No. Hello? Hello, everybody. We're just waiting at the moment, we're just starting the event. But we're just gonna wait for a few more people to join, and I can see how many people have got in the room. So hello to those people who have just joined us. We are just waiting for people to join the room and the webinar at the moment. Hello. For the people that can't hear me, there is a link that Tom has to YouTube, so that's for those people. Hi, everybody. We're just waiting for more people to join us, and the numbers are still going up at the moment.
There are documents for you to download. So there are slides, and there are also other documents available to support the session that we're doing today. Those are available in the file sharing area, so if you want to have a look at those, you can just download those while we're waiting. So we're just waiting for these numbers to go up a little bit, and I'll start the session in a couple of minutes, just once we've given time for everybody to join us in the session. So I think we've got about 50 people in the room at the moment. The webinar is also available on YouTube, and Tom has supplied the link. If you're having any issues in respect of hearing me or seeing me, or seeing what's going on in the webinar, then you can join us on YouTube instead.
Okay. So I'm just waiting for those numbers to go up a little bit higher. Yep, I'm just waiting a couple of minutes while people are still joining the room. I can see people coming in. Slides are available in the file sharing area, and documents to support the webinar. We'll just get started in a minute when the numbers have gone up a little bit more. I still see people joining us at the moment, so I'm just gonna give it one more minute before we get started. Okay. Hi, everybody.
So those documents are available, as I've said, in the file sharing area. We're also gonna run the poll in a minute, so just familiarize yourself with where things are. There's gonna be a poll available in the polling room, and we'll just get started in a minute. I'm just waiting for people to join us in the session. Okay. Hello, everybody. Documents and slides are available. I'm just waiting for people to join us at the moment, and we'll get started in just a minute. Okay? So people are still coming into the room at the moment, so I'm just waiting for them to join in, and then we'll get started in a minute. Okay? People are still coming in and joining us. For those people who have just joined us, there are documents available. I'm just waiting for people to finish joining the session, and then we'll get started. Okay. So I'm just gonna wait a couple more seconds. There are people watching, I think, on YouTube as well, so we won't get the same numbers into the room as we might have before. So we're gonna go ahead in just a couple of seconds. There are documents available in the file sharing area for you to download while you're waiting. So there's notes to support this session and a copy of the slides.
Okay. So we're gonna get started then. So hello, and welcome to today's session on cybercrime in supply chains. What today's session is really about is thinking about cybercrime in the context of your supply chain. So we're gonna take those traditional notions of cybercrime and we're gonna put them in the context of your supply chain, and think about whether or not we can explore your supply chain in different ways and how cybercrime might affect that. So I've been doing talks and discussions, webinars, training sessions, those kinds of things, in cybercrime for about four, maybe five years now, something like that, and a lot of them focus on traditional definitions of cybercrime.
What we mean by cybercrime, links with cybercrime into other frauds within your firm and how you can spot that, and insider threats and those kinds of things. We're gonna touch on some of those things today. But what we're going to do is take a different angle in terms of cybercrime and pull that into thinking about the firms around you, those that you do business with, and how those links and digitalization can influence our responses to cybercrime and how we can manage our risk in respect of those things.
So today's session is thinking about the highlights in terms of the supply chain, which has been highlighted as a key risk in legal services. We're gonna have to think about why that is, what kinds of things are happening at the moment in legal services, that increased digitalization in legal services and how that looks. We're going to have a look at the concept of a supply chain. So what do we mean by a supply chain, and how can we begin to map that supply chain, and how can we begin to evaluate that?
And what people say generally when we start down this road is that there's not enough time. I don't have enough time to map my supply chain. I don't have enough time to think about whether or not, you know, my supply chain has appropriate systems in place or not. What we're going to do as part of today's session is an exercise for you to have a go at mapping part of that supply chain, thinking about who the critical actors are within that, to answer some key questions around that, and to take some of those points away with you, so that hopefully, if you act on those things after the webinar, once we've made those lists where they relate to you and relate to your firm, you can take that away and very quickly start to fill some of those gaps in, and it should be a case of job done. We've sorted out and created a map of your supply chain.
You might be able to do some evaluation as well as to whether or not those systems are in place, you know, whether they have systems in place, what they look like, those kinds of things. So we're going to do that as part of today's session. So that's gonna be the interactive element in today's session.
I'm sorry to hear somebody isn't able to download the file, so I've just got the chat function up here in front of me. And if you have a discussion with Tom, I'm sure we can sort that out or email a copy over to you. I'm going to keep the chat function open. We're gonna just keep an eye on whether or not people have any questions as we go along, but also, as I've done with the other webinars that we've been doing in this series, I'll also do a frequently asked questions after the webinar as well, so that people can post questions. And if I'm not able to answer them, then we can send a document out with all of those things there.
So the numbers are still going up. So hello to those people who have just joined us; we are in the midst of the webinar now. Do be aware that there are documents to download in the file sharing area, and those include the slides for today's session. But also, there's notes that accompany today's session, and polls and a quiz and those kinds of things.
We're gonna have a look, when we're talking about what's in today's session. We're gonna have a think about your supply chain, as I've said, so what it is and how we can begin to map that. And as I've said, we're going to do that mapping exercise with you. So you get the opportunity to have a go at that.
