GDPR Compliance for Law Firms: Data Backup Considerations

In my recent blogs, I have penned a number of articles round preparing your law firm for GDPR from an IT perspective, including six key steps that firms need to be taking to ready themselves for GDPR, understanding where your data is stored, controlling access to your data and cyber security considerations.

In today’s article I wanted to focus on data backup, as I find that there can be much confusion about effective, compliant backup, and it is quite common for law firms to think their data is safely backed up, only to find that when a problem arises which causes them to revert to their backup, that for any number of reasons, it doesn’t work as they anticipated. Having an effective data backup strategy forms part of any organisation’s obligations to safeguard the data that they hold, much of which is likely to contain information that identifies individuals, and therefore falls under the scope of the GDPR.

There are a whole host of reasons why you need to backup your systems and data, for example to protect against:-

• Ransomware attacks 
• Deletions – accidental or malicious 
• Data corruption 
• Hardware failures 
• Software problems 
• Fire, flood or natural disaster 

As well as forming part of your firm’s GDPR preparations, having effective backup strategies in place to mitigate the types of risks listed above is also an important part of SRA compliance, since Principle 8 of the Code of Conduct states that you must “run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles”.

It is important to realise that there are many different types of backup, and they each provide protection against one or more of the above scenarios, but they do not all necessarily provide full protection against every scenario, so it may well be appropriate to deploy several different layers of backup.

A few things to think about include:-

• If you are using removable media (hard disks or tapes) to backup your system, where do you store your backups? If they are onsite, then there is a danger that say a fire or natural disaster that incapacitates your live system could also wipe out your backup system. If you store them offsite, what is the procedure for recalling them to site in a disaster and how long would it take to retrieve them?
  
  
• How often do you backup your data? If it is only nightly, then in a disaster you could lose up to a whole day’s work. What are your procedures to re-create this data? What about emails that have been lost? Would this be acceptable to the business, to the regulator and to your clients? If the answer is No, then you need to review the frequency that you are taking backups.
  
• Are your backups permanently connected to your live system (e.g. hard disks or online backup that presents itself as a drive on your machine or server)? If so, in the case of a ransomware attack, there is the danger that your backups could be encrypted as well as your live system and effectively rendered useless.
  
• How many copies of your backups do you hold? Some organisations rely on a real-time cloud based backup or replication to another server to hold up-to-date backup data. Whilst this is very useful in some scenarios (e.g. a server hardware failure), as it ensures there is no data loss, in other scenarios in may not work well at all – for example a data corruption that affects your live system will be immediately replicated to your cloud backup or standby server, thereby rendering it useless. It is therefore important that you also have a process in place that allows you to restore your data back to a given point-in-time: in this example, to before the corruption occurred.
  
• Then there’s the question of what to restore your backups onto, which is something not everyone considers. In the case of a deletion, data corruption or ransomware attack you can restore your data back onto your existing hardware. But in the case of a hardware failure, flood, fire or natural disaster, you may no longer have server(s) to restore your backups onto. Purchasing new hardware and restoring backups onto it is no small task and you can expect to be without your data and IT systems for several days if you haven’t pre-planned for this scenario.
  
• This brings me onto the difference between data and systems backups, which is a fine distinction that is not always appreciated, but can make a huge difference in the event of an entire system needing to be restored. With data backups alone, whilst you have copies of your data, you do not have copies of your entire servers, which contain operating systems, software applications, settings, user IDs, policies and a myriad of other configuration settings as well as your data. Data backups provide excellent protection against things like data deletion, but do not provide a quick and easy way to recover a working IT network in the event of a complete server failure or fire, flood or natural disaster. In this case, if the recovery is to be in any way timely, you really need to be looking at a backup that takes a complete image of your entire server, not just your data.
   
• Finally, any data recovery will only be successful if your backups have worked in the first place. I am constantly surprised by the number of businesses who fall foul of this and believe they have a working backup until the day they need to recover some data, or their entire system, when they find that those backups haven’t worked in full or, in some cases, at all. Having a business process in place to monitor the success of backups is paramount, as is regular testing to ensure the integrity and restorability of your backups. 

