Friday 22 September 2017

GDPR Compliance for Law Firms: Cyber Security Considerations



In my recent blogs I talked about the importance of understanding your data and controlling access to your data in readiness for GDPR. In today's article I wanted to talk about securing your information systems from cyber security threats.

Protecting your firm against data breaches forms an important part of GDPR compliance, since you need to be able to demonstrate that you are taking proper care of the personal data that your firm holds.

Law firms, unfortunately, are a natural target for cyber criminals, as they are dealing with so much confidential material, ranging from personal data, to trade secrets, to large financial transactions, through to the personal affairs of high profile clients.

There are a wide range of factors to consider here, which will include:

1. How is your network secured from threats like malware, ransomware and hackers? In days gone by a firewall and some antivirus software would largely do the job, but with the constantly evolving threat landscape this is no longer the case, and a much more sophisticated suite of procedures, processes and technologies is needed to provide full protection.

2. What are your procedures for applying security updates to your systems? New security threats are emerging daily, and software vendors are releasing a constant stream of fixes and patches to try to mitigate the risks from these threats. It is therefore critical that you apply these security fixes to both your servers and your PCs/laptops in a timely fashion. Indeed, the timeliness of updates has become even more critical, since some cyber criminals now reverse engineer the fixes released by vendors such as Microsoft to see which vulnerabilities have been fixed, and then use that information to directly target those vulnerabilities in organisations that have not yet applied the appropriate update to their systems.

3. What safeguards, procedures and policies do you have around mobile working? How is confidential client data kept separate from personal data on phones or home computers? Can you remotely wipe data off a device that is stolen or lost? What are your policies around data encryption on mobile devices? What are your policies around use of open public Wi-Fi? (If you are unclear about the dangers associated with this, please see this case study on the Law Society's website.) What are your policies around file sharing services such as Dropbox? How do you guarantee that confidential data is not accidentally made web facing? If you are using cloud based systems to facilitate remote working, do you understand where the provider is actually storing your confidential data, and is this within the European Economic Area?

4. What are your procedures around physical security of your servers and IT equipment? Having good cyber security in place is critical, but if someone can access your server room or acquire a laptop or smartphone containing confidential data, then the very best cyber security systems can be rendered useless.

5. How do you manage secure disposal of old PC and server equipment? Equipment that is end-of-life and being replaced will often contain confidential data or emails, and therefore it is important that it is properly wiped, to guarantee that the data cannot be recovered.

6. How are your staff educated to ensure they are aware of the latest cyber security threats? It is all too easy to click on seemingly legitimate attachments or web links which may actually contain malicious code, and with new threats constantly emerging, the vigilance of your staff in being able to spot such scams will form part of your defence strategy.

7. What contingency plans do you have to fall back on should the worst happen? These should include incident response plans, tested backups and full disaster recovery plans.

8. How do you ensure that your defences are constantly monitored and that your procedures around cyber security are regularly reviewed and updated? Given the constantly changing threat landscape, it is critical that procedures and controls around cyber security are reviewed and updated on a regular basis. Software that provides one-off or ongoing vulnerability scanning of your network can be particularly useful in this regard – a topic in its own right which I will cover in more detail in a future blog.

Over the coming blogs, I will be exploring in more depth some of the key ways law firms can manage the risks posed by cybercrime. In the meantime, if you are concerned about your firm's cyber security compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk, and I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

_________________________________________________________________________________  
Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value for our clients' firms. Working closely with our customers' in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/