Comment: Cyber Governance 101 – Who to trust?

By Rois Ni Thuama (pictured), head of cyber governance at Red Sift
IT Directors are facing a predicament – budgets for IT services including cybersecurity are on the rise in 2019[1], but the cybersecurity industry continues to promote the myth that the complex, expensive solutions are the only way to mitigate the threat from the omnipotent, superuser hacker. Do IT teams then simply allocate significant proportions of budget to these silver bullet solutions that will tackle these unknown threats?
Some time ago, Dr. Ian Levy the Technical Director of the NCSC raised the superuser myth ostensibly to debunk the notion[2] of the Advanced Persistent Threat. Instead, Levy mocked the phrase, referring to hackers as ‘Adequate Pernicious Toe-rags’. The point being, cybercriminals are less polymath, Renaissance men and much more simply one-trick pinheads. It’s critical that companies prioritise addressing the most significant threats that they’ll face rather than the exotic ones that they probably won’t. For busy IT directors, it’s a challenge to know where to turn and when you can’t trust many of the firms peddling the solutions, who can you trust?
Start by talking to the impartial experts
The UK’s authority on cybersecurity is the NCSC, part of GCHQ, and the UK’s authority on cybersecurity. The insights that they publish are as a result of their access to some of the most sophisticated capabilities available. The conclusions they draw are a result of pursuing sound research methods and they have the data to support their conclusions, unlike cybersecurity firms and consultants, who (let’s be fair) produce insights which are of dubious quality, less civic-minded and more self-serving. The NCSC’s overarching aim is to reduce the cybersecurity risk to the UK by improving cybersecurity and cyber resilience. They have zero commercial interest in advocating for any particular solution.
Moreover, NCSC rely on industry insight and expertise. Relevant data eg from the National Crime Agency (NCA) and Action Fraud (UK’s national reporting centre for fraud and cybercrime) are collated, assessed and form part of the findings into the most significant risks.
Their reports and insight can, and should be relied upon by decision-makers generally across sectors. As far as cyber governance policy goes, this is cyber governance 101.
Uncover and meet internal challenges head-on
If insights into the most significant cyber threats contained in the NCSC report are dismissed by non-technical business leaders, then the technical team tasked with ensuring the security and cyber integrity of the firm would do well to take  a two-fold approach:
 – Determine the precise objection – If a non-technical business director rejects the advice of the UK’s leading authority, it will be useful for the firm to understand their reasoning. An ipse dixit approach isn’t defensible and no sensible firm should tolerate it. It will be difficult to sustain a reasonable argument not to proceed to address the most significant threats in order, given the credibility and authority of the publisher of the research.
 – Reference your regulating and representative bodies  Reinforce the findings contained in the report by highlighting that this Cyber Threats to UK Legal Sector report was written in association with the legal sector’s own regulating and representative bodies:
(i) the SRA &
(ii) the Law Society.
Combine to create sector-specific advice from credible sources
Cyber threat reports from credible agencies are themselves difficult to dismiss, and sector-specific advice based on data from a series of credible sources is even harder to dismiss through a sustained intelligent challenge.
Reviewing the data, the NCSC together with the SRA, Law Society, NCA & Action fraud will determine that the most significant risks to the UK Legal Sector are, in order:



Data Breach

Supply Chain Compromise

Consumers of legal services could reasonably expect that law firms would heed this advice from trusted and independent experts and take steps to protect against the most significant risks.
Start by building a solid foundation for cyber defence
Cyber security budgets are not uncapped and justifying spend can be challenging so starting with the most significant threat first makes the most sense. As phishing is the most significant cyber threat, following the NCSC recommendation to defend against phishing attacks by deploying email authentication protocol DMARC as Layer 1 protection is a reasonable next step. While no cybersecurity solution provides a ‘silver bullet’, DMARC a global industry standard is widely regarded as essential to protecting a firm’s email, brand and reputation.

So not only have the legal sector been put on notice that phishing is the most significant cyber threat facing law firms, but they know or ought to know that Layer 1 defense to phishing is to implement DMARC.
Research the solution to find what’s best for you
There is categorically no downside to researching to confirm the NCSC’s findings or to verify that their guidance is in line with global industry standards. In the unlikely event, that you reach a different conclusion to the UK’s leading cybersecurity authority and you elect to disregard the guidance then you would do well to clearly document your reasoning to will help your board understand your rationale.
But whatever you do, you cannot do nothing. While the courts will appreciate that an IT director might be busy and overlook the report and guidance but that does not mean it is not negligent. People often take risks in circumstances in which it was not necessary or reasonable to do so. If the risk materialises, they may have to pay a penalty.’[3]
The NCSC, SRA and the Law Society have done the heavy lifting identifying the most significant risks and the NCSC guidance, offered in the report National Cyber Security Centre’s (NCSC) Cyber Threats to UK Legal Sector Report, couldn’t be clearer reducing the administrative burden for busy IT directors. All that remains is for firms to act on the advice.
If you would like to learn where your law firm is on their DMARC journey, follow this link.
[3] Re D’Jan of London [1993] BCC 646, per Hoffman LJ
You can find more about Rois and Red Sift here: