When it was founded in 1962, Simkins was one of the first legal firms to represent a group of up-and-coming clients from the music and film businesses. The firm grew over the following decades to become one of a small number of specialist practices with particular expertise in the legal and business side of the media and entertainment industries and quickly gained an unparalleled reputation for outstanding deal-making, uncompromising toughness and total confidentiality and discretion for its high-profile clients. From this foundation, the firm expanded into the full range of practice areas that you would expect from a modern and award-winning law firm. Today, Simkins continues to be one of the foremost media and entertainment firms in the country and has developed an excellent reputation across all its practice areas and sectors.
With a client list including a veritable ‘who’s who’ from the world of entertainment, Simkins has always recognised that it is a target for cyber criminals seeking access to the confidential information it retains to help it serve its clients. As such, Simkins has continually invested in strengthening its cyber security defences at a technical control level and through security awareness training for staff across the business.
As Nick Wright, CIO for Simkins, explains, “We have all the usual type of controls in place to protect access to our systems, applications and data. However, we also recognise that sometimes we need to visit unsavoury websites, for example when we are looking at infringement of IP or trademark, that typically an organisation would normally restrict its web users from accessing. To this end, we first started working with ANSecurity to help us update our content filtering and inspection technology to newer systems from Palo Alto that offered much more granular control over access – that’s where the relationship started and it has grown since then.”
The success of the initial project fostered an ongoing relationship between Simkins and ANSecurity, which has gone through several cycles of consulting and projects as part of the evolution of its security controls. However, it was the confluence of two events that recently accelerated that relationship: Simkins’ longer-term strategy to gain Cyber Essentials Plus accreditation and the more immediate need to respond to the COVID outbreak. “The pandemic forced a massive shift in our work routine,” explains Wright. “From a practical standpoint, moving staff into remote working requires new ways of accessing systems and information and it also brings new working patterns that we felt could have impacted our security controls.”
Ahead of the UK government-imposed lock-down order, Simkins started a pre-emptive plan to get its business ready for home working and Wright brought in ANSecurity on a consultative basis to assess its current controls and recommend a plan to get it ready for a lockdown scenario.
“We evaluated key areas such as our VPN access, user authentication and other controls from the viewpoint of risk,” says Wright. “Essentially, we started upgrading our infrastructure and putting in elements that could handle not just 10% of our staff working remotely, but everybody, across every type of business activity. We needed to strike the right balance of security to mitigate risk without putting up unnecessary barriers to the productivity of our staff.”
Initially, this meant scaling up and load balancing its terminal servers, upgrading the bandwidth on its IP connectivity and adding VPN capacity to support remote working. Just two weeks before lock-down, Wright and his team ran a company-wide test to shake down any issues and get staff used to the idea of remote login and working.
“We had already moved to Office 365 for Exchange, so we had some good building blocks for location independence and ANSecurity came in and helped secure all these environments and give us an external expert view of our security controls,” Wright adds.
As lock-down was enacted, Simkins was able to move all its staff to a remote working position. “Yes, we had a few challenges getting laptops and 4G dongles for staff with poor home broadband, but from an access and security perspective, the work we had done put us in a really good place so disruption has been limited.”
Results and benefits
Even with the rapid push to move to remote working, the underlying ethos of continually improving cyber security was not forgotten. And over the last year, Wright and his team have been aligning the organisation to meet the Cyber Essentials Plus accreditation standard with the help of ANSecurity.
“This is not just a tick-box exercise for us,” explains Wright. “We recognise that we – and in fact the legal profession that routinely deals with incredibly sensitive information – must make cyber security an absolute priority. Cyber Essentials gives us a great framework to work against and practical steps we can take that are considered best practice.”
To this end, ANSecurity have worked on several projects to help Simkins meet the core controls including tightening up user authentication, access privileges, and securing data in transit and at rest. “This is an ongoing effort and we have just finished our first successful Cyber Essentials Certification which has helped to not just show our commitment but offers external validation that we are delivering against best practice,” Wright adds.
In terms of the relationship with ANSecurity, “It may sound like a cliché, but it is pretty close to a real partnership,” says Wright. “We are able to have candid conversations about threats, risks and where they think we can strengthen our posture – and because they are not aligned to a particular vendor, this independence gives us an insight into the market that is invaluable.”