By Norman Denton at Legal Eye.
Effective Business Continuity Management (BCM) is not just about IT systems recovery. However, with the increasing reliance we all place upon IT to function effectively and new cyber threats emerging, is it time to give IT a little more prominence?
Increasing reliance on processing power
The legal sector, like many others, places ever greater reliance on processing power for efficiencies and differentiation. Look no further than the widely publicised benefits coming to the consumer of conveyancing services as Veyo, the online portal, prepares to launch.
Ranged against firms are a variety of threats to business continuity, but IT and telecoms disruption, lack of energy supply and computer virus and cyber-attack, routinely feature in the top five most common causes of disruption to businesses. Amongst other regulatory impacts from a prolonged lack of IT access is the often overlooked financial cost of staff downtime.
According to the Information Security Breaches Survey 2014, commissioned by the Department for Business Innovation and Skills, information security breaches affecting UK business decreased over the last year, but the cost of individual breaches has almost doubled.
As a sector, we are facing unprecedented levels of cyber-attack from individuals and others, intent on a range of damaging raids, be it intercepting client funds, gaining access to confidential information, or simply to highlight shortcomings in weak defences.
Countering threats and the risks
To counter these threats, the volume of alarm bells from regulators and others is continually increasing:
- The SRA has issued guidance notes, warning of very real accountability if clients suffer financial loss, alongside numerous scam alerts and extensive coverage in very informative publications like the Risk Outlook, Spiders in the Web and In the Shadows;
- The ICO is threatening to make examples in the sector in the sad, but often not unfounded, belief that many firms are unable to cope with the protection of paper files, let alone the complexities of cyber-crime; and
- Lexcel Version 6, arriving in May 2015, is introducing several new requirements that include procedures for the secure configuration of network devices, managing user accounts, detecting and removing malicious software and training for staff on information security, alongside the existing inclusion of an effective business continuity plan which considers ways to reduce, avoid and transfer the risks.
It is also worth remembering that mandatory SRA Principles have a wide coverage including the requirement of:
- Providing a proper standard of service to clients;
- Behaving in a way that maintains the trust the public places in firms and in the provision of legal services;
- Complying with legal and regulatory obligations and dealing with regulators and ombudsmen in an open, timely and co-operative manner;
- Running a business or carrying out roles in the business effectively and in accordance with proper governance and sound financial and risk management principles; and
- Protecting client money and assets.
All of the above underpin the important role that IT plays in meeting a firm’s obligations.
So what should firms do? Heed the warnings? Take action to strengthen defences? Dust down their Business Continuity Management (BCM) Plan?
The answer is, all of the above. And, perhaps most important of all, build capacity for an effective response through a comprehensive Disaster Recovery (DR) plan.
Ignore the warnings and you risk serious, and potentially fatal, damage to your stakeholders, reputation, brand and value-creating activities.
Disaster Recovery as a service (DRaaS)
So what is DRaaS and why is it important?
The process of business continuity management involves an evaluation of the potential risks that could lead to business interruption. Disaster recovery is your response to an event – whether a potentially minor impact, such as restoring from a back-up some corrupted data files, or at the other end a catastrophic attack by hackers, or a failure of your internal servers. It will also include how you handle media relations, your clients and the public at large.
How you deal with disaster recovery – your ability to detect a problem, assess its impact, readiness and speed of response – will determine the overall reputational damage that is a key component in your business. Lose the confidence and trust of your marketplace and you may as well shut your doors for good!
Lexcel as a Practice Management Standard and the Law Society have reacted to the growing threats to business continuity including a useful BCM toolkit, which I understand includes signposting towards information on the Governments Cyber Essentials scheme launched in June 2014, the ISO27000 series of International Standards on Information Security Management and useful Law Society Practice Notes and on-line webinars.
However, many of us are aware of the issues, but consider ourselves not sufficiently IT savvy to be able to deal effectively with the solutions. After all, we’re lawyers with a business to sustain and a priority to service our clients. Time is precious! This is where DRaaS, or Disaster Recovery as a Service, comes in.
DRaaS replicates and hosts your physical servers through a third-party to provide immediate back-up availability in the event of a man-made, or natural catastrophe. This is very useful for small to mid-size businesses that lack the necessary expertise to provision, configure and test an effective disaster recovery plan. DRaaS means your firm doesn't have to invest in, or maintain, your own off-site IT DR solution. Contracts can be flexible as your business needs change and include additional data transmission security.
Outsourcing and the handing over of your precious data to others, of course, introduce other very important risk assessment requirements. However, there are a number of established UK based DRaaS service providers working with the legal sector. Many have access to UK based Data Centres, which are compliant with far higher Internationally recognised security standards and with power back-up systems in place than your server has in the cupboard in the corner.
Can you afford not to consider using an experienced professional in combatting these growing threats to your IT leaving you safe to compliantly get on with other tasks such as fee earning?
Norman Denton is a Senior Associate at Legal Eye, the legal market’s best practice, risk management and compliance services provider