Effective Business Continuity Management (BCM) is not just about IT systems recovery. However, with the increasing reliance we all place upon IT to function effectively and new cyber threats emerging, I ask is it time to give IT a little more prominence?
Increasing reliance on processing power…
The legal sector, like many others, places ever greater reliance on processing power for efficiencies and differentiation. Look no further than the widely publicised benefits coming to the consumer of conveyancing services as Veyo prepares to launch.
Ranged against firms are a variety of threats to business continuity, but IT and/or telecoms disruption, loss of energy supply and computer virus/cyber-attack routinely feature in the top five most common causes of disruption to businesses. Alongside the regulatory impacts of a prolonged loss of IT access sits the often overlooked financial cost of staff downtime.
According to the Information Security Breaches Survey 2014 commissioned by the Department for Business, Innovation and Skills, information security breaches affecting UK business decreased over the last year, but the cost of individual breaches has almost doubled.
As a sector, we are facing unprecedented levels of cyber-attack from individuals and others, intent on a range of damaging raids – be it intercepting client funds, gaining access to confidential information, or simply to highlight shortcomings in weak defences.
Countering threats and the risks…
To counter these threats, Regulators and others are sounding ever louder alarm bells:
- The SRA issues guidance notes, warnings of your very real accountability if clients suffer financial loss, alongside numerous scam alerts and extensive coverage in very informative publications like the Risk Outlook, Spiders in the Web and In the Shadows;
- The ICO threatens to make examples in the sector in a sad, and often not unfounded, belief that many firms are unable to cope with the protection of paper files, let alone the complexities of cyber-crime; and
- Lexcel Version 6, arriving in May 2015, introduces several new requirements that include procedures for the secure configuration of network devices, managing user accounts, detecting and removing malicious software and training for staff on information security, alongside the existing inclusion of an effective Business Continuity Plan which considers ways to reduce, avoid and / or transfer the risks.
It is also worth remembering that the mandatory SRA Principles are wide-ranging, requiring you to, amongst other things:
- Provide a proper standard of service to your clients;
- Behave in a way that maintains the trust the public places in you and in the provision of legal services;
- Comply with your legal and regulatory obligations and deal with your regulators and ombudsmen in an open, timely and co-operative manner;
- Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles; and
- Protect client money and assets.
All of the above underpin the important role that your IT plays in meeting your obligations.
This won’t go away anytime soon and it may only be a matter of time. So what are you doing?
- Heeding the warnings?
- Taking action to strengthen defences?
- Dusting down your BCM Plan and, perhaps most important of all, trying to build capacity for an effective response through your Disaster Recovery (DR) Plans?
Ignore the warnings and you risk serious, and potentially fatal, damage to your:
- Stakeholders
- Reputation
- Brand
- Value-creating activities
Disaster Recovery as a Service (DRaaS)…
So what do I mean by DRaaS and why is it important?
The process of BCM involves an evaluation of the potential risks that could lead to business interruption. DR is your response to an event – whether the impact is minor, such as restoring some corrupted data files from a back-up, or, at the other end of the scale, a catastrophic attack by hackers or a failure of your internal servers. It will also include how you handle media relations – with your clients and the public at large.
How you deal with DR – your ability to detect a problem, assess its impact, and the readiness and speed of your response – will determine the extent of the reputational damage, and reputation is a key component of your business. Lose the confidence and trust of your marketplace and you may as well shut your doors for good!
Lexcel, as a Practice Management Standard, and the Law Society have reacted to the growing threats to Business Continuity, including with a useful BCM toolkit which I understand includes signposting towards information on the Government’s Cyber Essentials scheme launched in June 2014, the ISO 27000 series of International Standards on Information Security Management, and useful Law Society Practice Notes and online webinars.
However, many of us are aware of the issues, but consider ourselves not sufficiently IT savvy to be able to deal effectively with the solutions. After all we’re lawyers with a business to sustain and a priority to service our clients. Time is precious!
DRaaS replicates and hosts your physical servers through a third party to provide immediate back-up availability in the event of a man-made or natural catastrophe. This is very useful for small to mid-size businesses that lack the necessary expertise to provision, configure and test an effective disaster recovery plan. DRaaS means your firm doesn’t have to invest in, or maintain, its own off-site IT DR solution. Contracts can be flexible as your business needs change, and can include additional data transmission security.
Outsourcing, and the handing over of your precious data to others, of course introduces other very important risk assessment requirements. However, there are a number of established UK-based DRaaS service providers working with the legal sector. Many have access to UK-based data centres that comply with internationally recognised security standards and have power back-up systems in place – a far higher level of protection than the server in the cupboard in the corner enjoys.
Can you afford not to consider using an experienced professional to combat these growing threats to your IT, leaving you free to get on compliantly with other tasks such as fee earning?
Norman Denton, Senior Associate, Legal-Eye Ltd – 22 April 2015