Freshfields CISO Mark Walmsley explains how he manages insider threats

Freshfields CISO Mark Walmsley is responsible for all the information security at the oldest member of the Magic Circle of elite British law firms, a task has become more complex as the cyber threat has grown.

Law firms are high-priority targets for attackers as they hold extremely sensitive and valuable client data that can be used to reveal trade secrets, business plans, and stock trading purposes. They are also more attractive targets than their clients as the information they store that’s of interest to hackers is typically less voluminous.

To protect Freshfields, Walmsley spends his days evaluating security across the business, responding to audits, talking to partners, training colleagues, supporting clients and addressing any alerts of potential threats and developing his cyber security strategy as the threat landscape changes.

“The challenge is that there is a much greater group of hackers out there who are really motivated to get into businesses, so it’s difficult to keep up with the level of threat and the number of threat actors. Number two, the threat’s from the inside, not just the outside,” Walmsley tells CIO UK at Cyber Security Connect.

“Businesses throw a lot of money and strategy and clever people at protecting the perimeter. Not enough people are doing it on the inside. We need to be investing there and we need to understand the accidental and malicious behaviours that happen there.”

Insider threats have grown as employees have gained more administration provisions. The proportion of staff given local administrative privileges on their work devices jumped from 62% in 2016 to 87% in 2018, according to CyberArk’s 2018 Global Advanced Threat Landscape Report.

Their threats encompass a wide range of motivations, actions and results, but can be a sensitive subject to address, as the person responsible will be an employee of the target.

“The zero trust model is the new way of thinking, and that’s a bit emotive, particularly with your peers and colleagues,” Walmsley admits.

Technical protection

Walmsley’s mitigation technique is based on the golden triangle of people, processes and technology.

“You can’t just buy a technology to resolve a problem,” he says. “You have to say how does my workforce work? What do they need to do? How are they most efficient? That’s the people.

“Then you go to the process and document exactly what you’re doing and what’s acceptable. What does the road look like? And then the third thing is investing heavily in good technology, and there are a few products on the market at the moment that do very good insider threat technology.”

Freshfields uses the Dtex platform to detect insider threats by analysing behaviour across user groups and point out signs of unusual activity.

The system records lightweight user behaviour metadata from the endpoint and analyses it with machine learning to pinpoint any threats. Data is anonymised to protect employee privacy.

It provides protection whether user devices are connected to the network or not, by gathering the information and loading it up the next time it’s connected

“We have a full audit log of everything that’s gone on and all of the alerts will trigger as soon as it’s got connectivity back to the network,” explains Walmsley.

Protecting people

Educating employees is the second barrier of defence. Walmsley reduces risk by offering clear guidance to staff about what’s acceptable and then instilling a mentality of joint responsibility.

He breaks his training strategy down into three key points.

“The first one is you can’t offer just one way to educate people. Everyone needs a different vector, a different mechanism,” he says. “Secondly, a one-time shot is never helpful, so it needs to be continual. Thirdly, you need to do it in a way that’s so simple that people understand their obligations.”

Freshfields provides training in a variety of different way. It offers e-learning backed up by communications, marketing materials that contain guidance, threat briefings that illustrate the issue and put the risk in context, phishing prevention tests and presentations.

“The more of those that you have it means that one or two will really bed down for different types of people,” says Walmsley.

Protective processes

The CISO’s day is getting busier as risks grow and threats evolve. Walmsley believes the best of his peers look to the future and create a “roadmap of risk”.

His own strategy for developing this is talking to clients to find out their concerns, collaborating with other industries whose defences may be more advanced, working with colleagues to build mutual trust and understanding, and discussing his ideas with people who aren’t technical experts.

A cyber-savvy board and line manager ensure Walmsley has the support he needs for his strategy and awareness of cyber threats is growing across the business.

The introduction of GDPR has added to the understanding. It will force Freshfields to respond to breaches in a shorter period of time. Organisations that don’t have the requisite visibility into what’s happening inside their networks could be in big trouble if they don’t react quickly.

The regulation may have added to his workload, but Walmsley tries to take the positives out of the new requirements.

“GDPR makes both businesses and their members of staff more accountable. That’s really important in cyber security and it also means that it is a higher priority,” he says.

“You can actually use it as a bit of a lever, because when we’re looking at protecting data, we don’t necessarily distinguish between client confidential and personal data. It has the same high value to us. If you have a regulation that looks at personal data and requires you to behave in a particular way, that allows us to leverage that behaviour against the rest of our datasets and processes.

“A lot of people moan about it. It’s finding its feet. It’s aggressive. It’s got teeth. As an industry do we think it helps us? Yeah, I think so.”

Routes into security

Walmsley had a legal background of his own before becoming a CISO. He has a law degree from the University of Derby and worked as a paralegal at Freshfields for three years before moving into the IT department and working his way up the organisation into his current role.

This career route gave him a deep understanding of the business and an ability to communicate with less technical colleagues.

“Lawyers work in a very different way to techie people,” says Walmsley. “They have a very different level of analysis. They want very clear messages and want them backed up by fact.

“Over the years, having worked in one of the big groups, I’d learnt how lawyers wanted to work. I understood how the techies were working and I’ve been able to bridge that gap.

The previous CIO at Freshfields told Walmsley that his greatest skill was his ability to communicate between IT and the rest of the business by distilling a technical conversation down into something that’s easy for a lawyer to understand.

“Personally speaking, I think the role of a really technical-only CISO is dying off,” he says. “A CISO is about risk management and therefore the ability to identify risk, analyse it and then provide options to the board, means you’re becoming much more of a trusted advisor. Having a background that’s outside of IT or at least exposure and experience outside of IT is going to become increasingly important.”