The creators of isology®

Cyber incidents are on the rise as data shows there was a 20% increase in data breaches from 2022 to 2023.

Technology has become an integral part of most businesses, especially post pandemic where many who may have avoided this reliance on tech had no choice but to adapt to survive.

As a result, the question of businesses being affected by a cyber incident has become ‘when’ rather than ‘if’.  However, there are a number of steps you can take to mitigate risks ahead of any potential incidents.  

We invited Jack Morris, Account Director at Epiq, to discuss cyber incidents, the importance of being proactive in reducing cyber incident risk and the steps you can take to mitigate these risks.

You’ll learn

• Who are Epiq?
• What is a cyber incident?
• The importance of being proactive in reducing the risk of an incident
• What can organisations do to be proactive in mitigating cyber incident risk?
• What are forensic tabletop exercises, and how do they enhance preparedness?
• Why might an organisation need to get an incident response retainer?
• What role do Information Governance consultants play in reducing cyber risk?

Resources

• Epiq
• Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Jack Morris, Accoutn Director at Epiq, to discuss how to mitigate cyber incident risk.

[02:40] Who are Epiq?  – Epic is a global leader in technology enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe.

[04:31] Who is Jack Morris? – Jack joined the industry relatively fresh out of university, starting at an organisation called Kroll where he was focused on data management – including overcoming ransomware infected devices and essentially allowing organisations to get access to data that was previously taken away from them.

Kroll was later acquired by Duff and Phelps and went through a turbulent time of many name changes before settling on Kale Discovery. He ended up leaving a year ago and joined Epiq as an Account Director.

Jack’s role at Epiq includes being a facilitator, introducing law firms, corporations and cyber insurers to best in class people and technology.

[06:40] What is a cyber incident?: A Cyber Incident is any unauthorised or unexpected event that compromises the confidentiality, integrity or availability of an organisation’s information systems, data or network. Incidents can range from data breaches and malware infections to single mailbox compromises and insider threats.

Organisations looking to combat information security risks should consider ISO 27001, as it’s key principles include the confidentiality, integrity or availability of your businesses information.

[08:29] Why is it important for organisations to be proactive in reducing their risk of an incident, no matter the size of your business?  – Let’s look at some startling statistics:

In 2022, 39% of businesses in the UK identified a cyber attack in the previous 12 months. Of this 39%, 31% of those businesses experienced attacks at least once a week.

48% of Small to Medium Businesses, globally, experienced a cyber incident in the last 12 months, with 61% of all cyber-attacks specifically targeting small business.

This is the most shocking of the statistics, and why it’s so important for us to be having these kinds of conversations around how business, no matter the size, need to be proactive in mitigating the impact of a cyber incident.

70% of small to medium businesses in the UK believe that they are unprepared to deal with a cyber attack (which excludes those who think they have proper processes in place but ultimately don’t).

Nearly 60% of businesses that are impacted by a cyber incident go out of business within 6 months following!

 [12:10] Are there any particular industries that are most at risk from a cyber incident? – Cyber Incidents are not siloed to particular industries, but there are some trends that we see in the market. Looking at Q1 2024:

January saw a rise in cyber incidents predominantly affecting retail, education and local government.

In February we saw a significant number of breaches, impacting organisations across the full spectrum of markets.

All of this to say that regardless of the size of your business and the industry you operate in, the number of cyber incidents are increasing as well as the severity of said incident.

[13:35] ISO Standard trends – At Blackmores, we’ve seen an increase in demand for ISO 27001 and related data privacy standards across the board for all sectors. A stark difference to 10 years ago where it would mostly only be adopted by those in the managed services or tech based industries.   

[15:30] What can organisations do to be proactive in mitigating cyber incident risk? – Things such as implementing a proactive incident response plan, engaging with law firms and consultancy organisations to become aware of the organisation’s requirements and compliance issues arising from a cyber incident.

If you were hit with an incident today, you must report any personal data breaches to the relevant regulators within 72 hours of becoming aware of an incident or there can be fines that are implicated. To deal with these types of situations, it’s imperative that your organisation has established, sound relationships with law firms and consultants.

[17:25] What is the importance of an incident response plan? – Implementing an incident response plan is crucial because it allows organisations to prepare for potential cyber incidents before they occur. By identifying risks, implementing preventive measures, and conducting exercises, organisations can significantly reduce the impact of incidents.

Organisations should be aware of both the legal and operational issues that arise from a cyber incident – from regulatory compliance and liability concerns right the way through to loss of systems/data and brand reputation are all key considerations that have an effect on the whole of a business.

[18:35] What are forensic tabletop exercises, and how do they enhance preparedness? – Forensic tabletop exercises simulate cyber incidents in a controlled environment. They involve key stakeholders discussing and practicing their roles during an incident. These exercises improve coordination, communication, and decision-making, ensuring a more effective response when a real incident occurs.

The workflow here is clearly defined; implement an incident response plan, and then test that plan for robustness – engaging with external providers, like Epiq, to further add to the existing plan and to test how the organisation will manage an active incident.

[19:35] Join the isologyhub – Don’t miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub 

[21:45] Links with Business Continuity – Response readiness plans and forensic tabletop exercises both tie into aspects of ISO 22301 – business continuity.

In Blackmores’ experience, a lot of organisations don’t actually test their plans, so when going through the process of implementing ISO 22301, where testing these response plans are a requirement, it’s a bit of an eye opener when they realise they’re not as resilient as initially thought.

It’s always better to test these plans in a simulated environment vs a live one, so you can be assured that your plans are up to the task.

[23:40] Why might an organisation need to get an incident response retainer? – We’re starting to see a number of industries, particularly in regulated verticals, requiring businesses in their supply chain to meet a number of different cyber security requirements.  One, which keeps popping up, is to have a plan in place for responding to security incidents. Having a retainer can help meet these compliance requirements.

[26:05] What role does Managed Detection and Response (MDR) software play in proactive incident response? – MDR solutions continuously monitor networks, detect threats, and provide real-time alerts. They enhance proactive response by identifying suspicious activities early, allowing organisations to take preventive action before incidents escalate.

[27:50] What role do Information Governance consultants play in reducing cyber risk? – : Information Governance (IG) consultants specialise in helping organisation define their Information Governance Strategy encompassing data security and defining compliance policies.. They support organisations in defining:

• Data Classification: Identifying Sensitive and PII data and categorising based on their confidentiality or regulatory requirements.
• Retention Policies: Defining policies on retention period of records and method of disposition aligned with compliance requirements.
• Legal Holds: Ensuring necessary data is preserved for potential litigation, internal investigation or as part of audit process.
• Privacy Compliance: Aligning with regulations such as  GDPR, DP, DPA, CCPA.

[33:30] What are Jack’s top tips that the listeners can take away from this podcast session and implement today to begin mitigating their risk? – : Unfortunately mitigating cyber risk isn’t a one-size-fits-all response, however I like seeing cyber risk as 3 buckets, that businesses should be aware of and measure their organisation against:

Technology & Infrastructure – outdated systems, unpatched software and not fit for purpose IT infrastructure pose risks.

These types of vulnerabilities are exploited by attackers, leading to data breaches, malware infections and system disruptions.

So, making sure that your technology and infrastructure is fit for purpose, and up to date is a key takeaway. We spoke about Managed Detection and Response solutions earlier in the session, which is a great, cost effective way of adding an additional layer of technology security.

Human Factor – for me, this is the number 1 frailty to a business. Business Email Compromise incidents increased by 67% in 2023, with Multi-Factor Authentication (MFA) being bypassed in 29% of these cases.

Over recent years, cybersecurity awareness has been the aim of the game. However it is crucial that, as our understanding progresses, we switch our focus to fostering a culture of cybersecurity responsibility among colleagues and employees.

