By John Corfield – Cloud Product Manager at Peppermint Technology
When the National Cyber Security Centre (NCSC) published a report with The Law Society on The Cyber Threat to UK legal sector in July, the four primary risks were clear:
- Data Breaches
- Supply chain compromise
As a supplier to and a hosting partner of the sector, we at Peppermint are very aware of the responsibilities that we hold on our customers’ behalf.
We recognise the importance of maintaining a secure environment for customer data and we recognise the risks that could impact our customers.
As an organisation, we have put in place several technical and organisational controls that help mitigate these risks, demonstrating our commitment to cyber security by holding the Cyber Essentials Certificate.
Key to our approach is ensuring our environment is as secure as possible. This means that:
- Firewalls exist between Peppermint’s network and the outside world; the firewalls have default Deny-All rules to ensure that only traffic we want is exposed to our network
- All devices have anti-malware/anti-virus software installed, running and up-to-date
- All device operating systems are up-to-date and have all security patches applied as soon as they become available
- We prevent installation of unauthorised programs and have whitelists of approved executables set-up to only permit the software we want to be run to run
For our hosted environment, we take a similar approach to ensure that our customers’ data is as secure as we can make it with measures including the following:
- Firewalls exist between the outside world and the hosting services, only ports which we want to be open are open (typically limited to web traffic alone)
- Ensuring all network traffic into and within the environment is encrypted
- All servers, firewalls, routers and other network components are up to date with security patches
- Wherever possible, weak security algorithms and protocols are disabled
- All websites are secured with certificates and HTTP sites are either redirected to HTTPS or disabled.
- Website hardening is undertaken to reduce the number of threat vectors
- Regular vulnerability scans are undertaken to ensure that the perimeter is secure
Technical Controls are only part of the story, however, as user education is equally as important.
Cyber security training of staff should be a regular undertaking, with continual reinforcement to make cyber security as natural as locking doors.
In the supply chain, the legal sector should be asking suppliers to demonstrate a commitment to security by holding some form of accreditation.
An excellent starting point and as a minimum requirement, the UK Government backed Cyber Essentials offers a set of basic technical controls to help organisations protect themselves against online security threats.
Companies with well-developed strategies and processes can opt for the international standard ISO 27001/27002 which includes independent and regular auditing of the controls that are in place.
Peppermint’s key partners Pulsant (Hosting Provider) and Microsoft (Software and Cloud Partner) both hold ISO27001 along with other audited accreditations.
Download your copy of the NCSE report.
Read more about legal innovation and the importance of data security in The Times Raconteur Legal Innovation publication featuring Peppermint Technology.