Both legal and accountancy firms by their very nature hold confidential and sensitive information. This is often digitized for convenience; however, the implications of entering this data into computer systems are not always appreciated. Last year the Information Commissioner's Office investigated 173 law firms for a range of incidents. This is a worryingly high number of firms holding sensitive information that may have inadvertently been disclosed to other parties.
Increasingly sophisticated criminals are finding that banks and other traditional targets are protecting themselves. The introduction of the Payment Card Industry Data Security Standard has made compromising credit card details increasingly difficult. This has caused organised gangs of computer criminals to look further afield, searching for other information that can be profited from. Other industries have been slow to implement standards for information security, leaving themselves open to a range of cyber attacks, almost all with one aim: realizing a profit for the gangs.
Whilst physical security has historically been well understood, computer security is more complex. The requirement for specialists within the IT security sector is not necessarily clear to those outside of the IT department. To those inside the department, requesting specialists is often seen as an admission of failure, or as suggesting that their own skills are not sufficient. However, the IT department and the IT security function should work in synergy, with the IT security team providing an audit function to demonstrate the level of diligence.
In a number of recent cases where PGI forensics has been asked to investigate cyber crimes involving businesses, it has been impossible to demonstrate that the victim performed due diligence, either to an internal standard or to the level required by an external audit. This has resulted in the victim being unable to demonstrate to their insurers that they had taken reasonable steps to prevent issues arising, making their policy void. Where two businesses are involved, the lack of demonstrable security standards on either side makes deciding which party's insurance should pay, in the event of a man-in-the-middle attack, extremely complicated.
Because of the obvious need for a basic level of cyber security assurance among government suppliers, the Cyber Essentials scheme was created. It is intended to be a low cost, low barrier scheme that provides an independently verified level of security. For those at low risk of cyber attack this may be sufficient, and for those with a higher risk profile it may be the first step towards a fuller, longer term solution. In the event of a cyber attack or incident, possession of such an accreditation can be a vital factor in demonstrating due diligence.
In recent weeks a number of suspected instances of e-mail interception and "bank account detail change" scams have taken place involving solicitors. This damages the reputation of the whole profession as well as the individual companies involved. In at least one instance the Solicitors Regulation Authority (SRA) may become involved, and the question of whether the law firms exercised sufficient due care will inevitably be asked.
In the absence of an industry specific information security standard, PGI feels that Cyber Essentials is a vital demonstration that a company takes information security seriously, and one that can be undertaken at a reasonable cost.