences in place or reassure your partners that the firm is safe from attack.
3 Don’t underestimate the impact of a breach
The loss of money (whether yours or your clients’) and data is only one aspect of a successful cyberattack. The SRA found that firms experienced an impact on their operational capabilities, along with other financial implications. These included significant loss of management and fee-earner time (one firm lost £150,000 worth of billable hours), damage to client relationships, increased insurance costs, lost access to systems, stress, and more. Separate research indicated that last year the average ransom payment had risen to £138,000. We know from our emergency recovery work just how frightening and disruptive a cyber breach can be.
4 Recognise the importance of people and governance in security
It almost goes without saying that a key aspect of security is technical configuration and regular vulnerability scanning. The SRA highlighted, however, that effective cybersecurity is not just a technology issue, nor a matter of having the best security software in place. The biggest vulnerability (and potentially the best defence) lies in the day-to-day practices and awareness of people, since most attacks target people. Many breached firms had failed to provide proper cyber awareness training, lacked training records, and had inadequate policies and controls in place. Unsurprisingly, they suffered the consequences.
5 Do not confuse cybersecurity with IT support
The SRA considered that aspects of cybersecurity are complex and technical, yet found that three-quarters of breached firms had been relying on their IT support for cybersecurity. Cybersecurity is a professional discipline distinct from IT support, and the SRA has warned against relying on third-party IT providers to provide security. It also reinforced the need to regularly review and maintain policies, processes and systems, where possible by someone independent.
6 Be mindful of your regulatory obligations
Finally, the SRA issued a reminder that cyber and data security are not an optional luxury. Firms have regulatory obligations under the Code of Conduct and Accounts Rules to protect client funds and data, to run their practices in accordance with proper governance and risk management principles, and to report incidents. They also have overlapping statutory obligations under data protection legislation to protect the personal data of their clients and their own staff. These requirements include documented risk assessments, identification of technical vulnerabilities, regular and relevant cyber awareness training, and appropriate policies and procedures, all reviewed on an ongoing basis and documented to prove compliance.
More and more firms are taking the right steps to stay protected, but those firms that lag behind will become the low-hanging fruit for cybercriminals.