Transcript for:
Lecture by Kate Burt on Compliance and Cyber Security

Kate Burt is the founder of highrisk.co.uk. Kate advises law firms, real estate businesses and RegTech verticals on compliance strategy and innovation. She's an experienced solicitor with over 20 years' experience in the legal sector and founded highrisk.co.uk, a boutique risk management consultancy.

I agree with so much that has been said already, particularly Kim in relation to the education of staff. But one thing I would just mention in relation to the education of staff is also educating your clients as well, because often it's the clients' emails that are intercepted, and it's the clients that are being socially engineered to click on that link, which the firm doesn't have access to or control around. So, looking at creative ways of how we can educate our clients, whether it's in the retainer documentation, in email footers, in conversation, to also drip-feed that information to clients as well.

I do have a few slides to go through. If we could go on to the third slide with the agenda, because there was a lovely, comprehensive introduction of who I am and what I do, so we won't go over that. But essentially I work with law firms on a daily basis in terms of their risk and compliance, so everything that Kim said is resonating with me and with what I'm hearing from my firms. What I would say is, I think Kim's firm is a particularly good example of a firm that's on top of things and has a really strong approach to that. I wouldn't say that's across the board; it is unusual, and I think there is a lot of support that firms need to really get to grips with this area. I'd agree with what was said by both Jonathan and Duncan: it's not if it will happen, it's when it will happen, and you can have the best systems and controls in place, however that doesn't make you immune from these really sophisticated attacks.

So I'd like to cover in my section a little bit about what was found in the SRA cyber security report, to highlight some of the common data breaches that I'm seeing with my clients, some key areas of data security, and also touching on the culture of privacy, which Kim's mentioned, but really giving some top tips around that.

So we can move on to the next slide, looking at the SRA's outlook report. This was published at the beginning of June. Some of the headlines from that: 50% of all the cyber crime reported to the SRA related to phishing scams, so that's really the highest proportion that we were seeing reported, and as Jonathan said, there's likely to be much more that goes on that's actually not reported. But certainly for most firms that I work with this is a norm, that they are seeing emails which are attempting to socially engineer, or to get, via the staff, into a conversation to divert funds. Another aspect that was highlighted: conveyancing is still the main target, for obvious reasons, large transactions being moved, but this is widening out to other work areas, most likely because conveyancing firms are getting more wise to this, so actually they're going for the easier targets. Voice impersonation systems are being used in other sectors outside legal, but the prediction is that that's going to come in more and more as the attacks on law firms become more sophisticated. I've seen it in particular where the sophistication is to such an extent that a telephone call is made to the client where the number that flashes up on the client's phone is actually the law firm's number, and then there's the voice impersonation pretending to be the fee earner to say, expect a call from our accounts team this afternoon. So from the client's perspective, that is so sophisticated; unless you have been educated about the risk here, or if it's completely unusual that you'd be asked to make a payment, they may easily fall foul of that. And ransomware was highlighted in the report too as a real risk, and something that can be debilitating for firms in terms of loss of systems, and a threat that sensitive client information will actually be made public. I think, Jonathan, you explained earlier about how you work with firms who are actually in that situation.

So if we move on to the next slide. Now I just want to go a bit back to basics in terms of data, because we talk around data breaches, but not every data breach is a personal data breach, and not all data is created equally. So what we're really concerned with, and what the ICO is really concerned with with these breaches, is the personal data. So we're looking at the Data Protection Act 2018 and the UK GDPR, and I think it's really useful just to go over what is personal data, so it's back to basics. It's any data that identifies a natural person, a living person as opposed to an entity, and this definition is so wide: it could be a credit card number, it could be an IP address; it's not necessarily the obvious. And within personal data there's different categories of personal data, so you've got the more sensitive data, such as the medical claims that your firm may deal with, Kim; if you've got medical records, that's going to be real sensitive data. So I think it's really just useful to set out personal data, and then, next slide, what is a personal data breach as defined by the statute: it's a breach of security leading to the accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, personal data. So again it's really wide; it doesn't just include a cyber breach when you're looking at your data protection as a whole.

So if we move on to the next slide. We've already discussed, as we've been going through the session, the different sorts of breaches that are seen, but coming from human error: leaving bags on the train, sending emails to the wrong place, actually in error. Usually in those situations it can be easily recovered. Say the email's gone to another solicitor, for example, by accident; you can usually work with them to contain that breach and recover from that. If that email goes to, say, an opponent on the other side of a bitter family matter, there may be much more serious repercussions. We've also got natural disasters as well: if your office is subject to a flood or a fire and you lose that data, that's also a potential, well, likely data breach there. And then malicious intent, and that's more what we're talking about today, around those cyber attacks.

Okay, next slide. So for those of you who are familiar with data protection and the data protection principles, you'll know that there's seven principles. What I'd like to look at in this section is one of the principles, which is around integrity and confidentiality, which is known as the security principle. So it's really looking at confidentiality, protecting against unauthorised access; the integrity of that data, protecting against unauthorised modification; and the availability of that data. So for example, if there's a flood, you've lost the data; if there's a cyber attack and your systems are locked down, you've lost the availability of that data, you can't access it.

So next slide please. And you can really split these controls into four areas. So we've got the technical side of it, this is really Jonathan and Duncan's domain: the firewalls, the network perimeter defences, antivirus solutions, your two-factor authentication. And then you've got the physical, so it sounds obvious, but locking filing cabinets, locking offices, alarms on the offices. Personnel: do you screen who's working on your data, what protections have you got around that? And procedural, and this is my sweet spot, in terms of making sure your firm actually has a good handle and robust procedures around data protection. So what are your policies, what's your IT security policy, your GDPR policy; have you done a data mapping exercise? Now this is so valuable, and I would suggest to anyone that this is really your first step: what data do you hold? So once you know what data you've got, what category of data you've got, where it is, then from there you can work out, okay, how is this being protected, where is it held, and really working out from that your policies, controls and procedures.

And next slide please. And that's exactly just reiterating what's already been said: absolutely, prevention is better than a cure. Have a good plan in place, implement that plan, regularly monitor that plan, because things are moving, things are shifting so quickly, and keep that under constant review. It's a constant cycle to keep on top of that.

Next slide please. And then really building upon what Kim has said, it's so important to have that culture of privacy, that culture of compliance, and that needs to be led from the top down, leading by example. So when staff see the leaders of the business working in a way that is favourable to compliance, they're more likely to follow suit. Also sharing learnings: when there are near misses, when things go wrong, don't hide them away, do share those learnings with the firm. Appointing data champions is a really valuable thing to do, and some firms do that. Training is the obvious one; as Kim said, it's that regular reinforcement to keep it top of mind. Yes, do the annual training as well, but just constantly re-emphasise that training. And consider those data security frameworks as well. So we've mentioned today Cyber Essentials and Cyber Essentials Plus, which most firms will have heard of. So Cyber Essentials is more of a self-assessment, where you fill it in yourself (sorry, I was just distracted), and then Cyber Essentials Plus is where you've got a third party that's actually testing, checking your homework, if you like. And we've also got the NIST framework as well, which I know most firms won't have heard of, but that's a really valuable framework as well. But I think you really need to be ready to put in the time and resources to achieve these frameworks.

And next slide please, and then I'll close up. But there's so much information around here if you want to learn more about cyber security. We've got the Law Society's resources; these are, I don't know if the slides are going out, these are clickable hyperlinks. But we've also got the ICO's website as well, which is a valuable resource of information. If you just don't know where to start, go to the ICO's website, it's really easily laid out. I think I'll stop there because I am conscious of time, and hopefully you heard me okay through the noise. Find us on LinkedIn.