I hope that this article has helped to highlight that data backup is actually a complex issue, which almost always requires a multi-layered approach, combined with structured business processes, to be successful. If, having read this article, you are concerned that your data backup strategy may not be fully compliant, or may no longer meet your firm’s needs, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help, which include undertaking an independent audit of your backup procedures, and/or providing technologies and processes that ensure your backups meet your regulatory obligations and your business needs.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Remote Working and GDPR Compliance for Law Firms

In my recent blog, Preparing your Law Firm for GDPR, I outlined 6 key steps that law firms need to be taking to ready themselves for GDPR. Today I wanted to talk about another hot topic in the legal sector: remote working, and specifically how this sits in relation to GDPR compliance.

In recent years, remote working has become increasingly popular and necessary for law firms, who see the many productivity benefits it offers, as well as the flexibility to be able to work from any location at any time. I noticed in a recent survey by PwC that 70% of law firms have now either embraced or are in the throes of implementing remote or mobile working, and this comes as no surprise to me as it is one of the most popular solutions that we are working with solicitors’ practices to implement these days.

However, there is no doubt that remote working opens up a whole new set of challenges to address around data security. Protecting your data when it is all contained within the safe boundaries of your in-house network is one thing; protecting your data when there are copies on laptops, smartphones and tablets which may be anywhere in the world is quite another.

Preventing data loss or data leakage from mobile devices is a key area that needs careful management under GDPR. With company emails now frequently being synchronised to personal mobile phones, and copies of data sometimes being copied to USB sticks or held on laptops or home computers to enable remote working, it is all too easy for confidential data to accidentally get lost if a device is mislaid or stolen.

Equally staff can sometimes be unaware of the implications of having certain pieces of software on their laptop/home PC/smartphone and may be unwittingly backing up or synchronising confidential company data to an unsuitable or insecure location, or even outside the European Economic Area. Those of you who read my blog “Just Where is your Law Firm’s Confidential Data?” may recall that I cited the example of a case earlier this year when an unnamed barrister was fined by the ICO (the Data Protection supervisory body in the UK), after 725 unencrypted documents containing information belonging to up to 250 people, including vulnerable adults and children, was uploaded to the internet when the barrister’s husband updated software on the couple’s home computer. These documents were visible to an internet search engine and the breach only came to light after a local government solicitor informed her chambers that documents containing confidential and sensitive information could be accessed online. This example helps to demonstrate just how easily and unwittingly a data breach can occur.

Since the GDPR obliges firms to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’ (article 32), it is very important that policies and controls around remote working are put in place that will minimise the risks of a data breach.

So, can and should law firms be using remote working technology, or, given the plethora of highly confidential information that they are privy to – so much of which identifies an individual and therefore falls under the scope of the GDPR – should they be banning the use of such technology altogether?

It’s an interesting question, and I hear a complete mix of views when I talk to law firms – varying from those who are embracing the technology wholeheartedly, but perhaps are sometimes not fully understanding the associated risks – through to those who are regressing from use of email back to the fax machine, as there is just so much fear and uncertainty around data security.

The reality is, that with the right controls, technologies and processes in place, secure remote working is achievable, and there are ways that law firms can demonstrate that they are implementing appropriate technical and organisational measures to ensure a level of security that is appropriate to the risk, as the GDPR demands.

This is about a lot more than passwords and anti-virus software though. As soon as you allow your staff to be making copies of data onto their own PCs, laptops or tablets, then you need to consider how you secure those devices as you would any other device on your internal network. And this is where life becomes very complicated, because on the in-house network you have certain policies around security, anti-virus software, website access, what applications run on each PC, what users are allowed to download and how PCs get updated with security fixes from vendors like Microsoft and a whole raft of other controls. As soon as you start moving data onto computers that do not have these controls, then you are potentially making your data and your firm very vulnerable.

It’s for this reason that when we are working with law firms to implement remote access to their systems, we always use technology which allows their data to stay residing centrally on their in-house servers, or at their data centre, and a copy does not get made onto the end user’s computer, laptop or device. Effectively the end user device is just a window into the central system, and as such has no confidential data stored on it. This means that only the central data repository needs to be kept secured – a much easier task than trying to secure data that is widely distributed.

