North England law firm LCF Law has attained the Cyber Essentials Plus accreditation for both LCF Law and its conveyancing arm LCF Residential.
The certification demonstrates that LCF’s systems and processes stand-up to the scrutiny of a combined external cyber security audit and penetration test and are certified as secure. Around 40% of UK top 50 law firms did not have the higher accreditation rating as of February 2021, according to research by Law.com.
Commenting on LinkedIn, IT director James Hood said: “I’m delighted that we’ve managed to attain this quality mark, the collective effort of both IT people and users alike.”
LCF appointed Hood – who was previously head IT at Lupton Fawcett and before that assistant manager at audit, tax and advisory firm Mazars – as head of IT in January this year.
His appointment followed significant investment in technology at the firm, which included engaging Lights-On Consulting to help update the firm’s infrastructure, including moving from an on-premises environment to a hosted infrastructure-as-a-service environment with Oosha, which was acquired by Access Legal in June 2021.
Hood told Legal IT Insider: “Part of the IT Director-as-a-Service offering provided by Lights-on Consulting was to drive the firm’s IT operation to a point it could be handed over to a full-time, in-house person to manage and continue to drive and innovate, this is where my appointment came in.”
While LCF was Cyber Essential accredited, Hood immediately instructed Mitigate Cyber to take the firm through Plus. He said: “When you are entrusting your entire world to a hosted, multi-cloud environment somewhere between Microsoft 365 and a plethora of managed service providers in contrast to the ‘everything on-premise’ model of yesterday, you need assurances that it is in safe hands. To satisfy ourselves of this we simply must have an independent, specialist opinion on whether our providers are doing everything they should be to deliver the same and to an acceptable standard.”
While having Cyber Essentials certification still isn’t compulsory, it was referenced by the Information Commissioner’s Office when it handed out a £98k find to UK criminal law firm Tuckers in March this year. Tuckers failed a Cyber Essentials assessment in October 2019 and the ICO observed that it should not only have met but surpassed the requirements, commenting: “Given the personal data that Tuckers was processing, including special category data of very vulnerable individuals, the Commissioner believes that it is reasonable to expect that the security within Tuckers should have not only have met, but surpassed the basic requirements of Cyber Essentials. The fact that some 10 months after failing Cyber Essentials it had still not resolved this issue is, in the Commissioner’s view, sufficient to constitute a negligent approach to data security obligations.”
Hood said: “In my head a law firm has to meet certain requirements as far as the regulator is concerned, and Cyber Essentials should be one.”
Hood leads a team of four who are currently working on a significant pipeline of projects that covers everything from business improvement to managed print and electronic document workflow systems, management information reporting, Microsoft Teams telephony and collaboration. It uses Tikit P4W for case, finance and document management and with regard to the latter, one of the next big projects will be to see how it can better leverage its Microsoft 365 investment.