Friday 23 February 2018

Preparing for GDPR: How do you know if your Law Firm’s Data is Secure?



As those of you who follow my blog will know, I have recently published a series of articles on preparing for GDPR, which cover key issues such as cyber security considerations, protecting your data from insider threats and effective data backup strategies.

However, the GDPR obliges firms not only to safeguard the data that they are holding, but also to be able to demonstrate that they are safeguarding it effectively.

And this raises an interesting question: how do you know if you are securing your data effectively? The truth is that many organisations are not aware that their controls around data security are ineffective until a data breach or cyber-attack comes to light – and by then of course, it is too late.

In some cases organisations do not even discover that a breach has occurred until long after the event, sometimes not until the stolen data surfaces in public weeks, months or even years later. That delay is itself a problem under GDPR, which requires that a breach of personal data is notified to the regulator within 72 hours of the firm becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected.

The effectiveness of any firm’s data security is made even more difficult to measure because the cyber security landscape is a constantly moving target, with fraudsters continually devising ever more ingenious scams to gain access to data and money.

In addition, businesses are constantly evolving, with increasing use of technology and more remote working, which can leave them exposed if the necessary controls are not put in place. M&A activity can also turn a secure system into an insecure one overnight. The high profile data breach that earned TalkTalk a £400,000 fine from the ICO in October 2016, under the current Data Protection Act, was, according to the ICO's penalty notice, caused by data being stolen from a customer database inherited through TalkTalk's acquisition of Tiscali and accessed by SQL injection through three web pages with inadequate security. The "significant and sustained cyber attack" cost TalkTalk £42 million and resulted in the loss of 101,000 subscribers in the third quarter of 2015 as users fled to other networks.

This highlights how cyber security is a Board Room/Senior Partner issue rather than just an IT issue: data security considerations need to be built into every business decision, acquisitions included, if an organisation’s defences are to remain robust.

And, as I discussed in my blog, having a firewall and some anti-virus software is just the tip of the iceberg these days when it comes to cyber security defences. A plethora of technologies are now needed to achieve a joined-up approach to cyber security management and these must be combined with highly structured and methodical processes if you are to keep your firm one step ahead of the cyber criminals.

So how do you know if you have got everything covered?

Most businesses I ask this question of say that they “hope” their defences are adequate, which is quite a scary answer when a firm’s reputation and financial stability are at stake. And this seems to be part of a wider perception about IT as a whole – many firms I talk to are surprised when I tell them that the effectiveness of their IT should be measurable and aligned to their business objectives, just like every other element of their business. After all you wouldn’t dream of running your firm without knowing how many billable hours you were charging, yet it never ceases to surprise me how many people don’t see their IT in this light.

Of course, when it comes to cyber security, there are different levels of protection, and a commercial risk management decision must be made regarding your firm’s appetite for risk and consequently what level of investment in cyber security is appropriate. If a really determined attacker with a personal vendetta targets your firm, it can be very difficult and very expensive to ensure your defences will keep them out. But these bespoke attacks are the exception. The vast majority of cyber-attacks are what in the trade we call “commodity attacks” (discussed in more detail in my article “SRA Compliance and Client Confidentiality: Why Law Firms need to Think like Cyber Criminals!”): opportunistic, largely automated attacks that use freely available tools to exploit known vulnerabilities, very often ones for which a patch already exists, in order to obtain access to an organisation’s data.
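The TalkTalk breach mentioned above is a textbook commodity attack: the ICO's penalty notice found that the attacker used SQL injection against web pages that had not been kept up to date. As an added illustration of what that class of "known vulnerability" looks like in practice (example code written for this page, not Connexion's tooling and not anything taken from the TalkTalk case), the Python below builds a small in-memory customer table, constructed purely for demonstration, and runs an account lookup written by string concatenation alongside the same lookup written with a bound parameter. The table layout, the sample names, the payload and the `lookup_*` function names are all assumptions of the example.

```python
import sqlite3

# Constructed sample records standing in for an inherited customer database.
# Nothing here is real data.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com", "01234 567890"),
    (2, "bob", "bob@example.com", "01234 567891"),
    (3, "carol", "carol@example.com", "01234 567892"),
]

# A classic injection payload: it closes the quoted string early and appends an
# always-true condition, so the WHERE clause matches every row in the table.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database populated with the sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Account lookup built by string concatenation (hypothetical weak web page).

    The caller's input becomes part of the SQL text, so quotes and operators
    inside it are interpreted by the database instead of being treated as data.
    """
    sql = (
        "SELECT id, username, email, phone FROM customers "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The same lookup using a bound parameter.

    The SQL text is fixed; the driver hands the input to SQLite as a value,
    so it can only ever be compared against the username column.
    """
    sql = "SELECT id, username, email, phone FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def run_demo():
    """Run both lookups with a legitimate name and with the injection payload."""
    conn = make_db()
    try:
        return {
            "vulnerable_normal": lookup_vulnerable(conn, "alice"),
            "vulnerable_injected": lookup_vulnerable(conn, INJECTION_PAYLOAD),
            "safe_normal": lookup_parameterised(conn, "alice"),
            "safe_injected": lookup_parameterised(conn, INJECTION_PAYLOAD),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label}: {len(rows)} row(s) {rows}")
```

Run it and the concatenated lookup hands back all three customer records for the injection payload, while the parameterised lookup returns nothing for it and behaves identically for a genuine username. Automated attack tooling and external vulnerability scanners alike probe exposed web pages for exactly this kind of behaviour, which is why a firm's exposure to it can be measured rather than guessed at.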

And measuring your organisation’s defences against commodity attacks is something that can be done. Here at Connexion we have tools that allow us to scan a customer’s network from outside and/or inside their organisation to highlight vulnerabilities that external cyber criminals or insider threats could exploit. An external scan shows what an attacker on the internet can reach and what on it is out of date; an internal scan, ideally run with credentials, shows the missing patches and weak configurations behind the perimeter that a compromised workstation or a malicious insider would find. This can be done to provide a one-off security benchmark, on a periodic basis, or even now on a continual real-time basis, bearing in mind that the findings only improve your security once the issues they raise have been fixed and re-tested.

There are also accreditations such as the Government’s Cyber Essentials scheme, which I talked about in my article “Risk Management in Law Firms: Protecting your Firm from Cyber Crime”, or ISO 27001 for those organisations where the risks demand a higher level of data security.

For those organisations wanting a more in-depth audit and report on the state of their cyber security, with recommendations of any remedial actions they should implement in readiness for GDPR, we also conduct full GDPR cyber security readiness audits.

These types of vulnerability scanning services, accreditations and audits provide firms with a clear measure of whether or not their cyber security defences conform to best practice. They also provide the documentary evidence that the GDPR’s accountability principle calls for (and that prospective clients and the SRA will ask for too): proof that the firm has put appropriate technical and organisational measures in place to safeguard the data it holds, rather than simply hoping that it has.

If this article has resonated with you and you would like more information about vulnerability scans, GDPR cyber security readiness audits or the Cyber Essentials scheme, then please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk, and I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value for our clients' firms. We work closely with our customers’ in-house IT Managers, and our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/
