The risk of doing business: is your legal or accountancy firm putting your data at risk?

Lawyers and accountants depend on a bond of trust with their clients. So you would imagine that protecting their clients’ sensitive personal information would be a priority, yet many firms are relying on cybersecurity measures that are untested – and often incomplete. 

At the moment, most firms are presenting an easy target for hackers. And with serious breaches becoming the norm, the promise of confidentiality is becoming impossible for many to uphold, along with the dependability that these trusted professions are meant to provide.  

These sectors seem reluctant to respond to the threat, however. So it could be up to you – their clients – to change their outlook. 

Why are law firms targeted? 

The legal sector has vulnerabilities – they’re embedded throughout its everyday operations. From bank transfers and automated identity checks, to emails carrying your personal information, law firms routinely handle sensitive data, making them an attractive target to cyberattackers.  

In August 2020, for instance, UK-based law firm Tucker Solicitors fell victim to a vicious ransomware attack. The firm holds court bundles including private personal data such as medical files, witness statements and names and addresses of witnesses and victims relating to crimes of all severities. After the breach, hundreds of thousands of files containing sensitive information were leaked on the dark web and held to ransom. 

A common tactic that law firms often fall victim to is Friday afternoon fraud, which contributes to an eye-watering 75% of all cybercrimes in this sector. The name says it all: Friday afternoon is the traditional time-period for completion of property conveyancing transactions. It’s also a time when many in the profession are winding down for the weekend.

Hackers use this window to break into a firm’s defences – which are often outdated and untested – then imitate an employee, contacting clients from what appears to be the employee’s real company email, so they can make off with the completion day funds. It’s the kind of easy-to-mitigate fraud that could be drastically reduced with a robust cybersecurity strategy. 

Due to the substantial amount of money passing between law firms and their clients, these kinds of scams are widespread. Large amounts of sensitive data held by lenders, estate agents and mortgage brokers are at risk. Despite all of this, the sector doesn’t seem to be in a hurry to act.


What about accountants? 

Accounting firms play a pivotal role in our economy, handling financial data of businesses big and small. They also deal with high-value commercial data and sensitive financial information on a daily basis, making them another prime target for cyberattacks.

At the beginning of 2022, Chester-based umbrella payroll firm Parasol was hit by an attack that forced them to shut down their external and back office systems. This in turn led to thousands of contractors going unpaid or receiving lower pay than expected. A similar attack hit the Brookson Group at the same time, and both of these attacks followed a high profile ransomware attack on GiantPay. The UK’s leading accounting companies are certainly in the firing line.


What’s stopping these industries from stepping up their cybersecurity game to protect your data? 

It’s an understatement to say that online working has accelerated over the last few years, but many in the legal and accountancy sectors are still slamming the brakes on digital adoption. Some are beginning to use digital documents, but many are still working with systems that existed before ‘internet’ was a word.

Many specialists in these professions are still wary of technology even at a basic level, let alone cloud computing and e-signing of critical documents.

The pandemic has only made this worse. Overnight home working added a whole new level of cyber challenges, including a deluge of covid-related scams.

The rapid change in digitalisation from forced remote working may have been too prompt for firms to properly consider data security. SME-sized firms tend not to have IT teams, or any in-house understanding. They’ll also probably outsource their compliance, without understanding the implications of their own internal processes.

The only real legal requirement is to follow GDPR, even though they are handling very sensitive information, more so than organisations required to have a pen test. GDPR does not enforce a specific set of cybersecurity measures, but rather expects businesses to take ‘appropriate’ action, leaving law and accountancy firms without IT expertise in the dark.

For some of the most traditional law firms, it may be up to clients like you to nudge them forward. If organisations begin to demand pen tests and other security measures before they will agree to work with a firm, it might tip the balance. This is already common practice in some industries, and it’s essential to ensuring a secure supply chain, so it might not be long before organisations and clients demand the same security measures from their lawyers.