We're gonna have a think about what kinds of things the regulators are highlighting as being key issues within cybercrime, but also how to respond to that and what the increased digitalization of legal services means. We're gonna have a look at some data from the ICO that looks at where some of the key points have come from in terms of personal data breaches, and whether they're cyber data breaches or ordinary data breaches. So if anybody's having problems with the file download, please put it into the chat, and I'll let Tom respond to that.
There are also, within the webinar, best practice ideas. So to take that mapping exercise and to go away, maybe have a chat with, you know, your groups of your suppliers or people who are in your supply chain. So, for example, if you meet with your local law society, if you have informal networking meetings with people, you can bring this to the table and say, what kinds of services are we buying in? How can we reduce our risk and understand what kind of security measures people have in place?
We're going to do some interactive elements. So there is the chat function here for you to deal with. But there's also the opportunity to participate in the polls and do this mapping exercise as well. So, really, today's session is about thinking about the context of cybercrime, thinking about supply chains and why that's important. And we're gonna see some examples of different breaches and how a breach of data in your supply chain, or a breach within your supply chain, can affect your firm, and the importance of measuring, you know, then evaluating the systems of those around you. So this builds on and takes a new angle on those traditional talks around cybercrime.
So let's just start with the poll so people can start to get a bit involved. So we're just gonna bring up a poll now. In your view, what are the key issues in cybercrime? So have a vote on that.
So we've got on there phishing, which is where people send spam emails. You might have experienced this yourself. Have a look at the poll right now. We've got vishing, spam phone calls, or smishing, so that's fake text messages. Malware we've got, which is where people can download malicious documents, for example, files onto their system. Ransomware, which is a form of malware that can be downloaded onto the system, and then, you know, you have to pay a ransom in order to get the client data back. Or where people have been hacked. So somebody could be trying to maliciously hack your firm, passwords, for example, Wi-Fi codes, those kinds of things, in order to obtain access to the firm. So have a vote on that.
So people are voting now. We've also got CEO spoofing, you know, if anybody has fallen victim to that. CEO spoofing is where people can send an email saying, you know, this is the chief executive, I'm the senior partner, the accounts manager, can you please send this money out to this person immediately, as a matter of urgency? And actually, that's not really them sending the email. And Friday afternoon fraud. Is that a big deal, in your opinion, where client information can be hacked, okay, and then, you know, they're sending completion monies in conveyancing cases out to the wrong person?
So we've got some votes coming in in respect of this. So it's interesting to see what people think are the main issues today. Phishing emails. So people do get a lot of phishing emails at the moment. We've got malware on there at 29%. People are also, you know, concerned about external hacking, and then a significant amount of people there are also concerned about Friday afternoon fraud. So get your votes in now, and then I'll just end the poll in a second. So just another minute to have a vote and see which kinds of issues. Malware, people are really concerned about that.
So get your votes in now. I'm just gonna end the poll now. We'll see where we are. So the top issue there that people found was malware, followed by hacking. So some of the more significant issues there, and then, you know, a good amount of people also voting for phishing, ransomware and Friday afternoon fraud.
So what we're focusing on today is thinking about some of these key threats in legal services, what different people have said about them, and why the focus has been pulled in in terms of supply chains. So when we think about all of these things that happen within all of those different examples there, Friday afternoon fraud, CEO spoofing, hacking, ransomware, malware, they can all affect different people within the firm. But they can also affect our supply chain as well. If we in our firms are subject to a cybercrime attack, this can also affect the firm next to us, so it can affect the other person in our conveyancing chain or the other defendant on the, you know, personal injury side, who's doing business with us. We might be exchanging emails with them. We might be sending documents. If there were malicious programs operating on our computer, that can also be used as a method of transmission to them as well. So our supply chains are vulnerable to the cybercrime that happens to us.
This webinar is building on those traditional concepts and threats of cybercrime, which we've just seen there. We're pulling out some of those issues to think about who's in our supply chain, whether we can evaluate their systems, and what some of those issues are. The National Cyber Security Centre published a report on legal services that set out key threats for legal services as being phishing and data breaches. So the idea that people can come in and obtain data in different ways, the sensitivity of the data that is held by legal services firms. They also looked at ransomware as a key consideration.
So this data is so sensitive and so valuable that people are prepared to pay out in order to obtain that data back again. And also supply chain compromise. So this idea that there are different players within our supply chain. And if you look at the legal services market, it is dominated, not in terms of monetary value necessarily, although the big deals are focused on the City, who can, you know, afford this sort of IT provision. But there are lots and lots of small firms, so they outnumber the large firms, if you like. So in terms of physical numbers of firms, the market is dominated by smaller firms who, you know, have to make their own provision in terms of IT services.
And there has been a significant amount of client money lost, usually in large amounts, that has been lost through Friday afternoon fraud. So we're thinking about 11 million. I mean, that's a huge amount in client money that's been stolen in 2016-2017, and for a large proportion of that, there was a significant problem with Friday afternoon fraud. So where the client email is being hacked and client monies are being diverted off, you know, they're being told to send it to a different account. Those monies are being diverted off to a different place.