There are further safeguards which we also put in place for staff who are working remotely – for example “two factor authentication”, whereby when you logon from outside the office you get a one-time code sent to your mobile phone which you need to enter in addition to your password.

Smartphones are another challenging area to secure, as these days so many of us have our company email and calendar replicated onto our mobile phone for convenience. There is an obvious danger here if a device gets lost, stolen or compromised. However, there are now technologies available that will allow company data to be remotely wiped from a phone in such a situation, as well as technology to separate company data that is held on a smartphone from the owner’s personal photos, emails etc and to implement extra layers of security to protect the company data.

So in summary, law firms can and should be making the most of the commercial advantages and flexibility that remote working can offer them, but it is imperative that in conjunction with this firms are implementing a cohesive set of controls, technologies, business processes and policies that will ensure that they are safeguarding their data, and their firm’s reputation, and demonstrating GDPR compliance.

Connexion have been working with law firms for over 2 decades to help them implement technology to create real value to their firm, whilst carefully managing the associated risks through a highly structured and managed approach to delivering IT. If your firm would like to explore secure remote working solutions, or you are concerned that your current remote working solution may not be fully GDPR compliant, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help. _________________________________________________________________________________ Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

SRA Compliance and Client Confidentiality: Why Law Firms need to Think like Cyber Criminals!

Solicitors are obliged under the Code of Conduct to maintain effective systems and controls to mitigate risks to client confidentiality, client money, and to overall compliance with SRA regulatory arrangements.

Whilst the SRA has stated that being hacked, or falling victim to malware, is not in itself a crime or necessarily a failure to meet their regulatory requirements, they do expect firms to take proportionate steps to protect themselves and their clients' money and information from cybercrime attacks while retaining the advantages of advanced IT. If a law firm does lose client money or information to cybercrime the SRA will consider whether there has been a breach of the Code of Conduct. When deciding whether to take action against a firm, the SRA have stated that they will take into account whether the firm had adopted reasonable systems and controls to protect against the risk.

With the SRA already receiving around 40 reports of confidentiality breaches each month, it is important that all solicitors and firms take care to understand the threats and how to avoid them. I therefore today wanted to talk about the types of cyber threats that exist and some of the more sophisticated modern ways that law firms can manage their risk around data breaches and cyber-crime.

In order to mitigate the risks, it is important firstly to understand the different types of cyber-attack that exist. These broadly fall into two categories: commodity attacks and bespoke attacks.

Commodity Attacks

Commodity attacks are where cyber criminals use widely available tools that exploit known vulnerabilities in software or operating systems in order to hack into your system or compromise it. These types of attacks are easy to deploy and don’t need much technical knowledge. Indeed, some of the most destructive types of cyber-attacks, such as ransomware, are now widely available for would-be cyber criminals to purchase as an off-the-shelf package and deploy as they wish. This type of ransomware-as-a-service means that cyber criminals need minimal technical knowledge and have the opportunity to make plenty of quick and easy money.

So it is little wonder that this type of threat is becoming more and more prevalent. In fact a recent survey by Kaspersky showed that the number of ransomware attacks on businesses tripled last year, with a company now being hit with ransomware every 40 seconds. The same survey showed that 71% of companies targeted by ransomware attacks have been infected.

We now also have the situation where the more sophisticated hackers are making a point of reverse engineering security fixes that vendors like Microsoft bring out to patch newly discovered security loopholes. This means that unless you have applied the security fixes to every device on your network very promptly, there is a real danger that you will be compromised.

As the motivation behind these sort of attacks is generally about making money, whether that be through demanding ransoms to give you back your data or through stealing confidential information to sell it on, the cyber-criminal is generally not picky who he targets and as such commodity attacks tend to be widespread.

Bespoke Attacks

While the vast majority of cyber security attacks are commodity attacks, a small number are bespoke attacks. These are very different, as they are attacks where cyber criminals target one or more individual companies for a specific reason e.g. to steal IP, or cause reputational damage.

