In the webinar, we caught up with our panel of industry experts to bring law firms the answers to these three key areas. The panel featured:

• James Hood, IT Director, at LCF Law (bringing the customer perspective)
• Kirsty Stridfeldt, Service Delivery Manager at Access Managed Services
• Chris Morris, Legal IT Specialist at Access Managed Services
• Jon Cuthbert, Legal IT Specialist at Access Managed Services

This article brings you the key points covered in our Legal IT Clinic webinar and the extracts below from our experts have been paraphrased. The below questions were discussed:

Jump to section:

• What recommendations and best practices to consider when looking for an MSP?
• What would you expect your MSP to do to prevent the risk of a potential cyber breach?
• What are the best practices when building a response strategy?
• How do I know if we have been attacked and someone is scanning or information gathering on our laptops\365 tenant\network? What tools (apart from AV and Malware bytes) can I use to find this out?
• Why is it important to have cyber essentials and achieve the standards?

 

Let’s dive in…

Can you provide recommendations and best practices on what I should look for in my MSP?

Kirsty Stridfeldt starts off answering this question with a caveat stating firms should focus on legal cloud services aligned with their specific needs. However, typically, you’d expect MSPs to safeguard and encrypt assets and offer proactive monitoring of network security, vulnerability scanning, and penetration testing. Look for an MSP that provides recommendations on improving security scores and ensuring device compliance, and that looks at real-time data correlation and proactive threat hunting. This means establishing they’ve got tier-three SOC engineers who proactively hunt for potential threats, rather than waiting for the attackers to come for you (like Access Managed Services do).

However, recognise that MSPs have limitations, requiring specialised skills for comprehensive security. You should also consider:

• Industry expertisee. is your MSP aware of the regulations that you as a firm have to abide by?
• Customer testimonials – they can have all the accreditations, but getting feedback from existing customers to back up what the MSP can deliver and can do what they say they do is also important. Like this one here.
• 24/7 support matching your operational hours.

Strive for a balance between MSP specialisation and independence, acknowledging the evolving need for robust security measures in light of recent market incidents.

Kirsty Stridfeldt continues to emphasise the significance of aligning with regulatory bodies and ensuring the MSP's response to incidents matches the firm's security standards. The evolving role of the Senior Responsible Owner (SRO) involves reviewing cyber insurance, selecting appropriate service offerings, and maintaining alignment with the MSP's best practices. You should also consider the certifications and accreditations of the MSP, along with their operational best practices, given their access to your firm’s infrastructure.

What would you expect your MSP to do to prevent the risk of a potential cyber breach?

This has been such a hot topic recently and there is only one place to start with this question and that is there’s a misconception that the buck stops with the MSP or Legal IT Provider for all security incidents, Chris Morris states.

While MSPs manage IT systems and are on hand to advise on what technology to implement, security responsibility extends to everyone using and sharing data. Despite MSPs implementing measures, cyber threats often originate from seemingly genuine sources like malicious emails, emphasising the need for individual vigilance.

Ultimately, everyone has a responsibility to help keep systems secure and that is down to firms understanding whether their staff know they have a responsibility and whether that has been clearly communicated to them. When it comes to mitigating a cyber breach, firms should be asking themselves:

• Have I invested in training?
• Am I running security awareness campaigns frequently? And, are they randomised so that not everybody receives the same email
• What are the next steps for those who failed the training?
• What does my user policy say if they repeatedly fail – what action do I take?

Aside from the human element, cyber hygiene is equally as important. This includes implementing tools like:

• Ensuring devices are kept updated
• Employing intrusion detection
• Web security solutions (for those malicious email attacks)
• Network access controls (to ensure people can only log in from certain areas as a lot of attacks are engineered from foreign countries so need the functionality to block certain countries)
• Having a disaster recovery business continuity plan that is regularly tested.

 

James Hood, one of Access Managed Services’ customers, went on to say in terms of what the expectations of a cloud managed service provider are, it's not only advising on the best practice in terms of defence technology in place but it’s supporting with internal training and user awareness.

In the event of a security breach, you should expect MSPs to possess the in-house skills to aid the fallout process, collaborating with cyber insurers and contributing to the analysis of log files for a comprehensive response.

Ultimately, everyone has a role to play in mitigating cyber-attacks. Striking the perfect balance involves implementing robust defence technology, educating your team, and ensuring your MSP has the industry expertise and in-house skills to effectively handle any potential attack.

Cyber Incidents: Mitigation and Response Strategies

What are the best practices when building a response strategy?

Jon Cuthbert tackles this question by starting with some eye-opening statistics. According to GOV.UK, only 21% of businesses have a response strategy, highlighting a concerning gap in preparedness. This increases to 47% for medium-sized businesses and 64% for large enterprises, yet a significant portion of large businesses lacks a response strategy altogether.

The first thing to say is that a comprehensive response strategy can be categorised into four key aspects.

Firstly, defining the purpose and scope of the plan is crucial, outlining the type of incidents, parts of the system and what data is covered.  So, in different types of systems, the plan might be different. For example, if you've got an on-premise solution where an MSP looks after a certain part of the solution, the plan is going to be different to one that's in a full cloud environment, all managed by a single MSP.

Secondly, threat scenarios (type of incidents that may be affected). Threats can range from malicious or phishing emails to a full-blown system hack so your response strategy needs to cover all bases.

Thirdly, roles and responsibilities, designate key people for reporting and communication. Outline who should be taking action and who should be communicating back to the customer. Also, consider the incident response process and create a step-by-step guide on how to respond to a given incident. This is where your MSP can assist you.

Lastly, involving your MSP in your cyber response strategy is crucial to ensuring a seamless partnership in the event of an attack. It ensures alignment between your internal capabilities as a law firm and the MSP's capabilities. At Access Managed Services, we go beyond being just a software provider – we consider ourselves your strategic partner, a reliable source of technical expertise. We recognise you entrust a huge amount of data to us and that if an incident were to occur it could result in total loss of service. That’s why as your technology partner, our specialist IT support team is on hand to help guide and build your cyber response strategy. Hear more about how we helped a customer during an IT challenge here.

Having confidence in the response plan is key. Whether addressing a suspicious email or a potential breach, clear processes and communication channels are vital to giving you peace of mind. Even if it’s a suspicious email knowing the process of how to report it and knowing it will get investigated to mitigate any risks is crucial. This gives your user base and staff confidence to report on the things they deem suspicious, fostering a culture of vigilance.

Also, don't just assume your MSP has all your IT responsibilities covered. Look into the nitty-gritty of being proactive versus reactive with IT security and do you know how to identify the difference? For example, just having an antivirus isn't the same as having a proactive security service. A proactive security service means extra resources and costs, with specialised skills to prevent incidents. It's not just part of the regular MSP service. Continuous improvement is also key – keep updating your cyber and response strategies in line with new threats.

 

How do I know if we have been attacked and someone is scanning or information gathering on our laptops\365 tenant\network? What tools (apart from AV and Malware bytes) can I use to find this out?

Using AV and Malware bytes is a good way to start but we’d recommend leveraging the Microsoft 365 suite to correlate data from devices, applications, and data feeds, Chris Morris states.

He goes on to say: One of the reasons we talk to customers about leveraging the suite model is as an MSP or IT provider we can look up devices, applications and data, take feeds from each of them, build a journey of what's happening across the landscape, look at your security posture as a whole, which will include your 365 tenants and laptops. But like anything it’s only as good as the people who are monitoring that data and responding to those potential breaches.

For a proactive approach, you’d expect your MSP or Legal IT provider to use Security Information Event Management (SIEM) systems (like Access Managed Services do). For example, we can set it so that if you see this, take this action or if you see this account log on from these countries, ask for an additional MFA step and or block the account depending on the risk profile.

Even traditional antivirus software, even under the new label of endpoint detection and response, is just one piece of the puzzle, with the need for a more comprehensive strategy.

To reinforce that, Jon Cuthbert mentions, that we’ve seen more and more regulator's expectations for law firms to proactively assess their security landscape, signalling a shift towards Managed Detection and Response (MDR) solutions. As we know, detecting attacks manually is difficult so consider an outsourced security operations centre or a combination of tools, to understand and report on the security posture effectively.

The key thing is defining what "normal" looks like in your environment to identify and respond to potential threats effectively. This is where Access Managed Services can lend a hand, we can assess your IT infrastructure and advise what proactive measures you can put in place to detect a sign of a breach or cyber-attack.

Chris Morris, Jon Cuthbert and Kirsty Stridfeldt all stress the importance of a thorough review and renewal of processes and policies. Why? Things like multifactor authentication weren't a requirement a few years ago, and the drive towards that is largely been driven by insurers who are mandated to provide public liability insurance. And there’s a good chance that cyber essentials might follow that same path. We could see a shift in focus on achieving a cybersecurity standard that aligns with industry expectations and may become a regulatory requirement in the future so worth thinking about getting now.

Cyber Essentials Standard: Compliance and Best Practices

Why is it important to have cyber essentials and achieve the standards?

From a law firm's perspective, James Hood shares his perspective, highlighting how it reassures stakeholders, insurers, regulators, and clients that the firm prioritises cybersecurity especially when relying on numerous third parties. By having Cyber Essentials it helps to show all stakeholders you know what the best practices are as far as security is concerned, giving them peace of mind and this in turn could potentially open up other work for you that you would otherwise wouldn’t get without Cyber Essentials. 

It could also mean that insurers offer you a better premium if you adhere to the standard and you can demonstrate that throughout the 12-month cyber essential cycle that you’re doing what you say you do on the IT.

Kirsty Stridfeldt echoes the sentiment, emphasising Cyber Essentials Basic as a crucial first step for firms to achieve and apply policies seriously giving your clients peace of mind their data is secure. She also touches on the growing trend of firms moving towards Cyber Essentials Plus for a more audited approach, aligning with insurer requirements.

Kirsty Stridfeldt goes on to say: For anyone outsourcing any digital data processing, in my view, it's an absolute must. One of the biggest benefits for non-IT people or less tech-savvy people is that it helps you gauge your overall cybersecurity status and understand your security posture. It has the potential to uncover surprises, even for IT professionals, revealing issues that may have gone unnoticed. Addressing these problems becomes crucial once identified, for example, there may be a device with a default password or an outdated network device that you didn’t even know about.

Key takeaways

To sum it up, the key consideration when selecting a legal cloud managed service provider (MSP) is to ensure the alignment with your firm's needs. Think of it like choosing a trusted ally rather than just a service provider. However, typically you’d expect an MSP to safeguard and encrypt assets and offer proactive monitoring of network security, vulnerability scanning, and penetration testing (like Access Managed Services do).

The expert panel stressed cybersecurity was a shared responsibility, advising firms to invest in training, awareness campaigns, and cyber hygiene to foster a culture of individual vigilance. Though, a collective, joined-up approach with the MSP is equally as important especially when it comes to your cyber response plans and ensuring they are tested regularly.

Ultimately, it's not just about finding an MSP; it's about building a partnership that ensures your digital strategy is robust, responsive, and ready for whatever the cyber world throws your way.