People have lots of different motivations. Those can be economic, so to obtain client money. But law firms also hold highly sensitive client data, and people can be holding sensitive client data about very high profile individuals as well. And so state actors and people with different ideological perspectives could also be targeting firms in order to obtain that data as well. So it's important to think about the security aspect of what you're dealing with within a law firm. A lot of the information that a law firm deals with could be considered to be highly sensitive and could be the target of cybercrime. What the SRA have said, and their focus.
If you look at their reports, those kinds of things, their focus has been on the traditional sources of cyber threats. So they haven't as yet thought about the links between firms, or set any standard, if you like, in terms of evaluation of what's going on in terms of suppliers, aside from, and we'll build on this later, thinking about cloud security and cloud provision. They have focused on traditional sources of cyber threats. So thinking about phishing, vishing, malware, ransomware, and, as I've said, any of those things could cause difficulty in the supply chain.
The SRA said that in 2017 they received reports of 512 breaches of confidentiality. Now, some of these breaches of confidentiality are going to come from non-cyber sources. So some of them might be people being overheard talking on the train about a client matter, or you've left a document on the train about a client matter. I had a situation in a coffee shop a few weeks ago where somebody left a contract in a coffee shop in front of me. So people can breach personal data in different ways rather than just through cyber. But the increased digitalization in legal services means that we have to see cyber as being a particular focus and a particular threat when we're talking about confidentiality.
Oh yes, I've also seen we've got some other responses in the chat function there. Okay, so that's other people having a conversation. So let's move on then to having a think about data breaches. Now, if we have a think about data from the Information Commissioner's Office and the types of personal data breach that are out there, cybercrime is beginning to make inroads into this. So we are seeing that with the increased digitalization in different sectors, and this is across all sectors.
So we're going to do some analysis in a minute to have a look at where we're seeing some different breaches, both in terms of non-cyber and cyber threats. So what the key threats have been in terms of this are where people have made, generally speaking, non-cyber disclosures. So we're thinking about data emailed to incorrect recipient, data posted or faxed to incorrect recipient, or other non-cyber incidents. We are seeing the vast majority of data breaches across all sectors, going up there above 600, above 500 and 600, in respect of these kinds of things relate to non-cyber incidents. However, we do see significant amounts related to cyber incidents. So, for example, there's unauthorized access or there's phishing. Okay, we also see them in terms of things like failure to use BCC, failure to redact, but we can also see them in respect of cyber incidents like ransomware. We are seeing significant amounts of cyber incidents in respect of data breaches.
Although we do have to remember, we're talking about confidentiality, those kinds of things, and making sure the systems are in place, so cyber is not the only option in respect of those. We do also have to have our policies and procedures in place in respect of data, you know, that could be disclosed accidentally. So, for example, if we're sending the email to the wrong person, or we're faxing something across to the wrong person. Okay, I'll just turn this whiteboard off.
So let's have a look at what's happened in terms of sectors. And I've just done a brief analysis of this, and you can see in respect of this, this is non-cyber data breaches, and you can see here legal down there in the sort of orange. Now, the data breaches, generally speaking, I mean, we've got quite a lot. You can have a look. Health has been highlighted there in blue; you know, there's quite a lot. You know, we do see the highest amounts for legal services.
We're looking at data emailed to the incorrect recipient or data posted or faxed to the incorrect recipient. So when we're talking about cyber, do put it into context, and also make sure that people are aware that there are other ways in which people might be, for example, breaching confidentiality.
Let's have a look at what's happened in terms of the most significant cyber personal data breaches and where they've come about in legal services. I'll just turn this whiteboard on. In legal services, the most significant data breaches have been in respect of unauthorized access, so this will be hacking. Okay, here. And phishing, just there. Okay, so what we were talking about on the previous slide, the data breaches in terms of, you know, emailing to the incorrect recipient, was about 65, something like that. And here we're talking about data breaches in respect of phishing and unauthorized access. We're talking about less than 20 in respect of those.
So why has there been this focus on legal services in supply chains? And why has there been this focus, overall, on cybercrime in legal services? Well, when we look at the amount of money lost, and we talked about this already, 11 million has been lost in client money in 2016-2017. It's a huge amount of money. And we also need to bear in mind the sensitivity of the data that has been stolen, and that people might be doing this for a particular motivation. Okay, so what is being stolen and how it's being stolen is what's important, and we need to think about how that's being thought about in our supply chains. Overall, we might see Friday afternoon fraud as being part of a supply chain attack on a law firm. So, you know, that's being thought about in that way. So it really is the amounts of money being lost and the sensitivity of the data that's being stolen. What we're also seeing is an increased use of digitalization. People are increasingly servicing clients.
If you look at the makeup of law firms, doing analysis, I did this several years ago, you can see that law firms generally cluster around towns where people are. People are increasingly now seeking out non-high-street law firms, or they might be seeking a law firm quite a long way away, for example. So we're increasingly seeing remote clients and use of email, and it gives people the opportunity to disrupt a legal services supply chain in different ways. Now, individual law firms might have secure systems, and we might have raised the awareness within legal services of cybercrime quite significantly over the last few years. However, what we now need to think about is securing those supply chains and stopping the weak points within any supply chain from being exploited by cybercriminals. I'll just clear this, and here we go.
So when we're thinking about a supply chain, what are we thinking about? In respect of our supply chain, "the entire process of making and selling commercial goods" is what is defined in the dictionary. And when I've looked for traditional definitions relating to supply chains, they generally do talk about goods and so bothered in services. We do think about them in terms of maybe an industrial production, those kinds of things. But we can think about it in terms of the way in which we within legal services provide advice and guidance to clients. So the end output might be a conveyance, it might be a litigation matter, it might be producing a contract for somebody, it might be reaching a deal or an agreement. But what we're still doing is working with other people in order to provide that.
We have seen some high profile breaches within people's supply chains. So, for example, Ecomnova, who runs four of Debenhams' websites, and these are examples outside of legal services, runs four of Debenhams' websites, including Debenhams Flowers. Their access into, you know, the Debenhams system meant that they were compromised.
So they had an attack on their systems, a malware attack, and it compromised Debenhams' systems. Similarly, we've just had a situation, if you've been watching what's been happening in terms of cloud services and cloud news and cloud security. Capital One have been subject to an alleged attack on their systems, with a lot of clients' banking and financial data taken, allegedly by an Amazon cloud employee. Now, Capital One had announced that Amazon would be their preferred cloud provider, and I think that was last year. This has just recently happened, and somebody, an Amazon employee, has been arrested.
Now, if you think about this, how many people out there, how many law firms, store sensitive client data on the cloud? And what does that look like? Where are people storing this data, and, you know, could this be subject to access by anybody else? And what they've said is, you know, the explanation that was given at the time was this was some form of configuration. So the access and security controls that were in place needed to be better configured. So we need to think about, if you're using cloud supply within your supply chain as well, also who has access to that and how that works and operates. And that could be a key issue for lawyers or law firms to consider in terms of the sensitivity of client data.
So what the National Cyber Security Centre have said is that there are key weaknesses within people's supply chains, and what they're looking at is the cloud, which we've just talked about, and where people are storing data. They are also encouraging people to think about their suppliers' systems. So what they look like and how secure a supplier's systems actually are. They are also encouraging people to think about the software that they're using.
We'll see in a minute that there has been an example within another sector where software has been compromised, and this has led to a lot of people being affected across an entire sector. So you think about those things as being potential weaknesses when you're thinking about this. You can also bring in the GDPR responsibility in respect of that as well. Who do you send data to? Can you minimize the data that you send? Can you work to understand who your key suppliers are and who you do business with regularly, and what kind of systems they have in place? Okay, you might think about whether or not any third party can come in and gain access to the systems, and whether data is being outsourced, and whether you can minimize the data and how that works and operates. But those are the three things that the National Cyber Security Centre have highlighted: thinking about the cloud and where you're storing data, thinking about your suppliers' systems, but also thinking about software providers and what kind of security is built into those systems.
These are some known cyber supply chain problems from different sectors. So there's something called, when you're thinking about bringing in third-party software. So this is the software supplier example. There's been examples in the energy sector where software used across the sector has been compromised, and this has affected suppliers. So things that you might take for granted as being, you know, really safe may need an evaluation. Also, website builders have been targeted, so creative agencies who build websites for people have been targeted and their core scripts have been targeted, meaning in the end, websites that go out to a number of different people who've purchased, companies who have purchased those websites, have then been compromised.
And when you get the average consumer going onto those websites, they're visiting, then, compromised websites. There's also been compromise of data aggregators, so credit referencing agencies have been targeted, people who store, for example, data relating to store cards, those kinds of things. Anybody who's compiling, aggregating and storing that data could be at risk.
There's also been examples of people targeting what is known as a watering hole. So a watering hole is a website which can be used by either an organization that's being targeted or, more commonly, across an entire sector. So I'm sure we can all think of websites that are used across legal services. We might get our news from them. We might get information from them. We might all visit those certain websites on a regular basis. That's known as a watering hole. Those websites can be targeted because a lot of people visit them, and there have been instances where sectors have been targeted and those websites have been targeted with, you know, malicious downloads being made available. So you've got a website where a file can be downloaded. The website may not be aware that they've been compromised, but what people are downloading has been compromised as well, intended to disrupt the entire sector.
So when we're thinking about managing supply chains, what people sometimes say is, how can I go and evaluate my systems and the systems of a supplier? There can be difficulty in doing that, and that can be very time consuming to do that.
And so what I want to do is just do a quick mapping exercise with you to try to take some of that time out of the equation, so that today, if you go away and do some things that we discuss in today's session, and do a little bit of following up afterwards, you could be in the position where you've done some evaluation and started to understand your supply chain a little bit more, but also understood where your critical data is coming from, and also, you know, take some steps after this webinar to go and evaluate the systems of your suppliers.
There can sometimes be security issues in disclosure, although people might be willing to discuss with you the systems that they have in place. It can be useful to discuss information with your suppliers and with those around you, so that if they're subject to a threat, then you can also be notified of that as well. And that could be part of your business continuity. Legal services is dominated at certain points by small suppliers, by small firms, and it's important to work with people around you to understand what threats they're experiencing. If you're also in their supply chain, you might be experiencing the same threat as well, but also that can provide you with critical intelligence. You can pass that on to the people in your firm.
