Friday 26 January 2018

GDPR for Law Firms: How to Protect Your Data from Insider Threats



In my recent blog I shared my 8 top tips to protect your data from cyber threats. However, threats to your data do not just come from external cyber criminals, so today I wanted to talk about ways to protect your data from insider threats.

So what do I mean by an insider threat?

Well, this can be something like a rogue employee or a disgruntled ex-member of staff, but more likely it will be a genuine member of staff who accidentally causes a security breach or data loss.

Human error is actually one of the commonest causes of a data breach. In fact, according to Security Magazine, up to 70% of data breaches can be linked to internal security gaps. Since the GDPR obliges firms to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’ (Article 32), it is important to put in place policies and controls that will minimise the risks of such an occurrence.

Password policies would be one such measure. I'm sure most of us would agree that we would prefer to choose an easily memorable password, but these are often very easily guessable and as such do not provide the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck. I have seen firms implement very complex password policies, demanding long passwords with complex character sets and frequent password changes, which have resulted in staff feeling the need to write their passwords down, and having passwords recorded on sticky notes certainly doesn't demonstrate due care of confidential data under GDPR!

With a recent survey by PwC having shown that 70% of law firms have now either embraced or are in the throes of implementing remote or mobile working, there is also a whole new set of challenges to address around data security. Preventing data loss or data leakage from mobile devices is a key area that needs careful management under GDPR. With company emails now frequently being synchronised to personal mobile phones, and copies of data sometimes being placed on USB sticks or held on laptops or home computers to enable remote working, it is all too easy for confidential data to accidentally get lost if a device is mislaid, stolen or hacked. Equally, staff can sometimes be unaware of the implications of having certain pieces of software on their laptop, smartphone or home computer and may be unwittingly backing up or synchronising confidential company data to an unsuitable or insecure location, or even outside the European Economic Area.

Having appropriate processes and procedures around starters and leavers is also key in ensuring that only authorised personnel have access to your confidential data. Equally, it is best practice to give staff only the minimum access to systems and data that is needed to do their job, in order to minimise risk from a data breach or deletion, whether accidental or deliberate. Staff education is also vital in ensuring that your systems are not compromised by fraud or ransomware, which are often started via rogue emails.

Controls around what software employees can run on their computers are also important, as it is all too easy for employees to unwittingly install software that creates network vulnerabilities which could allow a hacker to access the network. Alongside this, there is also the need to have processes in place that ensure all devices on the network are updated with the latest software security patches, which are released by the various software companies on a regular basis. Of course, if given the choice, it is human nature for staff to click "no" or postpone the installation of such updates so as to avoid disruption to their busy working day, but by doing this they can leave your network highly vulnerable to security threats. It is therefore important to have a centralised system for managing security updates, something I will discuss in more detail in a future blog.

Nowadays, it is also likely that external organisations or third parties may have legitimate access to some of your IT systems or data. Such access needs to be secured in just the same way as it is for your own staff, so you are clear who has access to what parts of the system, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.

Hopefully the examples above serve to illustrate that a wide range of controls are needed to ensure that your firm is protecting its data from insider threats. From a GDPR perspective it is important that law firms are able to demonstrate that they have understood what personal data they hold, where it is stored, who has access to it and for what purpose. Since there is an obligation to be able to demonstrate that risks have been assessed and an appropriate level of security has been implemented, I would recommend that all law firms review their data access control policies, procedures and technologies to ensure that they are protecting their data in accordance with current best practice.

Such controls not only put firms back in control of their valuable data, but also minimise the risk of a data breach under GDPR.

I hope this article has given you a useful insight into the ways that you need to protect your data from insider threats, as well as external cyber security threats, when preparing for GDPR. If, having read this article, you are concerned that your data security policies may not be adequate for GDPR, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help. Our services include providing independent GDPR cyber readiness audits, vulnerability scans and consultancy around implementing technologies and processes to ensure your data security defences are in line with industry best practice.


Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Friday 12 January 2018

GDPR Compliance for Law Firms: Disaster Recovery Considerations



In my last blog, I talked about data backup considerations when preparing your law firm for GDPR. Today I wanted to talk in more depth about disaster recovery.

With the best planning in the world, sometimes the unexpected does happen. We only have to look at the chaos caused in the NHS by the WannaCry ransomware attack to see the operational and commercial impact that computer systems downtime can cause, as well as the reputational damage.

It is therefore important, as part of your GDPR obligations to safeguard the data that your firm holds, that you have in place suitable disaster recovery plans that you could fall back on should the worst happen.

Part of this will be about having a technical disaster recovery plan in place that ensures you can recover your data and systems successfully and in a timely manner. Equally importantly, there also need to be plans in place to cover how you would operate in the interim and how you would communicate details of an IT failure to customers, staff, suppliers and the relevant regulator(s) to minimise the financial and reputational damage to your firm. Bear in mind that, in such a situation, many of the systems you normally rely on for your communications such as emails or contact databases may be unavailable, so the plan needs to provide for alternative ways to access these details and contact these people.

And to bring the subject of disaster recovery planning into perspective, whilst many law firms I talk to tend to associate IT downtime with large events such as fires or floods, the reality is that the majority of IT downtime has much more mundane causes, which can include hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. And in many cases the downtime is considerable. For example, according to Intermedia, 72% of companies infected with ransomware suffer two days or more without access to their files, while 32% are locked out of their files for at least 5 days.

Whether an outage is caused by ransomware, hardware failure, software failure or a wider scale disaster, it is critical that the disaster recovery plan works effectively and in a timely manner. I find many businesses put together a disaster recovery plan some years ago and have left it in the fireproof safe ever since, without testing or updating it. My experience is that this document needs to be constantly evolving, as use of technology in law firms has moved on rapidly, and what was an acceptable recovery plan even a year or two ago may now be totally inadequate. In addition, systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can impact on the technical success of a recovery.

So in order to ensure ongoing compliance and relevance, I always recommend that law firms continually reassess and test their plans around resilience, backup and disaster recovery, against the operational needs of their business and their regulatory compliance obligations. Some points to consider would include:

1. How long could your firm manage without access to each of its IT systems and data repositories? This is likely to vary from system to system; for example, you may be able to tolerate no downtime on your email, but it may be acceptable for an archived cases folder to be restored within 72 hours. So your disaster recovery plan needs to consider each system and data repository that you use, assessing how long your firm could cope without access to that system or data repository.

2. How much data, if any, could you afford to lose?
For each IT system and data repository you need to be clear how much data loss, if any, would be acceptable to the firm, in both commercial and regulatory terms, and tailor your backup and disaster recovery plans accordingly. If no data loss is acceptable, then a real-time replication solution should be considered, as part of a multi-layered backup approach (see more details in this blog). If some data loss is acceptable in a disaster scenario, then backups which run daily or hourly may be acceptable.

3. Does your current disaster recovery plan accurately reflect 1 and 2 above?
Your disaster recovery plan needs to be designed such that your objectives around downtime and data loss as defined above can be met.

4. Would your plan work if used “in anger” and are you able to demonstrate this?
In order to ensure success it is vital that the disaster recovery plan is tested on a regular basis. Testing, in my experience, almost always highlights errors or omissions in the plan which would cause an issue in a live disaster recovery invocation. Whether that’s a practical problem (something technical or operational in the plan doesn’t work) or whether it reveals that the time taken to carry out the recovery does not meet business objectives, or that all data cannot be recovered successfully, testing is paramount to provide the peace of mind that the plan will actually work when used “in anger”. Tests of disaster recovery plans also need to be documented, so there is clear evidence that plans exist, testing has been conducted, the plan has been shown to meet business and regulatory requirements and that any necessary remedial actions highlighted by the test have been actioned.

5. What is the process for reviewing and updating your disaster recovery plan?
With our use of technology constantly evolving, and regular changes to legislation, it is important that plans around backup and disaster recovery are regularly reviewed and re-assessed against the commercial and operational needs of the firm, as well as regulatory compliance requirements in relation to the SRA and GDPR.
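As an added example, not code from the original post, the following Python check applies points 1 to 5 above to a constructed inventory of systems. The names, hours and test dates are invented for illustration; a firm would replace them with its own assessed figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class SystemPlan:
    name: str
    rto_hours: float               # point 1: longest tolerable outage
    rpo_hours: float               # point 2: most data loss tolerable (0 = none)
    backup_interval_hours: float   # 0 = real-time replication
    restore_time_hours: float      # restore duration measured in the last test
    last_test: Optional[date]      # None = never tested
    last_test_recovered_all: bool = True


def assess(plan: SystemPlan, today: date, max_test_age_days: int = 365) -> List[str]:
    """Return the gaps between stated objectives and the current plan (empty = no gaps)."""
    gaps: List[str] = []
    # Points 2 and 3: a zero RPO cannot be met by periodic backups at all
    if plan.rpo_hours == 0 and plan.backup_interval_hours > 0:
        gaps.append("RPO of zero needs real-time replication, not periodic backups")
    elif plan.backup_interval_hours > plan.rpo_hours:
        gaps.append(f"backup every {plan.backup_interval_hours:g}h exceeds RPO of {plan.rpo_hours:g}h")
    # Points 1 and 3: measured restore time must fit inside the tolerable outage
    if plan.restore_time_hours > plan.rto_hours:
        gaps.append(f"restore takes {plan.restore_time_hours:g}h but RTO is {plan.rto_hours:g}h")
    # Points 4 and 5: documented evidence of a recent, fully successful test
    if plan.last_test is None:
        gaps.append("never tested")
    else:
        if today - plan.last_test > timedelta(days=max_test_age_days):
            gaps.append(f"last test on {plan.last_test.isoformat()} is older than {max_test_age_days} days")
        if not plan.last_test_recovered_all:
            gaps.append("last test did not recover all data")
    return gaps


def report(plans: List[SystemPlan], today: date) -> Dict[str, List[str]]:
    return {p.name: assess(p, today) for p in plans}


# Constructed sample inventory (hypothetical figures, not real client data)
TODAY = date(2018, 1, 12)
SAMPLE_PLANS = [
    SystemPlan("email", 1, 0, 0, 0.5, date(2018, 1, 5)),          # replicated, tested recently
    SystemPlan("archived cases", 72, 24, 24, 8, date(2016, 3, 1)),  # cadence fine, test stale
    SystemPlan("case management", 4, 1, 24, 6, None),              # daily backup, slow restore
]

if __name__ == "__main__":
    for name, gaps in report(SAMPLE_PLANS, TODAY).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```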

I hope this has given you a useful insight into some of the key areas to consider around disaster recovery planning when preparing for GDPR. If, having read this article, you are concerned that your current disaster recovery plan may not be fully compliant, or may no longer meet your firm’s needs, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help, which include providing independent consultancy as well as (where required) implementing technologies and processes to ensure your disaster recovery plans meet your regulatory obligations and your business needs.

_________________________________________________________________________________
