Friday 23 February 2018

Preparing for GDPR: How do you know if your Law Firm’s Data is Secure?



As those of you who follow my blog will know, I have recently published a series of articles on preparing for GDPR, which cover key issues such as cyber security considerations, protecting your data from insider threats and effective data backup strategies.

However, the GDPR obliges firms not only to safeguard the data that they are holding, but also to be able to demonstrate that they are safeguarding it effectively.

And this raises an interesting question: how do you know if you are securing your data effectively? The truth is that many organisations are not aware that their controls around data security are ineffective until a data breach or cyber-attack comes to light – and by then of course, it is too late.

In some cases, even when there has been a data breach, organisations are not aware of it until long after the event, sometimes not until the data is made public weeks, months or even years later. In itself this will be an issue under GDPR, which requires that data breaches are notified to the regulator within 72 hours.

The effectiveness of any firm’s data security is made even more difficult to measure as the cyber security landscape is a constantly moving target, with fraudsters continually devising ever more ingenious scams to gain access to data and money.

In addition, businesses are constantly evolving, with increasing use of technology and more remote working which can leave them exposed if the necessary controls are not put in place. M&A activity can also lead to a secure system suddenly becoming insecure – for example the high profile data breach that earned TalkTalk a £400,000 fine in October 2016 under the current Data Protection Act was reportedly caused by data being stolen from a database inherited through TalkTalk's acquisition of Tiscali, and accessed through three web pages with inadequate security. The "significant and sustained cyber attack" cost TalkTalk £42 million and resulted in the loss of 101,000 subscribers in the third quarter of 2015 as users fled to other networks. This highlights how cyber security is a Board Room/Senior Partner issue rather than just an IT issue, with data security considerations needing to be built into every business decision, in order to ensure that an organisation’s defences remain robust.

And, as I discussed in my blog, having a firewall and some anti-virus software is just the tip of the iceberg these days when it comes to cyber security defences. A plethora of technologies are now needed to achieve a joined-up approach to cyber security management and these must be combined with highly structured and methodical processes if you are to keep your firm one step ahead of the cyber criminals.

So how do you know if you have got everything covered?

Most businesses I ask this question of say that they “hope” their defences are adequate, which is quite a scary answer when a firm’s reputation and financial stability are at stake. And this seems to be part of a wider perception about IT as a whole – many firms I talk to are surprised when I tell them that the effectiveness of their IT should be measurable and aligned to their business objectives, just like every other element of their business. After all you wouldn’t dream of running your firm without knowing how many billable hours you were charging, yet it never ceases to surprise me how many people don’t see their IT in this light.

Of course, when it comes to cyber security, there are different levels of protection and a commercial risk management decision must be made regarding your firm’s appetite for risk and consequently what level of investment in cyber security is appropriate. If you get a really determined hacker, who has a personal vendetta to target your firm, then it can be very difficult and very expensive to ensure your defences will keep them out. But these types of bespoke attacks are the exception; the vast majority of cyber-attacks are what in the trade we call “commodity attacks”, (more details of which can be found in my article “SRA Compliance and Client Confidentiality: Why Law Firms need to Think like Cyber Criminals!”), which exploit known vulnerabilities to obtain access to an organisation’s data.

And measuring your organisation’s defences against commodity attacks is something that can be done. Here at Connexion we have tools that allow us to scan a customer’s network from outside and/or inside their organisation to highlight any vulnerabilities from external cyber criminals or insider threats. This can either be done to provide a one-off security benchmark, on a periodic basis or even now on a continual real-time basis.

There are also accreditations such as the Government’s Cyber Essentials scheme, which I talked about in my article “Risk Management in Law Firms: Protecting your Firm from Cyber Crime”, or ISO 27001 for those organisations where the risks demand a higher level of data security.

For those organisations wanting a more in-depth audit and report on the state of their cyber security, with recommendations of any remedial actions they should implement in readiness for GDPR, we also conduct full GDPR cyber security readiness audits.

These types of vulnerability scanning services, accreditations and audits provide firms with a clear measure as to whether or not their cyber security defences are conforming to best practice, and also provide that vital documentary proof for GDPR compliance purposes (and indeed for your prospective customers and the SRA too), that you are taking cyber security seriously and doing everything in your power to safeguard the data your firm holds.

If this article has resonated with you and you would like more information about vulnerability scans, GDPR cyber security readiness audits or the Cyber Essentials scheme, then please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk, when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Friday 9 February 2018

Preparing for GDPR: Key Considerations for an Effective Security Patching Regime



In recent weeks most of you will have heard media coverage around the discovery of serious security flaws, known as Meltdown and Spectre, which affect almost every modern computer, and could potentially allow hackers to steal sensitive personal data. The three connected vulnerabilities have been found in processors designed by Intel, AMD and ARM.

I therefore thought today that it would be well worth sharing some information on not just these particular threats, but the wider issue of patching computer systems in order to protect confidential and/or personal data against the latest security threats.

Patches, also known as software fixes or updates, are released by software vendors on a regular basis and are designed to fix bugs within the software and put in place measures to mitigate newly discovered security threats. Patches are released regularly for operating systems (like Microsoft Windows) and for most business software applications, as well as for technical software such as anti-virus and backup programmes.

Applying these patches is very important for a number of reasons:-

* It helps to reduce your risk of falling victim to ransomware attacks, which, as the Wannacry attack in the NHS demonstrated last year, are extremely disruptive and can cause major business problems through downtime and loss of data, not to mention reputational damage and regulatory consequences.

* Exploiting known vulnerabilities is one of the commonest ways that cyber criminals hack into or compromise your network. Such attacks are known as “commodity attacks”; more information on types of attacks can be found in this blog. These commodity attacks often lead to data breaches and ensuing reputational damage to the business, commercial impact with customers and, again, potentially serious regulatory consequences.

Which brings me nicely on to GDPR.

Just this week I was reading a blog by the Information Commissioners Office (the data protection regulator in the UK), which defines their stance around patching in relation to GDPR, and I quote:-

“Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.” 

This statement brings clarity to the importance of applying security patches to your systems in a timely fashion. However, this may not be as straightforward as it first sounds. Firstly for larger businesses with remote workers or staff who use their own laptop or device for work, there is the logistical issue of how to ensure updates (which are coming out constantly) get deployed to all these end-user devices.

There are also servers to be updated which requires a structured process to ensure technical expertise is made available, suitable testing is carried out and the updates are organised in such a way as to minimise disruption to the business, such as arranging business-friendly downtime slots should the servers need to be rebooted in order to apply the patches.

Timeliness is also an issue, since cyber criminals are now actively “reverse engineering” fixes from software companies like Microsoft to work out what vulnerability the update addressed, and then exploiting that vulnerability in organisations who have not yet installed the appropriate patch.

There’s then the issue of testing patches to ensure they are not going to cause a problem with other software you are using on your PCs or servers, or cause your IT system to grind to a halt. There has already been much speculation around how much the updates for Spectre and Meltdown may slow down computers, and over the years I have seen several updates that have caused problems on customers’ networks. Having a roll-back plan that will work is vital to mitigate the risks when deploying any widespread PC update.

Finally, your cyber defences are only ever as good as your weakest link on any given day, so when it comes to patching, getting 99% of your devices updated is just not enough. With many cyber threats set to seek out the one device that isn’t patched, and enter your network via that device, it is vital that organisations have in place systems that give clear visibility over all devices on the network and their current patch status, and raise an alert for any device which has not been patched or where a patch has failed to deploy for any reason. It is all too easy for one computer to slip through the net if your systems for deploying updates are not highly structured – perhaps the device was turned off, the user rejected or postponed the update or there was a technical problem such as the computer running short of disk space.
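As an added illustration of the visibility and alerting described above (this is example code, not Connexion's own tooling), the following check walks a constructed device inventory, reports each device's patch state, and raises an alert with the likely cause: device not seen, update postponed by the user, or deployment failed for lack of disk space. The patch identifier, grace period, check-in limit and disk threshold are assumed policy values.

```python
# Patch-status visibility check over a constructed inventory (not real data).
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

REQUIRED_PATCH = "KB-EXAMPLE-0001"    # placeholder id, not a real update
PATCH_RELEASED = datetime(2018, 2, 13)
GRACE_PERIOD = timedelta(days=14)     # assumed policy: install within 14 days
CHECKIN_LIMIT = timedelta(days=3)     # assumed: silent this long = unreachable
MIN_FREE_MB = 2048                    # assumed installer disk requirement

@dataclass
class Device:
    name: str
    installed: frozenset            # patch ids the device reports as installed
    last_seen: Optional[datetime]   # last check-in with the management system
    deploy_status: str              # "ok", "pending", "postponed" or "failed"
    free_disk_mb: int

def assess(dev: Device, now: datetime) -> Tuple[str, str]:
    """Return (state, reason); state is 'compliant', 'pending' or 'alert'."""
    if REQUIRED_PATCH in dev.installed:
        return "compliant", "patch installed"
    if dev.last_seen is None or now - dev.last_seen > CHECKIN_LIMIT:
        return "alert", "not seen by the management system (turned off or off-network)"
    if dev.deploy_status == "postponed":
        return "alert", "user postponed or rejected the update"
    if dev.deploy_status == "failed":
        if dev.free_disk_mb < MIN_FREE_MB:
            return "alert", f"deployment failed with only {dev.free_disk_mb} MB free disk"
        return "alert", "deployment failed; check the installer log"
    if now - PATCH_RELEASED > GRACE_PERIOD:
        return "alert", "patch still pending after the grace period"
    return "pending", "patch pending, within the grace period"

def compliance_report(devices: List[Device], now: datetime):
    """Return (rows, alerts, percent_compliant); anything under 100% needs action."""
    rows = [(d.name, *assess(d, now)) for d in devices]
    alerts = [r for r in rows if r[1] == "alert"]
    pct = 100 * sum(r[1] == "compliant" for r in rows) / len(rows)
    return rows, alerts, pct

NOW = datetime(2018, 2, 23)
INVENTORY = [  # constructed sample devices
    Device("FEE-PC-01", frozenset({REQUIRED_PATCH}), NOW, "ok", 40000),
    Device("FEE-PC-02", frozenset(), NOW - timedelta(days=10), "pending", 40000),
    Device("PARTNER-LAPTOP", frozenset(), NOW, "postponed", 40000),
    Device("RECEPTION-PC", frozenset(), NOW, "failed", 500),
    Device("FILE-SERVER", frozenset(), NOW, "pending", 90000),
]
```

Running `compliance_report(INVENTORY, NOW)` on this sample flags three alerts and one pending device, so only 20% of the estate is compliant.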

I hope this article has provided a useful insight into both the importance of, and the potential complications around, patching your computer systems. Here at Connexion we have highly structured processes and methodologies to deliver patch management to our customers, which include providing timely deployment of patches to all devices, clear visibility and alerting of any device that is missing a patch, and structured change control and rollback plans to minimise the risks around patch deployment. If you would like to find out more, please do not hesitate to contact me for a no obligation conference call on 0118 920 9600 or email james.stratton@connexion.co.uk.