So let's have a think about how we define our supply chains, and what I've put on the slide there is a way of managing and understanding what we mean by supply chain. In different ways, we can start to make a list, but then it becomes unwieldy in different ways, and sometimes we need a way to categorise that. So what I normally look at is the horizontal supply chain. So that might be the people that do the same thing as you.
Okay, so it might be the other law firms that are in your conveyancing supply chain, or the other law firms that are commonly on the same side, or on the other side to you, in the matters that you deal with. Who else are you regularly working with? Which other law firms? And can you write them on that list? We're going to do this in a minute. Okay? I'm gonna ask you to have a go.
And then have a think about the vertical. So what we mean by the vertical is anybody else who works with you to deliver the product to the end client. So we might think about, if you're in conveyancing, the search company, for example, or an insurance provider. We might think about expert witnesses, for example. We might think about litigation funders. Anybody who helps you supply that end product.
And then you can think about other stakeholders. It might be websites that you regularly visit, we've talked about watering holes. You might think about the SRA. You might think about your cloud security provider. You might think about anybody else that helps you, or that you're regularly doing business with.
I've drawn a map here as an example. So if you've got a firm A in a conveyancing chain, who's selling, and they've got firm B, who's buying and selling, and firm C at the end there, they're all exchanging information. And if you have an attack on one person's system, okay, for example, a phishing email comes in, it's got something malicious on it that's going to be downloaded onto the system, that might then start sending emails out to everybody else in your address book, those people that you commonly do business with. We might see attacks that also happen across the piece on different firms at the same time, in case people are particularly targeting a chain. I've given an example of a litigation supply chain there. You've got, for example, a lead firm. We might have a class action, so lots of different firms involved with a lead firm and then a defendant firm that relates to that.
All of those people are going to be exchanging information, emails going backwards and forwards. If somebody's home computer is infected, if somebody has some sort of issue, that can multiply and spread itself across the chain. Okay, so we can also then see horizontal. So horizontal supply chains can also lead us into the situation. People map their horizontal supply chain sometimes in order to reduce risk, and this can help us. So if we have local networking groups with our other local law firms, we can go in and start to talk to them about some of the common issues in cybercrime, what security measures people have in place, those kinds of things. But we can also see how people are dealing with clients and what information is being given out to clients.
We can also see that a lot of our horizontal suppliers are gonna have access to clients in the same position, and we've talked about Friday afternoon fraud and clients being particularly at risk in terms of that. So we have to be aware of the extent to which we're exposed to clients, and also the information that we're giving out to clients as well. So educating the client about risks in the supply chain, and educating the clients about the fact that you won't change the bank details. But also people have started to be approached, for example, by, you know, fake emails coming from the Council for Licensed Conveyancers asking for money, fake emails coming from different estate agents asking for payment. Educate your clients about the different ways in which people might contact them, and what's legitimate and what isn't legitimate. I'll talk more later about the ways in which you can support the clients in respect of that.
Now, what I've also done there is added in the vertical suppliers. So, for example, we've got our horizontal suppliers, firm A, firm B, firm C. You can also then map in your horizontal suppliers.
So the people who help supply the end product but don't do the same job as you. So you might have insurers, credit referencing agencies for when you're doing your due diligence checks on clients, you might have surveyors, a mortgage company, you might have the Land Registry, for example. You also, if we talk about litigation, you might have people who are committed to refer into you. So you might, they might be doing litigation from this. Witnesses, experts, doctors. If we look at our other stakeholders, you might have cloud storage. You might have your software providers for firm management. You might have people who do your accounts. You might have insurance, and staff. Do they all work on the premises? Have you got anybody freelance, for example? Do you have a website developer? What about your landlord? What kind of provision is made there? And also the client as well. So thinking about bringing the client in at that point as well. Also think about the regulator and any government agencies that you might have relationships with. So that's a good way of starting to understand who is doing business around others, and then thinking about going away and having a look, and just having a look at their systems to say what kind of information has been provided to clients, do they process critical data, but also can we evaluate their systems as well, so that we understand where the risks are too close. And increasingly, people are moving into this digitization. So people have stores of different information in different places. And there's new, you know, new modes of communication, which can pose different challenges, as people are increasingly doing business by email. And think about the ways in which you're doing business with your key suppliers and whether or not that's secure. So thinking about that when you're evaluating people's systems. So what I'd like you to do now is just to take five minutes to have a think.