What is the solution? 

We’re not trying to scare you into never using legal or accountancy help. There is a simple solution to ensuring your data is safe.

There is one thing law and accountancy firms must ensure: that a robust cybersecurity strategy is in place. This can inform employees on the rules for encrypting email attachments, steps for accessing work applications remotely, guidelines for creating and safeguarding passwords, and rules for best use of social media.

Getting cybersecurity training up to standard is also critical, particularly in a hybrid working environment. Training ensures promotion of cybersecurity awareness and best practices among employees, so that they can act in your best interest.

As a client, you can request information on your chosen firm's cybersecurity policy, considering they have an obligation to protect your data. Have they put in place a robust strategy, especially since the start of the pandemic, to preserve your information? Are they encrypting the emails that contain your sensitive data? And are they conducting third party due diligence? Next time you’re speaking with a potential legal or accountancy partner, it makes perfect sense to bring cybersecurity into the conversation.

At Datavax, we are cybersecurity experts. To learn more about what we do, check out our guide to independent penetration testing: what we do and why. 


Supplier due diligence: how to stop hackers slipping through the back door

A business of any size needs to get its due diligence process set up from the get-go. And once it’s in place, it also needs to be continually monitored and reviewed.

Due diligence can simply describe the reasonable steps taken by a person to avoid harm. In this case though, we’re going to specifically talk about the risk of a cybersecurity breach via a third party supplier.

It’s not just about compliance and protection. Keeping on top of your supplier due diligence can enable your company to attract both customers and investors. It also gives you peace of mind, so you can focus on building and scaling upwards, knowing your foundations won’t let you down.

Big name data breaches

Ticketmaster and Volkswagen are just two examples of big name brands that have fallen victim to a third party’s vulnerability.

Hundreds of thousands of customers' personal details such as full names, email addresses and phone numbers were exposed in the huge data breaches that occurred via third party suppliers, resulting in hefty fines and a massive dent in public reputation for both vendors.

Had they done their due diligence before agreeing to work with these third party suppliers, these massive blunders could have been avoided. Though it’s not as simple as it sounds.

Large companies like Ticketmaster and VW have huge numbers of suppliers, all with their own subcontractors, making all of them hard to keep track of. And once a cyberattacker has got in via one third party, it’s easy for them to access data in other parties without being flagged.

But these kinds of data breaches aren’t just limited to household names. Smaller businesses and entrepreneurs are also at risk of being targeted.

 

What businesses big and small should consider

Some organisations will barely mention their cybersecurity policy when joining a partnership, but others are more switched on.

Has a supplier completed a pen test recently? Was it completed by a tester who is CREST-certified? Some organisations will consider everything about their suppliers and partners, even down to the routers businesses are using for their WiFi.

While you’ll want some differentiation depending on the type of supplier, you’ll want a due diligence policy you can roll out to every single one. This will keep your business, your employees and your customers digitally secure – and enable you to pass the checks of those performing due diligence on your own organisation.

 

Four best practices for supplier due diligence

1. Security questionnaires for suppliers

First, it’s crucial to understand the ways cybersecurity is implemented into a supplier’s own best practices.

A supplier due diligence questionnaire examines risk by asking questions on data security, human resource policies, financials, and references. You can then use a supplier’s answers to set requirements the third-party supplier must uphold to meet the standards of the business relationship. If anything goes wrong, you can refer back to their answers and hold them accountable.

 

2. Tiering suppliers by criticality

Save time during supplier onboarding due diligence by tiering your suppliers based on the relationship they will have with your business.

For instance, you’ll want to prioritise security of an organisation that will need access to your sensitive data (e.g. a SaaS product provider) more than a business that does not have immediate access to critical information (e.g. a graphic design agency).

Instead of trying a one-size-fits-all approach to evaluating criticality, tiering helps you work out whether you need to review evidence of a clean independent pen test, or whether it's enough for a supplier to abide by GDPR.