Again cyber criminals will start by using commodity attack tools to find out if there is an easy way to compromise your system. In many cases this will provide a route in, but if not, then the cyber criminals will take time to research your organisation, your security, individual employees, social media activities and much more through a wide range of digital reconnaissance and sometimes physical reconnaissance measures and then develop bespoke hacking tools to attempt to breach your defences. These types of attacks are carried out by much more sophisticated and determined cyber criminals.

So how can Law Firms manage their risk around Cyber Threats?

Well putting yourself into the mindset of the cyber-criminal is a really good starting place. He or she is going to be looking for known vulnerabilities in your system where they can get in. These vulnerabilities are a constantly moving target, because software updates are coming out from software application vendors, operating system vendors like Microsoft and security software vendors the whole time. So the scary reality of the situation is that while your data may be fully protected at 9am this morning, by 10am you may be vulnerable.

So the key here is to be constantly, in real-time, scanning your system for vulnerabilities, using the same tools that the cyber-criminal is using. This way you see your network through the eyes of the hacker and can pre-empt his next move. Of course, the quantity and skillset of human resources required to do this manually would be cost prohibitive for most small and medium sized firms. However, we are now working with law firms to implement automated real-time unified security management systems which carry out just this function. So rather than a vulnerability scan being carried out on the network say once a year (which provides a useful benchmark, but only tells you that your data is secure at that one moment in time), these systems carry out a continuous vulnerability scan on your system, all day, every day. Such continuous vulnerability scanning allows risks to be highlighted immediately, and reported back in real-time to our Security Operations Centre. Working with our clients we then ensure these latest security loopholes are closed down immediately and that thus your firm is kept one step ahead of the cyber criminals.

I hope this article has given you some useful insight into the approach of cyber criminals and the ways you can minimise your risk of becoming a target of a cyber-attack or data breach. If you would like to find out more about this topic, or you would like information on our continuous vulnerability scanning solution or indeed if you would like to arrange a one-off vulnerability scan of your network to see how your cyber defences currently measure up, then please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when it will be my pleasure to speak with you.

If you would like to read other articles in our series of informational resources for senior partners at Law firms, please visit our blog at http://legalsectorit.blogspot.co.uk/

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Risk Management in Law Firms: Protecting your Firm from Cyber Crime

With a recent news release from the SRA revealing that cyber crime is rapidly escalating, with almost double the number of cyber thefts being reported in the first quarter of 2017 compared with the same time last year, and triple the amount of money being stolen, I today wanted to talk about pragmatic approaches to minimising your firm’s risks of being targeted by cyber criminals.

Cyber crime is now prolific, with law firms unfortunately being a natural target due to the large amounts of confidential information and high value financial transactions that they are dealing with. Indeed according to the SRA, in the last year (April 2016 to March 2017) they have seen cases involving around £11m of losses.

Property transactions are a particularly high risk to client money, but cyber criminals also target inheritance money and law firms’ own money too.

In addition to SRA compliance breaches and subsequent action, any such event can also cause massive reputational damage to a law firm.

So how can law firms protect themselves from these cyber threats?

Firstly, I would say that it is vital that a joined-up approach is taken to cyber security management, as in the ever evolving threat landscape, it is nowhere near enough to just be relying on one or two technical measures like some anti-virus software and a firewall. Rather the firm’s cyber security strategy must involve senior partners, as well as technical personnel, and be formulated as an integrated suite of risk management measures encompassing business processes, technologies, staff training and procedures.

I would also recommend that as a starting point, law firms look at the Cyber Essentials scheme, a government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks. Whilst by no means protecting against every possible threat, the cyber essentials scheme does provide a framework for good practice around cyber security, covering five technical controls:

1. Boundary firewalls
2. Secure configuration
3. User Access control 
4. Malware protection (including ransomware) 
5. Patch management 

We are already in the throes of working with several of our clients to implement Cyber Essentials, which they see as having a plethora of business benefits including assisting with regulatory compliance, demonstrating care of personal data for GDPR compliance purposes, demonstrating to clients and potential clients that they are safeguarding their data and their money, and ensuring that their firm’s risk of suffering costly downtime and/or reputational damage is minimised.

Additionally, the government already requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme, and it is clear to me that these types of accreditations and requirements are only set to continue and grow, as they inevitably percolate all the way up through the supply chain. Indeed the SRA Cyber Security roundtable this spring also recommended that firms should consider the benefits of this scheme in protecting themselves from cyber-attacks.

Over coming blogs, I will be exploring in more depth some of the key ways law firms can manage the risks posed by cybercrime. In the meantime, if you are concerned about your firm’s cyber security compliance position, or you would like to find out more about the Cyber Essentials scheme, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

GDPR Compliance for Law Firms: Cyber Security Considerations

In my recent blogs I talked about the importance of understanding your data and controlling access to your data in readiness for GDPR. In today's article I wanted to talk about securing your information systems from cyber security threats.

Protecting your firm against data breaches forms an important part of GDPR compliance, since you need to be able to demonstrate that you are taking proper care of the personal data that your firm holds.

Law firms, unfortunately, are a natural target for cyber criminals, as they are dealing with so much confidential material, ranging from personal data, to trade secrets, to large financial transactions, through to the personal affairs of high profile clients.

There are a wide range of factors to consider here, which will include:

1. How is your network secured from threats like malware, ransomware and hackers? In days gone by a firewall and some antivirus software would largely do the job, but with the constantly evolving threat landscape this is no longer the case and a much more sophisticated suite of procedures, processes and technologies is needed to provide full protection.

2. What are your procedures for applying security updates to your systems? New security threats are emerging daily and software vendors are releasing a constant stream of fixes and patches to try and mitigate the risks from these threats. Therefore it is critical that you apply these security fixes to both your servers and your PCs/laptops in a timely fashion. Indeed, the timeliness of updates has now become even more critical since some cyber criminals are now reverse engineering the fixes from vendors such as Microsoft, in order that they can see what vulnerabilities have been fixed, and using that information to directly target those vulnerabilities in organisations who have not applied the appropriate update to their systems.

3. What safeguards, procedures and policies do you have around mobile working? How is confidential client data kept separate from personal data on phones or home computers? Can you remotely wipe data off a device that is stolen or lost? What are your policies around data encryption on mobile devices? What are your policies around use of open public Wi-Fi? (if you are unclear of the dangers associated with this, please see this case study on the law society’s website). What are your policies around file sharing services such as Dropbox? How do you guarantee confidential data is not accidentally made web facing? If you are using cloud based systems to facilitate remote working, do you understand where the provider is actually storing your confidential data, and is this within the European Economic Area?

4. What are your procedures around physical security of your servers and IT equipment? Having good cyber security in place is critical, but if someone can access your server room or acquire a laptop or smartphone containing confidential data, then the very best cyber security systems can be rendered useless.

5. How do you manage secure disposal of old PC and server equipment? Equipment that is end-of-life and being replaced will often contain confidential data or emails, and therefore it is important that it is properly wiped, to guarantee that data cannot be restored.

6. How are your staff educated to ensure they are aware of the latest cyber security threats?It is all too easy to click on seemingly legitimate attachments or web links which may actually contain malicious code, and with new threats constantly emerging, the vigilance of your staff in being able to spot such scams will form part of your defence strategy.

7. What contingency plans do you have to fall back on should the worst happen? These should include incident response plans, tested backups and full disaster recovery plans.

8. How do you ensure that your defences are constantly being monitored and that your procedures around cyber security are constantly reviewed and updated? Given the constantly changing threat landscape, it is critical that procedures and controls around cyber security are regularly reviewed and updated. Software that provides one-off or ongoing vulnerability scanning of your network can be particularly useful in this regard – a topic in its own right which I will cover in more detail in a future blog.

Over coming blogs, I will be exploring in more depth some of the key ways law firms can manage the risks posed by cybercrime. In the meantime, if you are concerned about your firm’s cyber security compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

_________________________________________________________________________________  
Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

GDPR Compliance for Law Firms: Controlling Access to Your Data

Following my recent blog posts Preparing your Law Firm for GDPR and GDPR Compliance for Law Firms: Just Where is your Confidential Data?, I have received a number of enquiries from law firms as to the ways in which they should be controlling access to their data, so today I thought it would be worth sharing some information on this important topic.

Securing your data in readiness for GDPR broadly falls into two categories – access control (effective security for authorised users) and cyber security (protection against unauthorised access). Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your law firm’s data, and forms an important part of preparing your firm’s information systems for GDPR compliance.

GDPR places accountability on law firms to have in place policies, procedures and documentation that demonstrates the personal data they hold is stored securely. Bearing in mind that personal data can be anything that identifies an EU citizen, which can be as simple as a name or email address, and it becomes apparent this is likely to cover the vast majority of a firm’s data.

Therefore, for each piece of data that you hold, it is important to understand, and have documented, who has access to that data and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to do their job. Allowing staff wider access puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats.

As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important that there are procedures in place to cover what happens when somebody leaves the company or changes role.

Appropriate password policies are also very important, since if policies allow passwords to remain unchanged indefinitely, or indeed allow staff to choose an easily guessable password, then there is a danger that data security will be compromised, which does not demonstrate the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck, as overly complex password policies, which demand long and complex passwords which frequently change, can result in staff feeling the need to write their passwords down - and having passwords recorded on sticky notes certainly doesn't demonstrate due care of confidential data under GDPR!

Nowadays, it is also likely that external organisations or third parties may have legitimate access to some of your data. In this case this needs to be secured in just the same way, so you are clear who has access to what data, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.

Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to be residing on all kinds of devices, both company owned and employee or third-party owned, which do not necessarily conform to the firm’s security standards. Developing policies around mobile working and ensuring there is not leakage of data or unauthorised access to data form a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.

Finally, bear in mind that it is not just your main company-wide IT systems that fall under the GDPR. Any indexed system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures any spreadsheets or databases that have been developed by an individual or department and which contain personal data.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

If you would like to read other articles in our series of informational resources for senior partners at Law firms, please visit our blog at http://legalsectorit.blogspot.co.uk/

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

GDPR Compliance for Law Firms: Just Where is your Confidential Data?

This may sound like an odd question, as I’m sure many of you will be certain you know just where all your confidential and personal data is held. But do you really? And does it matter?

Any business's data is precious, but none more so than that of law firms who are privy to so much confidential information and who must meet their SRA regulatory obligations to maintain client confidentiality.

Not only do law firms hold much personal data, which is governed by the Data Protection Act and forthcoming GDPR legislation, they also hold a wealth of commercially confidential details ranging from large financial transactions, to trade secrets, through to the personal affairs of high-profile clients.

But in the globalised world in which we now operate, with increasing demands for remote working, there is a real danger that your precious business data may be scattered across the world. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data and/or emails?

And then there’s data that has been shared with business partners and other third-party organisations. And data that has, for whatever reason, found its way onto file sharing services like Dropbox or USB sticks.

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs. The cloud takes many forms, from well-known public cloud offerings, through to private cloud environments and individual cloud-based software applications. Understanding which of these your firm is using and where your data is actually being stored as a consequence is paramount, if you are to meet your obligations under GDPR, which include ensuring that you do not store data in or transfer data to countries outside the European Economic Area that do not have equivalently strong data protection standards. Indeed, aside from GDPR, data residency is a major concern for law firms from a jurisdiction point of view as well.

There’s also copies of data taken for backup purposes to consider. And do bear in mind this is not just your scheduled backups of your in-house servers, but can be backups that you may not even be aware of, such as automatic cloud backup software which may be installed on employee owned devices, which is copying confidential company data to an unknown provider’s cloud storage, in an unknown location, unbeknown to anyone. Indeed many of you may have read about a case earlier this year when an unnamed barrister was fined by the ICO (the Data Protection supervisory body in the UK), after 725 unencrypted documents containing information belonging to up to 250 people, including vulnerable adults and children, was uploaded to the internet when the barrister’s husband updated software on the couple’s home computer. These documents were visible to an internet search engine and the breach only came to light after a local government solicitor informed her chambers that documents containing confidential and sensitive information could be accessed online. Under GDPR, the financial and reputational consequences for such a breach could be crippling, so it is imperative that law firms have a real understanding of where their data is.