People often say we don't have the time to go through and, um, map out our supply chain, and we don't have the time to go through and do this. So I just want you to take five minutes now, map your contacts really quickly. So just draw this down on a piece of paper. Ah, hey, age, horizontal or vertical and other stakeholders, and then say, right, which law firms, in my horizontal column, do I commonly do business with? Who supports that? Make a list of the companies, and which stakeholders do I regularly interact with. Okay? And I just want you to do that really quickly. That is the beginning part as part of this session. If you could do that in five minutes, that is the beginning part of this mapping exercise that you can use to then take away and say, do we send them critical data, and what kind of systems do they have in place? And can we share information with them about supply chain incidents in respect of cybercrime? People often say we don't have time to do this. I just want you to do it in five minutes. Think about whether people are, you know, who these people are, and we'll move on in a minute to thinking about whether or not they handle critical data, and whether or not that critical data, and whether we can evaluate their system in some way. So just, I don't want you to share this with anybody. This is just for you. I just want you to spend just a couple of minutes just now, write it down, make your list: horizontal, who are my law firms that I interact with on the other side regularly, or that I'm on the phone to regularly, or emailing regularly; in my vertical list, what are my other companies that I'm regularly using; and in my other stakeholders list, what are, you know, who are the other websites that I visit. I'm just giving you a few minutes to do that. Now have a go at it. People say they don't have time to do it. We're going to do it while you're watching this webinar as part of your CPD. Okay, to make this list.
And then in a minute, we're gonna do a little bit more exercise on evaluating whether they've got critical data, and evaluating what their systems are. And you can take that away this afternoon. Okay. And then you'll be there with the job done, hopefully, to have mapped your suppliers and also thought about, you know, have started that process, beginning to map whether people have got those systems in place and what those systems look like, and sharing that information with people. So I'll just give you five minutes to do that. Your horizontal suppliers are those people in your, you know, your law firms that you're commonly doing business with. Your vertical ones are the people that you are, um, you know, that help you deliver that end product. So the insurers, the search companies, your expert witnesses. And the other stakeholders, anybody else. Okay, so now we've got all of this information process that they've given you five minutes to do that. I don't share it with anybody. I just want you to have done that and thought about it and come up with a really, really quick list, and the ones that you think of first are highly likely to be the ones that are there. Okay. So what can you do now you've got this list? Okay. The Guardian, their Small Business Network, recommends asking your IT provider. So think about how we got somebody committing this, your IT. You've got that list. Now take that away this afternoon and, um, ask, and have a look and say, do I know what kind of security those people have in place? What kind of systems, and can I share information with them if something goes wrong? You can start the process by looking out and seeing what systems were in place, and evaluating those systems. Take steps to limit the data that you send to another party, if possible. What data are we sending, and do we need to send it? Okay, so this can help limit and reduce your risk. And, if possible, use information exchange portals.
There are a number commercially available. The National Cyber Security Centre also says keep software up to date. Ensure your network permissions are configured correctly, and ensure that you're managing him can credentials correctly as well. Particularly where you're exchanging information on portals and you're exchanging information with other parties. When you're dealing with a supply chain, the National Cyber Security Centre advise people at board level, so it's really high level, saying: does access provide that way in? Are our partners and suppliers handling data securely, and do products and services have security built into them? Are we satisfied with that? And if they are, a lot of the time you're gonna be saying yes. Consider setting standards as part of your contracting process, making sure people are up to date, but do that proportionately, because there is a small business element to this as well. And then when we're thinking about cloud security, we saw that breach there that we talked about earlier with Capital One and Amazon. Okay, so if it can happen to Capital One, it can happen to a law firm. Okay, thinking about making sure that you understand what kind of cloud provision you're buying. Understand the security arrangements relating to that as well. I've put further information about this in your notes. But just to be aware that there are different types of cloud provision out there, and that different types of cloud provision result in different security for you and for your client data as well. So, for example, if you buy the public cloud, this is your average service that might be provided by Dropbox, for example. Um, and anybody can buy that Dropbox business with your credit card, and Dropbox is then providing the software. It is also providing the security, and they set the security arrangements, so there could be instances in which their employees could have access to that information.
If you have a community cloud, this is where it's set up and intended to meet the regulator requirements of that particular sector. So I can't pass any comment on whether it's compliant or not, but for example in legal services, and now star, okay, they provide community cloud services intended to meet those regulator requirements within legal services. You can also have private cloud as well. And that's where somebody sets their own access controls. And it might be a known organization. Make sure that you understand your cloud provider's provisions, and there are further definitions in there of what you might be buying as well. So I've put further information in your notes, but make sure that you understand whether the cloud provider would notify you had there been unauthorized access to data, and what they would say to you about that. Make sure that you understand what those security controls are, and those configurations as well. And what the SRA and the CLC say is that it doesn't remove your duties and responsibilities and confidentiality by storing information on the cloud. And have a think about who else might be in that cloud provider's supply chain, and whether that cloud provision is in any way layered up with anything else, and make sure that you understand what the access controls are and who can have access to it and what those configurations look like. Another concern for GDPR purposes is also to think about whether cloud provision is being used outside of the UK. So where is the data physically being stored? And the FCA published a consultation paper a little while ago, the link is in your notes, where they suggested that people go and visit, in the banking sector, go and visit that cloud provider's premises. People wrote back and said, that's actually not physically feasible in some cases. But what the ICO suggest is having a look to see whether a cloud provider has an independent audit instead.