 

3. Monitor your suppliers regularly

Cybersecurity due diligence needs to be kept up throughout your vendor partnerships, and isn’t something you can just forget about once the contract is signed.

Depending on your resources, you can use an automated continuous monitoring solution to keep your finger on the pulse of the varying risk profiles of your suppliers. Or you could simply require suppliers to update you on any changes in their systems or processes that have the potential to impact security.

 

4. Evaluate third-party cyber security risk using a pen test

If a third party is dealing with your customers’ data, they will need to present a recent penetration test report, showing either a clean result, or detailing the actions taken to rectify any vulnerabilities found, plus the related retest to ensure the remedial work has been effective.

Penetration testing (often referred to as pen testing) is a security exercise that attempts to seek out and exploit vulnerabilities in a computer system, network or web application, to identify any weak spots that could be taken advantage of by a hacker.

A successful test can often reassure customers. Even if they have to address gaps in their security, businesses can wear their due diligence as a badge of honour.

By following these best practices, you can lower the risk of partnering with third parties and relieve the burden on employees. Your security, legal and compliance teams will thank you.

 

Datavax is a trusted, neutral cybersecurity partner with expert CREST-certified pen testers. See how you could benefit by booking a free 30-minute consultation with one of our senior testers and project managers today.


Beyond compliance: The business benefits of penetration testing

It goes without saying that the biggest benefit of carrying out regular penetration tests is protecting your business and customers from an attack and data breach. However, there are also a number of other benefits businesses can leverage.

Compliance is also crucial to avoid facing fines – from GDPR to PCI DSS and SWIFT CSP – but compliance and protection from an attack are far from the only factors to consider here. If you’re looking for funding, looking to be acquired, or simply looking to land more deals, it might be time to consider the business benefits of penetration testing.

 

Peace of mind

Pen-testing can highlight where your team needs training, where your software needs updating and where your system needs restructuring. Crucially, independent pen testers can make these recommendations without trying to sell you a solution.

Ultimately this gives you peace of mind. Once your team’s cybersecurity strategy has been thoroughly tested with both manual pen tests and automated tools, you’ll know what you’re working with. You can see what’s not working, improve your protocols and setup, and ensure a continuity of security throughout your organisation. Then you can keep building your company without worrying about cracks in the foundation.

 

Attracting and keeping customers

It’s not only your organisation that will appreciate a pen tested infrastructure. You’re also able to pass on that peace of mind to your clients – reassuring them that their data is safe with you.

Large organisations are aware of the risks involved in trusting other companies with their data. Some of our own clients require cover letters for the companies they work with, and they won’t link their data to your organisation unless they can see you’ve either had a clean pen test or you’re addressing any issues that were found.

So if you can promote the fact that you’ve had pen testing done to prospective clients, you’ll be more likely to get through their quality assurance gate. And once you’re through it, you’ll be able to appeal to other key stakeholders too, particularly strategic and financial partners, who need to feel at ease before they give the go ahead.

 

Attracting investors

Speaking of financial partners, it’s here that the rubber can really hit the road. Companies looking to merge with or buy other businesses often won't even consider acquisitions that they can't qualify as being data-secure.

Shareholders can be equally discerning. If Series A or Series B funding is in your long term plans, you need to act like a billion dollar company before you’re treated like one. That means having a robust information security strategy and being able to prove it’s airtight.

 

Protecting your brand

The pandemic has made it clear that businesses need to look beyond present efficiency to create systems that are robust for the future. So while your brand may be unscathed to date, you can’t afford to roll the dice on your reputation tomorrow.

Thorough penetration testing can ensure you avoid more than GDPR fines. It can ensure you steer clear of irreparable damage to your brand. If vulnerabilities are uncovered in testing, especially if they come up more than once, you’ll know how you need to act to mitigate risk. You’ll be able to address the issues, create a long term continuity plan, and keep growing long into the future.