In general terms, the more widespread and less controlled your data is, the more vulnerable you leave your law firm to a security breach. So understanding what data you hold, where it is stored and who has access to it, is absolutely critical. This in turn needs to be documented, both so that the Senior Partners have understanding of, and control over, their data and to provide documentation for compliance and audit purposes. This not only puts firms back in control of their valuable data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

If you would like to read other articles in our series of informational resources for senior partners at Law firms, please visit our blog at http://legalsectorit.blogspot.co.uk/

-------------------------------------------------------------------------------------------------------------------------

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Preparing your Law Firm for GDPR

The new EU general data protection regulation (GDPR) comes in to effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. GDPR has been developed to reflect the changing use of data in the digital world in which we now live, and is designed to enable citizens to benefit from modern digital services, whilst providing sound, well formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

Failure to comply will have potentially catastrophic implications for companies, for two reasons:

1. For any breach, the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual turnover, whichever is the higher.

2. Breaches have to be notified to the data protection authority and in some cases the consumers affected, without delay. This leaves the firm concerned highly exposed to brand damage and potential customer pay outs.

Whilst law firms already have onerous SRA compliance responsibilities to meet in relation to data protection, many may still need to broaden their security measures and precautions in order to meet GDPR, as well as ensuring that they have in place the necessary written SOP’s and can provide documentary evidence to demonstrate compliance.

So what do law firms need to be doing to prepare for GDPR?

Well this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the type of things you should be considering include:

1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.

2. Identify threats to this data. This could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if firms are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.

3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. This is very important if you are to avoid data breaches and hence the crippling fines and reputational damage that would be brought about by this.

4. Put together a new or updated data protection policy and train employees on it. This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant.

5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up-to-date with best practice around security and data protection

6. Create a breach notification plan. This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your firm.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.
-------------------------------------------------------------------------------------------------------------------------
Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Secure Remote Working for Law Firms

Most law firms I speak to these days are keen to embrace the commercial benefits that remote working can deliver for their firm, allowing their fee earners to work from home or other remote locations, thus maximising their time and productivity as well as facilitating more flexible working practices.

However, given the wealth of highly confidential data that law firms are dealing with on a daily basis, there are naturally also concerns about the implications of providing remote access and whether this could compromise client confidentiality, SRA compliance or data protection.

There is no doubt that a myriad of risk management issues exist around cyber security, as those who read my previous blog Effective Cyber Security for Law Firms will have seen. 

However, there is much that can be done to mitigate these risks, and enjoy the best of both worlds, by deploying well designed, well managed, highly secure technologies that ensure that no data ever leaves the security of your law firm’s servers or data centre.

As an example of this, I’d like to share a recent implementation we have completed for a UK law firm, where there was a pressing business need to provide secure remote access to all their systems for their fee earners.  In this case, the solution designed allowed nominated staff to access their full computer desktop from any internet connected laptop or computer, at any location.   As well as the normal office suite of applications and email, the system provided fee earners with full access to their practice management software, dictation software and all their files.  They key here was that all data and applications remained at all times on the law firm’s highly secure, tightly managed back-end servers, with the end user device effectively just providing a “window” into that system.    In this manner data remained centralised, subject to the firm’s stringent security policies, safely backed up and never being transferred to individual fee earner’s personal devices.  A number of additional layers of security were also put in place, including 2 factor authentication via SMS message, which requires a logon from outside the office to be authenticated via a text message to the individual’s mobile phone, thus providing an additional level of security over and above a password alone. 
 

In other cases, where law firms are receiving emails on their personal smart phones, and thus copies of potentially confidential data has been transferred outside the secure environment of their servers, we work with their in-house IT department to implement robust mobile device management solutions.  These provide the firm with the control needed over corporate data that is on staff members’ own devices, but cleverly allow a separation of work and personal data on the smart phone so that the firm has all it needs to control data from a compliance perspective, but that control does not interfere with or extend to the user’s personal applications and data, such as photographs or personal emails.   As well as pin protecting company email, such solutions can be configured with a variety of policies that allow the network administrator to lock or wipe the corporate data from the device remotely and immediately in the event of an issue such as a device being mislaid or a staff member leaving.

So, whilst nothing in life is completely without risk, with the right advice, people, technology and structured processes in place, there are certainly effective ways that law firms can achieve mobility without compromising confidentiality or compliance.

Over coming blogs, I will be exploring in more depth some of the key issues around successful use of IT in law firms, including protecting both client confidentiality and the structural and financial stability of your law firm, through appropriate risk management. In the meantime, if you would like to know more about secure remote working solutions for law firms, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Effective Cyber Security for Law Firms – Why a Structured Approach is Paramount to Managing Risk

With cyber attacks and data breaches hitting the news headlines seemingly daily, it cannot have escaped anyone’s notice that risk management around cyber crime is now a massive issue for all businesses. Law firms are particularly at risk given they are dealing with so much confidential material, ranging from personal data, to trade secrets, to large financial transactions, through to the personal affairs of high profile clients. As such, I frequently get asked by my law firm clients for advice on the best ways to manage the risk around cyber security, so today I thought it would be useful to share some information on this important subject.

Cyber crime is now a widespread issue, with a study published by Osterman Research Inc in August 2016 showing that 72% of UK based organisations had suffered a security attack in the previous 12 months.

The types of attacks experienced are diverse, ranging from "phishing" attacks, where criminals attempt to obtain access to confidential information or passwords, through to "ransomware" attacks, such as the recent WannaCry attack on the NHS and many other organisations, where criminals hold your data to ransom by encrypting it and demanding money for its decryption. The motivation behind these attacks varies from quick money-making scams, through to much more sophisticated espionage.

Protecting confidential client information is one of the most essential requirements for any legal business to ensure compliance with SRA Principle 10 and outcome 4.1. As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Senior Partner involvement with establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the firm's risk appetite.

And this is where a structured approach to IT management becomes critical. With many in-house IT Managers understandably being pulled from pillar to post delivering day-to-day support, it is easy to lose sight of the systemised approach and relentless attention to detail that is needed to manage a law firm’s risk around cyber security. There is so much more to cyber security management than technology. Yes a suite of technological solutions will be part of the solution (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your firm’s processes and procedures surrounding cyber security. For example: How promptly do security updates get applied to your servers and PCs? How are they tested to ensure they won’t cause a problem with your systems? What procedures do you have around leavers and removing their access, including remote access? How do you separate and secure data that is held on personal devices such as emails on smart phones? What policies do you have to prevent data leakage from stolen mobile devices or copies of files made to portable media like USB sticks? How do your staff know which emails are genuine and safe to open, and more importantly, which they shouldn’t open? How do your processes and procedures ensure new starters or temporary resources are educated in cyber safety procedures? How is your system backed up and how long would it take to recover it in the event of something like the recent ransomware attack? How often is it tested to ensure it would be successful? How would your firm operate in the interim? And in the worst case scenario, how would you handle communication of a cyber attack in order to minimise the reputational damage?

To compound matters, cyber crime is a constantly changing landscape, with new threats emerging continuously and a constant need for law firms to re-evaluate and update their risk management plans in order to remain one step ahead of cyber criminals.

With so much to consider, does this mean law firms should shy away from using technology? Absolutely not. Effective use of technology is essential to the survival of any business these days, and law firms are no different. With changes in working practices, increasing globalisation, increased competition and the widespread adoption of new technologies by consumers, it is actually critical that law firms embrace technology if they are to survive and thrive. Cyber security is just like any other risk which needs to be managed.

And in my experience, the key to successful risk management around cyber security is having a highly structured approach, encompassing effective procedures and policies that are constantly reviewed and updated, along with a suite of supporting technologies. Such policies will involve a multifaceted approach, incorporating user training to help people at all levels in the firm understand how to reduce the likelihood of attack, a suite of technological solutions to help guard against threats, day-to-day operating procedures that are rigorously adhered to, as well as contingency plans to fall back on should the worst happen. Such a structured approach towards management of IT systems not only addresses the challenges of cyber security but also brings with it the ability to successfully and safely harness technology to deliver real value to law firms.

Over coming blogs, I will be exploring in more depth some of the key issues around successful use of IT in law firms, including protecting both client confidentiality and the structural and financial stability of your law firm, through appropriate risk management. In the meantime, if you are concerned about your firm’s vulnerability to cyber threats, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/