But do be aware, if the data has been transferred outside the UK, there are restrictions in the GDPR as to where the data can be transferred to. So think about where your data is physically going to be stored as well. Think about this also from the perspective of intervention, and the regulator may need to have access to the data if they had to intervene into a law firm or practice. That sometimes causes people alarm. But do think about how you're storing the data and where it is being stored, and what the potential consequences are of that. When you're thinking about contract terms with your cloud provider, also have a think about what you would do if your cloud provider became insolvent or there was some business continuity issue. In what circumstances are you being notified? And what does that look like? Now there is more information in your notes, and there's also some really useful links to information from the Information Commissioner's Office principio se from the SRA, and also from the CEO, about thinking about cloud provider security as well. Just also, when we're thinking about supply chain management, think about those people who are in your supply chain, and in what circumstances they would notify you if there was a problem. So, for example, if there was someone somewhere, and somebody in conveyancing, you know, if you're conveyancing, so somebody in your conveyancing chain had some malware on their computer, and that managed to get hold of your client data as well, when would you be notified and what does that look like? Make sure that you're thinking about third parties and thinking about those of and you be part of the solution, and offer your support where you can. When you think about your own security, make sure, and think about, that not too much is put into the hands of one person. We can spread our risk by limiting the individual responsibility that we give to individuals within our organizations.
We can also take steps to understand how we would respond to a breach as well. You can have mock-ups. You can have your business continuity plan. You can employ somebody to help you, so to fake up a breach as well. But you can also try this within your firm and see how people respond to what happens when the worst happens. And we can do this as well by having social engineering assessments as well. So something that I've been involved with companies doing is sending out emails to people and seeing how they react to different things, trying to obtain information from them, so we can look at different ways of responding when the worst happens as well. And this can be used when we're thinking about our supply chains, and thinking about, can we help another provider by doing this, and also how we're going to respond when that happens, and making sure that we have the steps in place so that they can be notified if there's a problem. So if we then take all of those points that we wrote on earlier. So you wrote down, I'm just gonna put the whiteboard on and write on this. So you wrote down horizontal. Oh, is that drawing? Horizontal, vertical and the stakeholders. And we separated those out there. And we also had to think about, when we mapped our horizontal supply chain, clients as well. If you think about your critical supply chain actor, you can take that list and you can look at it and you can say, and put it in there. Just spend a couple of minutes now having a think, just off the top of your head: do those people have crucial data, or do they, or could they, provide a way in to my system? Okay, and what we've said is, think about whether you've done any evaluation in respect of their system or not. Okay, but where I've put a circle around that, you could take that away and say, do that this afternoon. So use, work with, and send that, you know, the list of people that you've made the list of, send that off to your IT provider.
Your IT support, or provide that to somebody in your organization to go and have a look and say, um, what kind of security arrangements have people got in place, and do we know what those are? Are we satisfied with those? Can we limit the data we send? And you could just do that now, while I'm talking. Have a think about what data you're sending to them. You know, can we limit that in some particular way, and can we include them in our business continuity plan? And that's something else you can take away for this afternoon. So just have a think about whether those people are handling critical data, and if you can minimize that in some way, and whether you've done any evaluation of those systems. Once you've got that list, you should be able to take that away this afternoon, okay? And just go away and say, take some steps, either pass it on to your IT provider or take some steps internally to have a look at what systems those people have got in place. And also to, you know, you might get together with the other people in your, you know, who do the same type of work as you, in your informal networking meetings, and go together as a group to say, can you tell us about your security? Invite people in to speak about those things. Take steps to evaluate those systems and include them in your business continuity plan. Or you could this afternoon send off a few emails and say, can you just tell me about the security system so I can include this on my evaluation, so I can think about making sure that supply chain is secure. If people get together in groups and start evaluating, um, their supply chain systems, this can also be something that you can sell, a selling point to the client. We're confident in our supply chain. We're confident in the security arrangements that sit around it. And for those people that watched the, ah, the webinar that related to risk, we've also got, I've also put that down there, the impact multiplied by probability equation: are people processing the data?
What's the impact going to be, and what's the likelihood of that happening? What kind of systems have we got in place in respect of that? But people can come together in networks and in groups within their supply chain. And so we're confident of everybody. For example, in my town, everybody in the local area, we've all worked together on this, and actually, we do understand the ways in which our cyber security works. So you can take those steps now, just while I'm talking, to add those points in, um, to say, um, uh, does this provide the, uh, crucial data or way into my systems, and have they included them in the business continuity plan? I'll just give you a couple of minutes to have a think about that, and you can take that away this afternoon and finish that off. If you do it really quickly, it might be something where we've said we haven't got a lot of time, and it can be a very time consuming exercise to map all of our suppliers and map and evaluate those systems. But you might be able to do it quite quickly or prove start that beginning process to raise awareness. We'll start having those conversations with people quite quickly and therefore provide some assurance, and think about that yourself, to raise that awareness within the supply chain of potential cybercrime issues. There's also issues related to insider threats. Now we have seen, I mean, we go back to the example where the person has been arrested from Amazon Cloud for accessing the Capital One data. Um, thinking about making sure that you understand the motivations of your staff, and understand the staff, um, vetting, and, um, understand who you're taking on, checking, making sure you're going back and checking out those references. Um, understand where crucial data is held. Understand who has access to that, and what those key positions are in respect of that. When you're thinking about data breaches, if you get any, however, think about un.
Understand whether you think that those are malicious or whether there's been some sort of mistake, and do conduct a thorough investigation to understand what somebody's motivation is in respect of something. You can take steps to monitor the data use of employees, although there are implications in respect of that, and there's a link in your notes in respect of that, although it's something that I would encourage people to look into independently before taking those steps. Do make sure that you restrict access to that which is necessary for the employees to do their job, and note if people are going or asking questions beyond what should be expected. And also, be aware if people are, you know, membership of particular groups, those kinds of things. Anything where there might be something that might cause some form of issue, might lead you to question, particularly if you have, um, high profile, ah, high profile data and high profile clients. Just be aware of employees' behavior as well. Is anybody behaving strangely? Is there any indication that somebody is out to, uh, undertake an activity that might be coming events or in other ways malicious? And then it's very important, and I've said within the notes, that we don't often see our clients as being part of the supply chain. But when we're talking about Friday afternoon fraud, they are a key weakness in that supply chain, so they don't have the same security systems in place. Ah, so, um, uh, no the company, so we can go and evaluate all of our suppliers in respect of the security systems that they have in place and how they go about and do business. However, we can't necessarily expect the same of the consumer, and one thing that we can do is say that the consumer is an integral part, in some cases, of the supply chain.
So they're sending funds over, they're sending information over, and that all contributes to the end product that is being supplied in legal services, which means that they are a key weakness in that supply chain. Educate your supplier. Educate your consumers, and discuss IT with them. You can use the Take Five to Stop Fraud campaign, where there's loads of resources and information for consumers if you don't want to provide that yourself, but you can take steps. So ask them about security, and talk to them about who will talk to them within your supply chain and who definitely won't. So educate the consumer to be aware of potential cyber risk. So we haven't had instances of malicious emails pretending to be from regulators, malicious emails pretending to be from other people within different supply chains. Um, ask the client about their security and encourage them to use secure products. Model that behavior by using secure services yourself. And be knowledgeable and open to those questions about cyber security in order to raise people's awareness generally, and have those discussions with clients. Make sure that you understand your privacy statements and make sure that they're correct. OK, so you're thinking about who you're providing data to within the supply chain. And make sure that the consumer understands where the data is going in respect of that, so there's no nasty surprises. For example, if somebody finds their data has been hacked in another place, however, we have taken all steps that we can in order to protect that. And that's part of that mapping process that we've just done just now. Map your data distribution and use. Think about where data goes and how it's used within the supply chain. Um, and then the National Cyber Security Centre does have up to date advice about the use of different products. And you can also do your own Google searches in terms of thinking about which products are out there.
Which products are well rated in terms of security, but the National Cyber Security Centre does provide opinions and views as well. There's also some materials available for you to use within your firm for Take Five to Stop Fraud. And, um, there are online tests for consumers to see if they understand the difference between a phishing email, not phishing email, signatures, logos, those kinds of things. So there's lots of things that you can do in different ways to continuously promote that message to consumers. But do try to do that and raise awareness, because they are a key weakness within that supply chain, as we've seen with Friday afternoon fraud. So that brings us to the end of this webinar. We've talked about the National Cybersecurity report on legal services. We've talked about concepts of supply chains, and we talked about what they are, how we can map them ourselves, and hopefully you've had a go, and hopefully what you've got there in front of you now is a quick map of your supply chain, horizontal and vertical, and those relating to other stakeholders, and have considered, just briefly there, yes or no, have they got crucial data and do they have a way in? But in that case, go away, take those steps to evaluate what systems they have in place. And you can do that with a trusted IT provider, or go away and have a look yourself to see what systems they have in place. We've also talked about cloud security, so that increased digitization in legal services, to people using new technologies, but also that storage of information. Think about where you're storing the information, and the examples that we've had in respect of that, you know, the example there, a breach of Capital One customer data by Amazon Cloud employees. However, think about, uh, the regulator's view, and take their advice in terms of cybercrime. So thinking about the steps that the SRA advise you to take, but also that focus on cloud security as well.
Um, we've also thought about best practice ideas for you and your suppliers. Get together with people and discuss the security arrangements we have in place, and make arrangements to notify them if there is any breach or any problems, so that that intelligence could be passed across the network. What we've done today is also had a think about, I made this an interactive session. So hopefully you've got that map there in front of you and you considered who your key suppliers are really quickly. Okay. You've also thought about whether people have crucial data and a way in, and whether or not you can minimize the data that you're sending to them in any way. You can take those tables away and use that. If you do it this afternoon, send a few emails out: can you tell me what security arrangements are in place? Or pick up the phone to people, or give it to your IT haven't service provider to make some enquiries or type. I think about what they would. You know, maybe you've already started this process of thinking about that and looking at it. You can take that away, and if you do that really quickly, you could have completed that, hopefully, an initial go at the mapping exercise, maybe from by the end of the day. So hopefully this has been time well spent. We often talk about mapping our supply chains as being a, you know, an unwieldy exercise and very time consuming. But we've conducted part of that as part of this webinar. Hopefully you have enjoyed the webinar. There are documents to download, which Tom has made available on the file sharing area. Please do let us have your questions from today's session, and I will provide a document detailing the answers to any questions that are posed as well. So it just remains to say, ah, thank you very much for watching.