 

A blueprint for data security success

So whether your destination is acquisition, funding or converting more leads, a bias-free audit can set your company in the right direction. Your IT teams might have carried you this far. But scanning for blind spots will do them a favour in the long run – and inspire trust in all onlookers, too.

Datavax is a trusted, neutral, and CREST-certified cybersecurity partner. To learn more, don’t hesitate to get in touch.


Independent penetration testing: what we do and why

If you’re looking for penetration testing for your organisation, you’re unlikely to want to compromise. You’re dealing with highly sensitive data - medical, financial or personal - and the risk of disclosure doesn’t bear thinking about.

Except, of course, you have thought about it. You’ve built a highly secure system to protect against malware and supply chain attacks. You just need an authority to examine whether your infrastructure is watertight.

At Datavax we leverage established practices, certified testers and the latest security tools to uphold the highest standards of testing.

We’re independent, and that’s unusual

A lot of companies that provide penetration testing are also trying to sell you something.

Like a mechanic at a garage, they’ll check over your car, see what’s amiss and then offer to fix everything. Now a very trustworthy mechanic might give you a very honest quote. But in general, there’s a reason that MOTs and NCTs take place independently from those who make a living fixing the problems they find.

It’s the same with penetration testing. If a tester’s priorities are split between finding issues and fixing them, their assessments may not be entirely without bias. At Datavax, we’ve chosen to offer testing alone so that you can have full confidence in our findings.

Our Red Team approach simulates a real cyber threat

When it comes to what we can find, we believe we have the edge.

Ultimately when you’re trying to protect against hackers who may be highly proficient, you want testers who are highly proficient too. Testers who are capable of finding any and all security weaknesses ethically before they’re discovered illegally.

Hackers are humans, capable of using human creativity to exploit exposed vulnerabilities. So our testers, likewise, don’t rely solely on automatic tools for our tests.

Now, we do make use of some of the strongest tools available, including Burp Suite Spider, Nikto and Dirbuster. But for our web application testing, automation only accounts for 25% of our Red Team penetration method. Our CREST-certified testers (the Red Team) expend most of their efforts creatively using this auto-gathered information to see if they can get past the security of your organisation (the Blue Team), simulating a real-world threat.


We uncover security gaps that other teams might not find

Our ethical hackers are, if we may say so, some of the best in the field. Our team holds a mixture of certifications including CREST and has extensive experience in testing methodologies. We also put a senior penetration tester on every project to ensure we don't miss even the most complex or hard-to-find vulnerabilities.

And we do find them. We’ve found cookies that would have allowed a hacker to create a new Administrator level account and wreak havoc. We’ve identified a cached post-authenticated client session that would allow for PII leaks. We’ve even discovered an SQL Injection that enabled us to download a database table full of unencrypted credit card information - for hundreds of customers.

Because the companies in question hired us, the gaps in security were discovered by ethical hackers, and not the other kind. They didn’t have to pay out fines, deal with reputation damage, or face a single hiccup in their operations. They could simply address the issue and continue to serve their customers with peace of mind.


We’re personally on hand from start to finish

Even when you know that the test is necessary, that the threat is a simulated one, and that you’re hiring a CREST-certified team, it’s still a little unnerving to let anyone hack your organisation.

That’s why we ensure you have a dedicated contact from the early scoping stages right through to the end of the project. Your project manager will help demystify the process, be on hand to answer any questions, notify you if any critical issues are found, and ensure the entire project is efficient.

Your dedicated project manager will never close a project until you are happy and your team understands both our reporting and the actions they need to take. We want to offer support for as long as we can be useful and make the experience as positive as possible.

Some penetration testing companies might choose to be faceless, but from our perspective our people are an important part of the package. While the human side of what we do might not seem as important as our technical rigour, the companies we work with come to highly value it:


“Working with the team at Datavax was a joy. From the outset they were warm, friendly and professional, and provided clear feedback and advice.” - Chief Technology Officer

“Datavax were very easy to deal with. All queries and requests were responded to promptly and in a pleasant and helpful manner.” - Credit Union Manager

“Datavax provided an excellent service from beginning to end.” - Chief Operating Officer

 

We provide a senior tester every step of the way

You won’t only get a project manager from the get-go, you’ll also get a senior tester.