Ensuring that your people are aware of cyber incident (perhaps listening to this podcast), and their role in mitigating the risks associated to a cyber incident are crucial in ensuring that your business is secure.

Preparation – in just about all walks of life, preparation is key for preventing almost anything. We have spoken today about some of the key preparation themes I’m seeing in the industry, from Response Readiness plans, to MDR, to Incident Response Retainers. Getting sufficient Cyber Insurance coverage is of paramount importance to ensure that your business can respond effectively to an incident, should one occur.

If you’d like to learn more about Epiq and how they can help you, visit their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Dinesh Sharma, Director of Information Security Governance at Epiq, joins us on the ISO Show today. He discusses ISO 27001, his in-depth experience of this standard, how it’s working for Epiq, lessons learned, and how he manages this globally for Epiq Global.

We are so excited to interview Dinesh! He has a wealth of experience in terms of implementing frameworks like ISO 27001 and PCI DSS. He’s got plenty of experience ranging from developing information security policies, procedures, managing risk assessments, to delivering security training and awareness, and overseeing internal audits. He also has expert experience in security management and governance as his last 15 years focused on information security.

You’ll learn about:

• What Epiq does
• What it means to be Director of Information Security Governance
• Setting up a security team and managing it in terms of global responsibilities
• Continual improvement at Epiq
• Dispelling ISO 27001 myths
• What has worked well for Epiq in relation to ISO 27001

First and foremost, let’s dive into what Epiq is and does…

What does Epiq do?

Epiq, primarily based in the U.S, is a global professional services company, operating in approximately 25 countries including Germany, Belgium, India, London and so many more.

Epiq primarily provides support to the legal industry (so to law firms and the legal departments within large organisations). Their key service is around E-discovery. This is where there is potentially an investigation, or if two parties are about to enter a litigation. Some processes need to happen around data collection, data review, forensics, processing and document review. Epiq can make all of this so much more efficient and cost-effective for clients! Another core service Epiq provides is court reporting and transcription services. Other services include business transformation services, class-action and a range of other services.

Now, let’s find out more about Dinesh’s role…

Role at Epiq

Dinesh is part of the Global information security function at Epiq. They have a dedicated Global information security team to support the business.

Dinesh’s specific role is to lead the security governance side of things. This means that he manages and helps to define the information security policy set and Information Security Management System (ISMS) within Epiq. He also leads and coordinates the internal security assessments (part of which is internal ISMS audits as well as internal security audits across Epiq). He even reviews and provides input on contracts of clients and vendors around security clauses to ensure they align with the policies of Epiq. His team also delivers staff security awareness and training. Finally, his team manages security certifications including ISO 27001 (very relevant for today!).

So, let’s explore how a mature ISMS is managed…

How to go about setting up a security team and manage it in terms of global responsibilities?

At Epiq they have a dedicated team within their information security function for security operations. This team oversees the security toolset, they monitor the alerts from this toolset, such as their end-point detection and the logging and alerting around network security. This security operations team also takes the lead on defining their processes and handling any security incidents. So, they have a separate team for this specifically.

They also have a separate team for security architecture and security engineering. These teams work very closely with the business to make sure that security is considered and embedded within the projects and new offerings Epiq has as a business, as well as developing their tools. So, if Epiq is looking to implement a new security tool, this team will be very involved in looking at the different vendors that provide that offering, how that would be embedded and work within the infrastructure of Epiq, and the environments with which they serve their clients. So, Epiq has got the structure of sub-teams within the security function well defined!

Of course, sitting on top of this, Epiq is very fortunate to have some very experienced and very qualified leadership come into that team. The governance and operations side is managed by a gentleman called Jason. He has lots of experience and brings experience from other industries he’s worked with. He has a peer called Andrew, who looks after the engineering and architecture side. Epiq also has a new Chief Security Officer (CSO) who is very knowledgeable and savvy. He is doing a really good job of lifting the profile of not only security within the organisation, but also Epiq’s security functions. So, they are fortunate to have that leadership as well.

