Information security very often does not receive the attention it deserves. However, that is changing as pending legislation in the form of the Protection of Personal Information Act forces organizations to review and implement robust practices for keeping information secure. Law firms in particular are exposed in that their core business revolves around the creation and selling of sensitive information which should be, yet often is not, kept secure.
The South African market is starting to recognize the risk this represents as can be seen with ABSA Bank’s new requirements for lawyers specifically relating to information security management.
Of course, a question to be asked is; Is the risk of losing information real? And, if so, is it really so much more of a risk today than in the past? The answer to both is yes and one only has to look at recent events to see why:
- WikiLeaks – loads of sensitive information left the US Government’s offices on a memory stick
- In August last year Renault leaked trade secrets, resulting in years of R&D effort in the hands of the competition. It also led to the dismissal of 3 senior managers but that’s of little help as the information still sits with the competition (and they will probably end up hiring the fired managers too!).
- The real honey pot sits with Mr. Tobechi Onwuhara, dubbed by Fortune Magazine as “The king of home equity fraud”. Since 2007 he stole a known amount of $44m, but estimated to be between $80m and $100m. How did he do it? By faking identities and instructing the bank to transfer money from people’s HELOCs (an American version an Access Bond).
This last incident identifies a real risk for law firms in particular. The information lawyers use in processing bonds and transfers, is enough to create a false identity. With little process and control in place, it makes a prime target for identity fraud.
Cape Town based Keyphase Technologies, specialists in information security management and digital forensics, realized there was a real need with lawyers and created ISMS for Law. (ISMS is the ISO 27k acronym for Information Security Management System).
Roelf van Zyl from Keyphase says: “We realized that Information Security Management is a rather foreign concept to most, especially lawyers. We saw this from the increased number of requests we got from legal firms seeking assistance with their ABSA compliance requirements. ISMS for Law helps the legal practice to manage their Information Security and comply with the various regulatory requirements. An ISMS in it’s simplest form consists of People, Policies, Process & Procedures, and Product. People is probably the most difficult part, as employees now have to do things differently.
Our product looks at all 4 of these “P’s”:
- On the people side, we constantly and systematically educate employees through a desktop training module. The module feeds information in bite size chunks to the employees without the need and cost in time to assemble all in a room. It also helps to increase retention of information.
- We then define, communicate and explain the policies to the people through the same communication channel.
- When it comes to process & procedure, Keyphase designs, implements and automates the processes needed for information management, doing away with paper and enabling proper reporting on compliance and activity.
- Product is implemented as required and is dependent on the organizations’ current systems and requirements.
Managing an ISMS is an ongoing affair, which is our reason for offering this as a service. This enables the law firm to stay up to date with technology, and to have a constantly maturing ISMS.”
Roelf van Zyl
082 697 1707