Your IT team, CTO, COO or consultant will be able to ask our senior tester highly technical questions. In return, they’ll be able to ask your team questions that a less experienced tester wouldn’t know or be confident enough to ask. This senior input enables us to scope out your infrastructure in a more defined way. As a result, you get a more accurate quote and our team will be able to put their efforts where it counts.

When you need to bundle several tests together (web, app and social engineering, for instance) a senior tester will have the experience needed to schedule these according to your priorities. If a less experienced tester was left to do this, it would be much more of a guessing game. But our team setup enables you to get better value in a clearer timeframe.

Finally, our experience and responsiveness ensures no time is wasted. During the scoping stages, a senior tester might highlight an issue that you can sort straight away, even before we begin testing. Also, once testing begins, if critical gaps are discovered in your security, our team will feed this back to you in real time so you resolve the issue fast.

 

To learn more about what we do and how we do it, don’t hesitate to get in touch.


CREST certification - don't accept anything less

In theory, penetration testing can be done by anyone from any location. If they have the setup of an ethical hacker – a laptop, an internet connection and the relevant software – they’re ready to go. The only issue is, can you have confidence in their services?

When it comes to hiring pen testers, you’re naturally looking for those you can trust with your data, security and reputation. That means choosing testers accredited for high technical ability and watertight codes of conduct. And for many organisations, that means CREST.

CREST-certified testers are rigorously and independently assessed

It’s often more expensive to use a CREST-certified tester since they’ve acquired a vast amount of experience and a high level of technical expertise. The journey to CREST certification is long and hard, but the lessons a tester learns on that road are worth their weight in gold.

The accreditation is not permanent. All CREST-qualified professionals are required to re-sit examinations every three years. This ensures you never hire an ethical hacker who is anything less than a leader in their field.

CREST-certified professionals typically have at least 10,000 hours of experience, and they are capable of managing ethical hacking teams that can dive deeply and creatively into an organisation’s infrastructure. To learn more about this process – known as a Red Team approach – see our article on what makes our independent penetration testing different.

CREST-certified testers sign up to enforceable Codes of Conduct

All pen testers holding a CREST qualification sign a personal code of conduct, which ensures they follow ethical practices and vetted processes.

You don’t have to take a CREST member’s word for it, either. As a governing body, CREST can and will carry out onsite audits of their members. They also extend their rigorous expectations beyond the walls of the company to any contractors working or assisting the organisation they vet.

What are the other options besides CREST?

While there are plenty of pen testing qualifications from GIAC to CRTOP and CEPT, only a few certifications serve as an effective barometer of how trustworthy a tester is.

CHECK is a popular accreditation in this regard since it’s a government scheme conducted by the UK National Cyber Security Centre. Tigerscheme, set up and administered by the University of South Wales, is also well recognised.

But sooner or later, if you spend any time in cybersecurity circles, you’re going to hear someone say that CREST certification is the gold standard – and few would debate the point.

The Council of Registered Ethical Security Testers is the seal of approval that many public sector contracts and major private companies look for – and sometimes require. Just as no one ever got fired for buying IBM, no CTO or CIO ever took heat for doing business with CREST-certified testers.

So is CREST worth the cost?

CREST’s high standards mean that when you hire a certified tester, you’re prioritising the security of your organisation. While this has obvious preventative benefits, it also has significant business benefits.

We’ve seen several cover letters which include the sentence, “We’ve had penetration testing by a CREST-certified tester”. 2022 cybersecurity trends suggest this practice will only increase as organisations become more and more discerning of those they do business with.

Datavax is a trusted, neutral cybersecurity partner with CREST-certified testers. If you’re still sitting on the fence about pen testing, you can book a free, no strings attached, 30-minute consultation with one of our senior testers and project managers.


A quick guide to planning your 2022 cybersecurity strategy  

If you’re anything like us, you’re probably reflecting on your 2021 IT infrastructure and wondering, ‘how can we iterate on this and make it even stronger?’

Inevitably, cybersecurity will be front of mind whether you’re a CTO, COO or a founder. This will be especially true if you’re in a growing organisation with a swelling data footprint, or if you’re diversifying into new sectors, or releasing products that make use of sensitive financial or health data.

Looking at the aftermath of events in 2021 such as the HSE phishing crisis and the supply chain attack on Kaseya, it’s safe to say the benefits of testing your security go far beyond prevention and compliance.

PwC’s Independent Post Incident Review of HSE shows their infrastructure was insecure because they lacked investment to maintain it. There’s no doubt that getting the budget you need to create a robust infrastructure is non-negotiable, so here’s our quick guide to evaluating and iterating on your cybersecurity this coming year.

2022 and beyond

What we do now needs to be informed by what’s ahead. By 2025, Gartner predicts that 60% of organisations will prioritise cybersecurity when deciding on transactions and business engagements. This is hardly a far flung prediction, either. We’ve already seen companies rule out organisations for acquisitions or mergers based upon their security infrastructure.

Bloomberg report that according to the US Treasury, the average ransomware transaction was $102.3m per month in 2021. And while cyber insurance might mitigate the damage, it won’t cover GDPR fines or protect against disruption as ransomware attacks become more frequent. Market analyst Jeffrey Williams told the Insurance Times that ransomware attacks now occur every 11 seconds, which is in line with pre-2021 predictions.

With this in mind, it’s no surprise that the Digital Europe Programme is assigning €269m of its funding to advance cybersecurity equipment, tools and data infrastructures. Similarly, the UK government is investing £700m in cybersecurity training and business support.

Whether you take advantage of this funding or not, it’s essential to evaluate your security strategy, policies and technology. You may realise you should be enforcing a zero trust policy, role based access, stricter VPN policies – or you might need to ensure your remote employees have the home infrastructure they need. For many companies, it will also be crucial to reassess their hybrid working cybersecurity strategy and monitoring tools.

Getting the buy-in and budget you need

As with many organisations, you will eventually come up against the issues of internal buy-in and budget. And this is where you’ll likely want to consider a pen test. 

Pen testers can discover where exactly the vulnerabilities are in your organisation – whether it’s your cookies, authentication or employee behaviour. Once you know what your weaknesses are, you can present the risks to stakeholders and use your budget to strengthen them in the optimal way. 

To understand what kind of test is right for you, you should know that automated tools alone will not be sufficient. Hackers don’t solely rely on automated tools, so you shouldn’t rely on defences tested by automated tools either. Of course, the strongest tools can speed up the process, but if you’re going to simulate a real cyber threat, you’ll need a seasoned ethical hacking team – known as a Red Team – testing your infrastructure.

You should also strongly consider hiring pen testers who are CREST-certified or similarly qualified and vetted. The process, training and experience they undertake to get that certification makes them an invaluable asset to have on your side. 

Finally it’s worth understanding the benefits of independent pen testing. The more impartial your testers’ security recommendations, the easier you’ll find it to persuade stakeholders that those suggested measures are necessary.

Book a free consultation 

To kick off the new year, we’re going to be offering organisations a free 30-minute consultation to discuss their infrastructure and cybersecurity strategy.

You’ll have the opportunity to speak with a senior tester and a project manager, and ask any questions – technical or otherwise. There’s no obligation to commit to any form of pen testing with us afterwards, but we’ll be able to explain anything in case you need to make a business case to other decision makers in your organisation.

Datavax is a trusted, neutral and CREST-certified cybersecurity partner. To book a consultation with us, don’t hesitate to get in touch.