This is fantastic…when organisations are starting with implementing an ISMS, we always find that leadership commitment is so key! It’s great to hear that Epiq has got a mature management system yet are still continuing to focus on leadership commitment and bringing that in from various angles across the organisation as well.

In terms of the ISMS then…

Epiq has got many other security standards, so what we want to know is how their ISMS helps them to manage all their activities.

Well, looking at the requirements of ISO 27001 and setting up an ISMS that works, Dinesh thinks the most important thing it gives an organisation, regardless of what level of maturity it is at, is what the basic components and principles are in terms of a framework that you should be having in place or that you should consider having. This is because if you want to go for certification to ISO 27001, then you must have some of these things in place.

Dinesh very much sees this as a baseline!

Once, you establish that baseline and you’ve got the documentation, the processes which support the documents and the staff in place who can deliver on those processes. You then think…‘what can you do to increase the maturity’?

A big part of ISO 27001 is continual improvement. This is something Dinesh thinks is very important and puts a lot of focus on in his role. So, that’s all tied with the kind of internal security reviews that they do with the internal assessments that happen. But any feedback they get from the business, or any input or discussions they have with the business which can raise or flag something, e.g., as a potential block, are put onto their continual improvement register to work with the team or the business area. It might be something they have to work on themselves. The important thing is to always look out for these kinds of things. That’s why this is a key area of focus for Dinesh, in his role, as he thinks about what can improve each step of the ISMS in Epiq.

However, a lot of companies, once they’ve completed the assessment, think that’s the job done. But you can’t put your feet up just yet! This is only the beginning of the journey, which is why Dinesh identifies this as the baseline and the foundation to be used for continual improvement.

So, let’s look at what Epiq has implemented in relation to continual improvement, which has been above and beyond this baseline.

Epiq and continual improvement

Epis has implemented a Critical Asset Reviews. They identified their 15 most critical assets and instead of doing a full security review, they pick the 10 most important controls and other controls they think would deliver the highest level of security if they had it in place. So, they have done a very focused security review, based on risk and what they think their most important assets are. They dig deep into what are the risks and issues and by acting on these, it moves Epiq to another level.

Now, let’s move onto the part where we dispel myths around ISO standards!

Dispelling ISO 27001 myths

Dinesh believes that a good understanding of ISO 27001 is needed to know what the standard actually means. There is a difference between being aligned and being certified to ISO 27001. So, an independent review of your ISMS is really important as it shows you haven’t just picked and chosen which parts of the core standard you’re going to implement. It shows that you’ve had to do them all and have had that verified and tested. This would provide a level of assurance to your organisation and stakeholders. That’s why there is such a big difference between being aligned to the standard and being compliant with it.

Finally, I’m sure our audience would love to know…

What has worked well from an information security perspective in relation to ISO 27001?

Dinesh identifies the top-level management commitment within a business as the most crucial thing in any implementation of a standard. The business needs to understand the importance of information security. So, everyone needs to be aware of what the benefits are, what’s going on and what is important…having this conversation in your business really makes everything easier according to Dinesh. Epiq does this during their management reviews, where all four of their CEOs attend. They take the management review section of ISO 27001 and cover most of it in their quarterly meetings, and because this is visibly supported by their CEO, the business leaders reporting to the CEO and all their directors attend the management reviews as well. So, they all understand what’s going on, what’s important and what the key risks are from the security team’s perspective. Having this conversation just makes everything a lot easier according to Dinesh.

That’s it from Dinesh! We hope you enjoyed learning about Epiq’s journey…it’s inspirational to hear how Epiq is still developing, evolving, improving and still getting such fantastic commitment from the very top as well. It clearly demonstrates Epiq Global’s commitment to information security without a shadow of a doubt!

Contact details for Dinesh, if you have any enquires or would simply like to connect with him, you can get in contact using one of the ways below:

Email: dsharma@epiqglobal.co.uk

Website URL : Epiqglobal.com

LinkedIn handle: uk.linkedin.com/in/dineshcsharma

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud