
Friday, 13 April 2018

5 Practical Steps to Secure your Law Firm’s Data for GDPR



With the clock rapidly ticking down towards GDPR go-live, this week I was reading the newly published government survey, “Cyber Security Breaches Survey 2018: Preparations for the new Data Protection Act”, and I have to say I was amazed by some of the findings. The survey looked at how aware businesses and charities are of the incoming GDPR legislation and how they are actively preparing for the change. Having been immersed in GDPR, both for my own organisation and for our clients, for well over a year now, I was particularly surprised to learn that overall only 38% of businesses had even heard of GDPR! And among those aware of GDPR, only just over a quarter of businesses had made changes to their operations in response to GDPR’s introduction.

However, of those who had made changes to how they operate, 49% said that some of the changes made related to cyber security practices. This doesn’t come as a surprise to me as we are currently in the throes of conducting an independent cyber security vulnerability scan, or a more in-depth cyber security check-up, to many organisations as part of their GDPR preparations, and we are finding, almost invariably, that cyber security is an area where there are some deficiencies that need to be corrected.

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.

Article 32 of the GDPR states that “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

It goes on to list some more specific measures which you may wish to consider, amongst others, which are:-

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

By the nature of data security, it is impossible for the legislation to be prescriptive, because the security threat landscape is constantly evolving, and as such, what constitutes a secure network today almost certainly will not constitute a secure network tomorrow.

Whilst the ICO (the data protection regulatory body in the UK) have produced guidance documents on many sections of the GDPR, there is not yet updated guidance around IT security for small and medium size businesses, so I thought it would be useful today to try and explain some practical steps for securing your data, in-line with IT industry best practice.

1. Cyber Security Defences
It is important to realise that there is no single product that will provide a complete guarantee of security for your firm. The recommended approach is to use a set of security controls that complement each other but will require ongoing support in order to maintain an appropriate level of security. The type of products you should be considering are likely to include:-
  • Virus protection 
  • Malware protection 
  • Ransomware protection 
  • Email filtering 
  • Web filtering 
  • Constantly updated firewall protection 
  • Encryption of data in transit 
  • Encryption of data at rest 
  • Mobile working policies 
  • Data loss/leakage prevention technology 
  • Strong passwords 
  • Two factor authentication 
  • The ability to remotely wipe data from any user device that is lost or stolen 
  • A system for securely wiping old servers and PCs prior to disposal 
  • Regular or continuous vulnerability scanning 
  • 24/7 monitoring against threats 
2. Implement an Effective Security Patching Regime
I recently wrote a detailed article on this subject, so won’t repeat myself here, but the full article can be found at -> http://legalsectorit.blogspot.co.uk/2018/02/preparing-for-gdpr-key-considerations.html 

3. Protect Data from Insider Threats
4. Implement Effective Data Backup Procedures
5. Review and Test your Disaster Recovery Procedures
I hope this provides you with some useful practical insight into how to secure your data in readiness for GDPR. If you are unsure whether or not your current data security practices are adequate for GDPR, then the best thing to do is to contact me to discuss getting an independent vulnerability scan or full cyber security audit. This will give you a good benchmark as to whether or not you are doing the right things around cyber security management, and if you are not, give you practical steps to remediate any vulnerabilities prior to the GDPR go live date on 25th May. If this article has raised questions or concerns over your firm’s cyber security strategy or you would like more information on Connexion’s services, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help.

_________________________________________________________________________________  
Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Friday, 9 March 2018

The Cyber Crime Wave: 5 Practical Steps to Protect your Law Firm



Cyber-attacks are becoming ever more frequent and ever more costly, with estimated annual losses from cyber-crime now topping $400bn (£291bn), according to the Center for Strategic and International Studies.

And the effect of cyber-attacks on law firms is wide-ranging: disruption to the firm, the potential for large financial losses (the average cost of a cyber breach was $349,000 in 2017, according to NetDiligence, whose data is based on actual cyber insurance claims) and the reputational damage that a cyber-attack is likely to cause the firm. In addition, many cyber-attacks lead to a breach of personal data which in itself has major regulatory ramifications, both under the current Data Protection Act and the forthcoming GDPR.

On top of this law firms have the added complication of the impact an attack has on their SRA regulatory obligations.

It follows then that risk management around cyber-crime is now a major issue for all businesses. Law firms are particularly at risk given they are dealing with so much confidential material, ranging from personal data, to trade secrets, to large financial transactions, through to the personal affairs of high profile clients. As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Senior Partner involvement with establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the firm's risk appetite.

Many firms are turning to cyber insurance as a way of mitigating the risks around cyber-crime, but the reality is that a cyber insurer will assess your business processes around cyber security in order to understand their own level of risk and make decisions over the acceptance and pricing of your policy accordingly. So whilst taking insurance may be a prudent step, it does not mitigate the requirement to implement suitable processes, controls and technologies around cyber security management.

This is where a highly structured and methodical approach to IT management becomes critical as it is easy to lose sight of the relentless attention to detail that is needed to manage a law firm’s risk around cyber security. There is so much more to cyber security management than technology. Yes a suite of technological solutions will be part of the solution (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your firm’s processes and procedures surrounding cyber security. Some practical steps that I would recommend every law firm implements to lessen their risk of falling victim to cyber-crime are as follows:-
  1. Implement an effective security patch management policy: Software vendors are releasing a regular stream of patches to mitigate newly discovered security flaws. As I discussed in my recent blog “Key Considerations for an Effective Security Patching Regime”, having a methodology to ensure every device on the network receives patches in a timely fashion is vital.

  2. Get an INDEPENDENT vulnerability scan carried out to benchmark your cyber security defences: Because it’s very easy to be too close to a system and potentially overlook a security loophole, we frequently get called on to conduct independent security vulnerability scans, or fuller complete security audits, for law firms. An independent security review by a third party who has no vested interest in the system is more likely to give objective, impartial feedback.

  3. Implement a multi-layered data backup strategy: With ransomware now extremely prevalent, effective procedures around data backup are paramount. More information can be found here.

  4. Review and test your disaster recovery procedures: I see so many disaster recovery plans that, for a plethora of reasons, don’t work when used in anger. Testing is essential to prove all your data is being backed up successfully and that your entire system can be restored in a timescale that is acceptable to the business. I wrote a blog on this subject recently, which you can find here.

  5. Consider Cyber Essentials Certification: The Cyber Essentials scheme is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber-attacks. Whilst by no means protecting against every possible threat, the Cyber Essentials scheme does provide a framework for good practice around cyber security. More information can be found here.
There’s no doubt that managing the risk around cyber-crime is not easy, and needs dedicated resources and strict procedures which are rigorously adhered to. I think that is probably why so many firms are now moving towards partnering with a specialist IT company to provide this function, someone who can monitor their system from a security perspective at all times and is not distracted by the day-to-day operations of the firm. This is certainly the trend we’re seeing here at Connexion, where we are working with law firms to provide all of the above services on a fully managed basis.

If this article has raised questions or concerns over your firm’s cyber security strategy or you would like more information on Connexion’s services which include security vulnerability scans, patch management solutions, cyber essentials certification, backup solutions and disaster recovery solutions, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help.


Friday, 23 February 2018

Preparing for GDPR: How do you know if your Law Firm’s Data is Secure?



As those of you who follow my blog will know, I have recently published a series of articles on preparing for GDPR, which cover key issues such as cyber security considerations, protecting your data from insider threats and effective data backup strategies.

However, the GDPR obliges firms not only to safeguard the data that they are holding, but also to be able to demonstrate that they are safeguarding it effectively.

And this raises an interesting question: how do you know if you are securing your data effectively? The truth is that many organisations are not aware that their controls around data security are ineffective until a data breach or cyber-attack comes to light – and by then of course, it is too late.

In some cases, even when there has been a data breach, organisations are not aware until long after the event - in some cases not until data is made public weeks, months or even years later. In itself this will be an issue under GDPR, which requires that data breaches are notified to the regulator within 72 hours.

The effectiveness of any firm’s data security is made even more difficult to measure as the cyber security landscape is a constantly moving target, with fraudsters continually devising ever more ingenious scams to gain access to data and money.

In addition, businesses are constantly evolving, with increasing use of technology and more remote working which can leave them exposed if the necessary controls are not put in place. M&A activity can also lead to a secure system suddenly becoming insecure – for example the high profile data breach that earned TalkTalk a £400,000 fine in October 2016 under the current Data Protection Act was reportedly caused by data being stolen from a database inherited through TalkTalk's acquisition of Tiscali, and accessed through three web pages with inadequate security. The "significant and sustained cyber attack" cost TalkTalk £42 million and resulted in the loss of 101,000 subscribers in the third quarter of 2015 as users fled to other networks. This highlights how cyber security is a Board Room/Senior Partner issue rather than just an IT issue, with data security considerations needing to be built into every business decision, in order to ensure that an organisation’s defences remain robust.

And, as I discussed in my blog, having a firewall and some anti-virus software is just the tip of the iceberg these days when it comes to cyber security defences. A plethora of technologies are now needed to achieve a joined-up approach to cyber security management and these must be combined with highly structured and methodical processes if you are to keep your firm one step ahead of the cyber criminals.

So how do you know if you have got everything covered?

Most businesses I ask this question of say that they “hope” their defences are adequate, which is quite a scary answer when a firm’s reputation and financial stability are at stake. And this seems to be part of a wider perception about IT as a whole – many firms I talk to are surprised when I tell them that the effectiveness of their IT should be measurable and aligned to their business objectives, just like every other element of their business. After all you wouldn’t dream of running your firm without knowing how many billable hours you were charging, yet it never ceases to surprise me how many people don’t see their IT in this light.

Of course, when it comes to cyber security, there are different levels of protection and a commercial risk management decision must be made regarding your firm’s appetite for risk and consequently what level of investment in cyber security is appropriate. If you get a really determined hacker, who has a personal vendetta to target your firm, then it can be very difficult and very expensive to ensure your defences will keep them out. But these types of bespoke attacks are the exception; the vast majority of cyber-attacks are what in the trade we call “commodity attacks”, (more details of which can be found in my article “SRA Compliance and Client Confidentiality: Why Law Firms need to Think like Cyber Criminals!”), which exploit known vulnerabilities to obtain access to an organisation’s data.

And measuring your organisation’s defences against commodity attacks is something that can be done. Here at Connexion we have tools that allow us to scan a customer’s network from outside and/or inside their organisation to highlight any vulnerabilities from external cyber criminals or insider threats. This can either be done to provide a one-off security benchmark, on a periodic basis or even now on a continual real-time basis.

There are also accreditations such as the Government’s Cyber Essentials scheme, which I talked about in my article “Risk Management in Law Firms: Protecting your Firm from Cyber Crime”, or ISO 27001 for those organisations where the risks demand a higher level of data security.

For those organisations wanting a more in-depth audit and report on the state of their cyber security, with recommendations of any remedial actions they should implement in readiness for GDPR, we also conduct full GDPR cyber security readiness audits.

These types of vulnerability scanning services, accreditations and audits provide firms with a clear measure as to whether or not their cyber security defences are conforming to best practice, and also provide that vital documentary proof for GDPR compliance purposes (and indeed for your prospective customers and the SRA too), that you are taking cyber security seriously and doing everything in your power to safeguard the data your firm holds.

If this article has resonated with you and you would like more information about vulnerability scans, GDPR cyber security readiness audits or the Cyber Essentials scheme, then please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help.


Friday, 9 February 2018

Preparing for GDPR: Key Considerations for an Effective Security Patching Regime



In recent weeks most of you will have heard media coverage around the discovery of serious security flaws, known as Meltdown and Spectre, which affect almost every modern computer, and could potentially allow hackers to steal sensitive personal data. The three connected vulnerabilities have been found in processors designed by Intel, AMD and ARM.

I therefore thought today that it would be well worth sharing some information on not just these particular threats, but the wider issue of patching computer systems in order to protect confidential and/or personal data against the latest security threats.

Patches, also known as software fixes or updates, are released by software vendors on a regular basis and are designed to fix bugs within the software and put in place measures to mitigate newly discovered security threats. Patches are released regularly for operating systems (like Microsoft Windows) and for most business software applications, as well as for technical software such as anti-virus and backup programmes.

Applying these patches is very important for a number of reasons:-

* It helps to reduce your risk of falling victim to ransomware attacks, which, as the Wannacry attack in the NHS demonstrated last year, are extremely disruptive and can cause major business problems through downtime and loss of data, not to mention reputational damage and regulatory consequences.

* Exploiting known vulnerabilities is one of the commonest ways that cyber criminals may hack into or compromise your network. Such attacks are known as “commodity attacks”; more information on types of attack can be found in this blog. These commodity attacks often lead to data breaches and ensuing reputational damage to the business, commercial impact with customers and, again, potentially serious regulatory consequences.

Which brings me nicely on to GDPR.

Just this week I was reading a blog by the Information Commissioner’s Office (the data protection regulator in the UK), which defines their stance around patching in relation to GDPR, and I quote:-

“Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.” 

This statement brings clarity to the importance of applying security patches to your systems in a timely fashion. However, this may not be as straightforward as it first sounds. Firstly for larger businesses with remote workers or staff who use their own laptop or device for work, there is the logistical issue of how to ensure updates (which are coming out constantly) get deployed to all these end-user devices.

There are also servers to be updated which requires a structured process to ensure technical expertise is made available, suitable testing is carried out and the updates are organised in such a way as to minimise disruption to the business, such as arranging business-friendly downtime slots should the servers need to be rebooted in order to apply the patches.

Timeliness is also an issue, since cyber criminals are now actively “reverse engineering” fixes from software companies like Microsoft, so that they work out what vulnerability the update addressed, and then exploit that vulnerability in organisations who have not yet installed the appropriate patch.

There’s then the issue of testing patches to ensure they are not going to cause a problem with other software you are using on your PCs or servers, or cause your IT system to grind to a halt. There has already been much speculation around how much the updates for Spectre and Meltdown may slow down computers, and over the years I have seen several updates that have caused problems on customers’ networks. Having a roll-back plan that will work is vital to mitigate the risks when deploying any widespread PC update.

Finally, your cyber defences are only ever as good as your weakest link on any given day, so when it comes to patching, getting 99% of your devices updated is just not enough. With many cyber threats set to seek out the one device that isn’t patched, and enter your network via that device, it is vital that organisations have in place systems that give clear visibility over all devices on the network and their current patch status, and raise an alert for any device which has not been patched or where a patch has failed to deploy for any reason. It is all too easy for one computer to slip through the net if your systems for deploying updates are not highly structured – perhaps the device was turned off, the user rejected or postponed the update or there was a technical problem such as the computer running short of disk space.
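The visibility and alerting described above, as an added example (not code from the original post or from Connexion): a small Python report over a constructed patch inventory that treats a device as covered only when its patch is installed and it has checked in recently, and raises an alert for the ways a device slips through the net: a failed deployment, a postponed install, or a device that has been silent (switched off) since before the patch went out. The record fields, patch id and dates are assumptions for the example, not the output of any particular management tool.

```python
"""Patch-status visibility check over a constructed device inventory.

Added example, not from the original post. The point it demonstrates is that
"99% patched" is not a useful figure: the report only counts a device as
covered when its status can be trusted, and every other device gets a named
alert so someone can chase it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample inventory: one row per (device, patch).
# Field layout and the patch id are assumptions for this example.
INVENTORY = [
    # device,      patch id,         status,      last check-in (ISO 8601)
    ("LAPTOP-01",  "KB-EXAMPLE-001", "installed", "2018-02-08T09:00"),
    ("LAPTOP-02",  "KB-EXAMPLE-001", "postponed", "2018-02-08T11:30"),
    ("DESKTOP-07", "KB-EXAMPLE-001", "failed",    "2018-02-07T17:45"),
    ("DESKTOP-12", "KB-EXAMPLE-001", "installed", "2018-02-08T08:15"),
    ("LAPTOP-15",  "KB-EXAMPLE-001", "pending",   "2018-01-20T16:00"),  # off since January
    ("SERVER-01",  "KB-EXAMPLE-001", "installed", "2018-02-08T02:00"),
]

# A device that has not checked in for this long is treated as unknown,
# whatever status it last reported (assumed threshold for the example).
STALE_AFTER = timedelta(days=7)


@dataclass
class Alert:
    device: str
    patch: str
    reason: str


def patch_status_report(records, now_iso, stale_after=STALE_AFTER):
    """Return (coverage_fraction, alerts) for the given inventory.

    now_iso is the report time as an ISO 8601 string. A device counts as
    covered only if its status is 'installed' AND it has checked in within
    stale_after; anything else produces an Alert naming the reason.
    """
    now = datetime.fromisoformat(now_iso)
    alerts = []
    covered = 0
    for device, patch, status, seen in records:
        last_seen = datetime.fromisoformat(seen)
        if now - last_seen > stale_after:
            # No recent check-in: the device may be switched off or offline,
            # so its last reported status cannot be trusted either way.
            alerts.append(Alert(device, patch, f"no check-in since {seen}"))
        elif status == "installed":
            covered += 1
        elif status == "failed":
            alerts.append(Alert(device, patch, "deployment failed"))
        elif status == "postponed":
            alerts.append(Alert(device, patch, "user postponed install"))
        else:
            alerts.append(Alert(device, patch, f"status '{status}'"))
    coverage = covered / len(records) if records else 0.0
    return coverage, alerts


def is_fully_patched(records, now_iso, stale_after=STALE_AFTER):
    """True only when every device is covered and nothing needs chasing."""
    coverage, alerts = patch_status_report(records, now_iso, stale_after)
    return coverage == 1.0 and not alerts


if __name__ == "__main__":
    coverage, alerts = patch_status_report(INVENTORY, "2018-02-08T12:00")
    print(f"coverage: {coverage:.0%} of {len(INVENTORY)} devices")
    for a in alerts:
        print(f"ALERT {a.device} {a.patch}: {a.reason}")
    print("fully patched:", is_fully_patched(INVENTORY, "2018-02-08T12:00"))
```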

I hope this article has provided a useful insight into both the importance of, and the potential complications around, patching your computer systems. Here at Connexion we have highly structured processes and methodologies to deliver patch management to our customers, which include providing timely deployment of patches to all devices, clear visibility and alerting of any device that is missing a patch, and structured change control and rollback plans to minimise the risks around patch deployment. If you would like to find out more, please do not hesitate to contact me for a no obligation conference call on 0118 920 9600 or email james.stratton@connexion.co.uk.


Friday, 26 January 2018

GDPR for Law Firms: How to Protect Your Data from Insider Threats



In my recent blog I shared my 8 top tips to protect your data from cyber threats. However, threats to your data do not just come from external cyber criminals, so today I wanted to talk about ways to protect your data from insider threats.

So what do I mean by an insider threat?

Well this can be something like a rogue employee or a disgruntled ex-member of staff, but more likely it will be a genuine member of staff who accidentally causes a security breach or data loss.

Human error is actually one of the commonest causes of a data breach. In fact, according to Security Magazine, up to 70% of data breaches can be linked to internal security gaps. Since the GDPR obliges firms to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’ (Article 32), it is important to put in place policies and controls that will minimise the risks of such an occurrence.

Password policies would be one such measure. I'm sure most of us would agree that we would prefer to choose an easily memorable password, but these are often very easily guessable and as such do not provide the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck, as I have seen firms who have implemented very complex password policies, which demand long passwords with complex character sets and frequent password changes, which have resulted in staff feeling the need to write their passwords down - and having passwords recorded on sticky notes certainly doesn't demonstrate due care of confidential data under GDPR!

With a recent survey by PwC having shown that 70% of law firms have now either embraced or are in the throes of implementing remote or mobile working, there is also a whole new set of challenges to address around data security. Preventing data loss or data leakage from mobile devices is a key area that needs careful management under GDPR. With company emails now frequently being synchronised to personal mobile phones, and copies of data sometimes being copied to USB sticks or held on laptops or home computers to enable remote working, it is all too easy for confidential data to accidentally get lost if a device is mislaid, stolen or hacked. Equally staff can sometimes be unaware of the implications of having certain pieces of software on their laptop/smartphone/home computer and may be unwittingly backing up or synchronising confidential company data to an unsuitable or insecure location, or even outside the European Economic Area.

Having appropriate processes and procedures around starters and leavers is also key in ensuring that only authorised personnel have access to your confidential data. Equally, it is best practice to give staff only the minimum access to systems and data that is needed to do their job, in order to minimise risk from a data breach or deletion, whether accidental or deliberate. Staff education is also vital in ensuring that your systems are not compromised by fraud or ransomware, which are often started via rogue emails.

Controls around what software employees can run on their computers are also important, as it is all too easy for employees to unwittingly install software that creates network vulnerabilities which could allow a hacker to access the network. Alongside this, there is also the need to have processes in place that ensure all devices on the network are updated with the latest software security patches. These are released by the various software companies on a regular basis. Of course it is human nature if given a choice that staff will click on “no” or choose to postpone the installation of such updates, so as to avoid disruption to their busy working day, but by doing this staff can leave your network highly vulnerable to security threats. It is therefore important to have a centralised system for managing security updates, something I will discuss in more detail in a future blog.

Nowadays, it is also likely that external organisations or third parties may have legitimate access to some of your IT systems or data. In this case this needs to be secured in just the same way as it is for your own staff, so you are clear who has access to what parts of the system, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.

Hopefully the examples above serve to illustrate that a wide range of controls are needed to ensure that your firm is protecting its data from insider threats. From a GDPR perspective it is important that law firms are able to demonstrate that they have understood what personal data they hold, where it is stored, who has access to it and for what purpose. Since there is an obligation to be able to demonstrate that risks have been assessed and an appropriate level of security has been implemented, I would recommend that all law firms review their data access control policies, procedures and technologies to ensure that they are protecting their data in accordance with current best practice.

Such controls not only put firms back in control of their valuable data, but also minimise the risk of a data breach under GDPR.

I hope this article has given you a useful insight into the ways that you need to protect your data from insider threats, as well as external cyber security threats, when preparing for GDPR. If, having read this article, you are concerned that your data security policies may not be adequate for GDPR, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help. Our services include providing independent GDPR cyber readiness audits, vulnerability scans and consultancy around implementing technologies and processes to ensure your data security defences are in line with industry best practice.


Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Friday, 12 January 2018

GDPR Compliance for Law Firms: Disaster Recovery Considerations



In my last blog, I talked about data backup considerations when preparing your law firm for GDPR. Today I wanted to talk in more depth about disaster recovery.

With the best planning in the world, sometimes the unexpected does happen. We only have to look at the chaos caused in the NHS by the WannaCry ransomware attack to see the operational and commercial impact that computer systems downtime can cause, as well as the reputational damage.

It is therefore important, as part of your GDPR obligations to safeguard the data that your firm holds, that you have in place suitable disaster recovery plans that you could fall back on should the worst happen.

Part of this will be about having a technical disaster recovery plan in place that ensures you can recover your data and systems successfully and in a timely manner. Equally importantly, there also need to be plans in place to cover how you would operate in the interim and how you would communicate details of an IT failure to customers, staff, suppliers and the relevant regulator(s) to minimise the financial and reputational damage to your firm. Bear in mind that, in such a situation, many of the systems you normally rely on for your communications such as emails or contact databases may be unavailable, so the plan needs to provide for alternative ways to access these details and contact these people.

And to bring the subject of disaster recovery planning into perspective, whilst many law firms I talk to tend to associate IT downtime with large events such as fires or floods, the reality is that the majority of IT downtime has much more mundane causes, which can include hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. And in many cases the downtime is considerable. For example, according to Intermedia, 72% of companies infected with ransomware suffer two days or more without access to their files, while 32% are locked out of their files for at least 5 days.

Whether an outage is caused by ransomware, hardware failure, software failure or a wider scale disaster, it is critical in this situation that the disaster recovery plan is going to work effectively and in a timely manner. I find many businesses that put together a disaster recovery plan some years ago and left it in the fireproof safe ever since, without testing or updating. My experience is that this document needs to be constantly evolving, as use of technology in law firms has moved on rapidly, and what was an acceptable recovery plan even a year or two ago may now be totally inadequate. In addition, systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can impact on the technical success of a recovery.

So in order to ensure ongoing compliance and relevance, I always recommend that law firms continually reassess and test their plans around resilience, backup and disaster recovery, against the operational needs of their business and their regulatory compliance obligations. Some points to consider would include:

1. How long could your firm manage without access to each of its IT systems and data repositories? This is likely to vary from system to system; for example, you may be able to tolerate no downtime on your email, but it may be acceptable for an archived cases folder to be restored within 72 hours. So your disaster recovery plan needs to consider each system and data repository that you use, assessing how long your firm could cope without access to that system or data repository.

2. How much data, if any, could you afford to lose?
For each IT system and data repository you need to be clear how much data loss, if any, would be acceptable to the firm, in both commercial and regulatory terms, and tailor your backup and disaster recovery plans accordingly. If no data loss is acceptable, then a real-time replication solution should be considered, as part of a multi-layered backup approach (see more details in this blog). If some data loss is acceptable in a disaster scenario, then backups which run daily or hourly may be acceptable.

3. Does your current disaster recovery plan accurately reflect 1 and 2 above?
Your disaster recovery plan needs to be designed such that your objectives around downtime and data loss as defined above can be met.

4. Would your plan work if used “in anger” and are you able to demonstrate this?
In order to ensure success it is vital that the disaster recovery plan is tested on a regular basis. Testing, in my experience, almost always highlights errors or omissions in the plan which would cause an issue in a live disaster recovery invocation. Whether that’s a practical problem (something technical or operational in the plan doesn’t work) or whether it reveals that the time taken to carry out the recovery does not meet business objectives, or that all data cannot be recovered successfully, testing is paramount to provide the peace of mind that the plan will actually work when used “in anger”. Tests of disaster recovery plans also need to be documented, so there is clear evidence that plans exist, testing has been conducted, the plan has been shown to meet business and regulatory requirements and that any necessary remedial actions highlighted by the test have been actioned.

5. What is the process for reviewing and updating your disaster recovery plan?
With our use of technology constantly evolving, and regular changes to legislation, it is important that plans around backup and disaster recovery are regularly reviewed and re-assessed against the commercial and operational needs of the firm, as well as regulatory compliance requirements in relation to the SRA and GDPR.

I hope this has given you a useful insight into some of the key areas to consider around disaster recovery planning when preparing for GDPR. If, having read this article, you are concerned that your current disaster recovery plan may not be fully compliant, or may no longer meet your firm’s needs, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help, which include providing independent consultancy as well as (where required) implementing technologies and processes to ensure your disaster recovery plans meet your regulatory obligations and your business needs.

_________________________________________________________________________________


Friday, 8 December 2017

GDPR Compliance for Law Firms: Data Backup Considerations



In my recent blogs, I have penned a number of articles around preparing your law firm for GDPR from an IT perspective, including six key steps that firms need to be taking to ready themselves for GDPR, understanding where your data is stored, controlling access to your data and cyber security considerations.

In today’s article I wanted to focus on data backup, as I find that there can be much confusion about effective, compliant backup. It is quite common for law firms to think their data is safely backed up, only to find, when a problem arises that forces them to revert to their backup, that for any number of reasons it doesn’t work as they anticipated. Having an effective data backup strategy forms part of any organisation’s obligations to safeguard the data that they hold, much of which is likely to contain information that identifies individuals, and therefore falls under the scope of the GDPR.

There are a whole host of reasons why you need to backup your systems and data, for example to protect against:-
  • Ransomware attacks 
  • Deletions – accidental or malicious 
  • Data corruption 
  • Hardware failures 
  • Software problems 
  • Fire, flood or natural disaster 
As well as forming part of your firm’s GDPR preparations, having effective backup strategies in place to mitigate the types of risks listed above is also an important part of SRA compliance, since Principle 8 of the Code of Conduct states that you must “run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles”.

It is important to realise that there are many different types of backup, and they each provide protection against one or more of the above scenarios, but they do not all necessarily provide full protection against every scenario, so it may well be appropriate to deploy several different layers of backup.

A few things to think about include:-
  • If you are using removable media (hard disks or tapes) to backup your system, where do you store your backups? If they are onsite, then there is a danger that, say, a fire or natural disaster that incapacitates your live system could also wipe out your backup system. If you store them offsite, what is the procedure for recalling them to site in a disaster and how long would it take to retrieve them?
  • How often do you backup your data? If it is only nightly, then in a disaster you could lose up to a whole day’s work. What are your procedures to re-create this data? What about emails that have been lost? Would this be acceptable to the business, to the regulator and to your clients? If the answer is No, then you need to review the frequency with which you are taking backups.
  • Are your backups permanently connected to your live system (e.g. hard disks or online backup that presents itself as a drive on your machine or server)? If so, in the case of a ransomware attack, there is the danger that your backups could be encrypted as well as your live system and effectively rendered useless.
  • How many copies of your backups do you hold? Some organisations rely on a real-time cloud based backup or replication to another server to hold up-to-date backup data. Whilst this is very useful in some scenarios (e.g. a server hardware failure), as it ensures there is no data loss, in other scenarios it may not work well at all – for example, a data corruption that affects your live system will be immediately replicated to your cloud backup or standby server, thereby rendering it useless. It is therefore important that you also have a process in place that allows you to restore your data back to a given point-in-time: in this example, to before the corruption occurred.
  • Then there’s the question of what to restore your backups onto, which is something not everyone considers. In the case of a deletion, data corruption or ransomware attack you can restore your data back onto your existing hardware. But in the case of a hardware failure, flood, fire or natural disaster, you may no longer have server(s) to restore your backups onto. Purchasing new hardware and restoring backups onto it is no small task, and you can expect to be without your data and IT systems for several days if you haven’t pre-planned for this scenario.
  • This brings me onto the difference between data and systems backups, which is a fine distinction that is not always appreciated, but can make a huge difference in the event of an entire system needing to be restored. With data backups alone, whilst you have copies of your data, you do not have copies of your entire servers, which contain operating systems, software applications, settings, user IDs, policies and a myriad of other configuration settings as well as your data. Data backups provide excellent protection against things like data deletion, but do not provide a quick and easy way to recover a working IT network in the event of a complete server failure or fire, flood or natural disaster. In this case, if the recovery is to be in any way timely, you really need to be looking at a backup that takes a complete image of your entire server, not just your data.
  • Finally, any data recovery will only be successful if your backups have worked in the first place. I am constantly surprised by the number of businesses who fall foul of this and believe they have a working backup until the day they need to recover some data, or their entire system, when they find that those backups haven’t worked in full or, in some cases, at all. Having a business process in place to monitor the success of backups is paramount, as is regular testing to ensure the integrity and restorability of your backups.
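The backup questions above, together with the acceptable downtime (RTO) and acceptable data loss (RPO) objectives from the disaster recovery post, can be turned into a repeatable readiness check. This is an added example, not Connexion's own tooling: the system inventory, its objectives and the backup job log lines are all constructed for illustration.

```python
"""Backup / disaster recovery readiness check (added example, not Connexion's code).

For each system it checks the points raised in the post: backup frequency and
last good backup against the RPO, estimated restore time against the RTO,
whether a server image exists, whether any copy is offline and off-site,
whether point-in-time restores are possible, and whether the most recent
backup jobs actually succeeded.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SystemPolicy:
    """Per-system objectives and the backup arrangement meant to meet them."""
    name: str
    rto: timedelta              # how long the firm can manage without the system
    rpo: timedelta              # how much data loss (measured in time) is acceptable
    backup_interval: timedelta  # how often backups are taken
    restore_estimate: timedelta # time to rebuild hardware and restore from this backup type
    image_backup: bool          # full server image (True) or data-only backup (False)
    offline_copy: bool          # at least one copy not permanently connected to the live system
    offsite_copy: bool          # at least one copy held away from the office
    point_in_time: bool         # can restore to a chosen earlier state, not only "latest"


def parse_backup_log(text):
    """Parse constructed 'timestamp key=value ...' job lines; quoted values are kept whole."""
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, *tokens = shlex.split(line)
        job = {"ts": datetime.fromisoformat(ts_text)}
        for token in tokens:
            key, _, value = token.partition("=")
            job[key] = value
        jobs.append(job)
    return sorted(jobs, key=lambda j: j["ts"])


def assess(policies, jobs, now):
    """Return {system name: [finding, ...]}; an empty list means no gap was found."""
    findings = {}
    for p in policies:
        notes = []
        if p.backup_interval > p.rpo:
            notes.append(f"backup interval {p.backup_interval} exceeds RPO {p.rpo}")
        if p.restore_estimate > p.rto:
            notes.append(f"estimated restore time {p.restore_estimate} exceeds RTO {p.rto}")
        if not p.image_backup:
            notes.append("data-only backup: no server image for recovery after hardware loss")
        if not p.offline_copy:
            notes.append("every copy is connected to the live system: ransomware could encrypt backups too")
        if not p.offsite_copy:
            notes.append("no off-site copy: fire or flood could destroy live system and backups together")
        if not p.point_in_time:
            notes.append("no point-in-time restore: replicated corruption cannot be rolled back")
        mine = [j for j in jobs if j.get("system") == p.name]
        good = [j for j in mine if j.get("status") == "OK"]
        if mine and mine[-1].get("status") != "OK":
            notes.append(f"latest job {mine[-1].get('job')} failed: {mine[-1].get('error', 'unknown')}")
        if not good:
            notes.append("no successful backup recorded")
        elif now - good[-1]["ts"] > p.rpo:
            notes.append(f"last good backup is {now - good[-1]['ts']} old, beyond RPO {p.rpo}")
        findings[p.name] = notes
    return findings


# Constructed inventory for a small firm; the values are illustrative only.
POLICIES = [
    SystemPolicy("email", rto=timedelta(hours=1), rpo=timedelta(minutes=15),
                 backup_interval=timedelta(minutes=15), restore_estimate=timedelta(hours=1),
                 image_backup=True, offline_copy=True, offsite_copy=True, point_in_time=True),
    SystemPolicy("case-files", rto=timedelta(hours=72), rpo=timedelta(hours=24),
                 backup_interval=timedelta(hours=24), restore_estimate=timedelta(hours=48),
                 image_backup=False, offline_copy=True, offsite_copy=True, point_in_time=True),
    # "No data loss acceptable" handled only by hourly backup plus always-on replication.
    SystemPolicy("practice-mgmt", rto=timedelta(hours=4), rpo=timedelta(0),
                 backup_interval=timedelta(hours=1), restore_estimate=timedelta(hours=2),
                 image_backup=True, offline_copy=False, offsite_copy=True, point_in_time=False),
]

# Constructed backup job log lines (not real output from any product).
BACKUP_LOG = """\
2018-01-10T01:05:12 job=email-15min system=email status=OK bytes=1203455
2018-01-12T05:50:00 job=email-15min system=email status=OK bytes=1210908
2018-01-10T23:09:48 job=cases-daily system=case-files status=OK bytes=98822011
2018-01-11T23:10:02 job=cases-daily system=case-files status=FAILED error="tape not present"
2018-01-11T05:00:00 job=pms-hourly system=practice-mgmt status=OK bytes=5500001
"""
NOW = datetime(2018, 1, 12, 6, 0, 0)  # the moment the check is run (constructed)


def run_check():
    """Assess the constructed inventory against the constructed log."""
    return assess(POLICIES, parse_backup_log(BACKUP_LOG), NOW)


if __name__ == "__main__":
    for system, notes in run_check().items():
        print(system, "- OK" if not notes else "")
        for note in notes:
            print("   -", note)
```

In the constructed data, email passes, case-files shows the missing server image, the failed tape job and a stale last good backup, and practice-mgmt shows the replication-only pitfalls the post describes.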
I hope that this article has helped to highlight that data backup is actually a complex issue, which almost always requires a multi-layered approach, combined with structured business processes, to be successful. If, having read this article, you are concerned that your data backup strategy may not be fully compliant, or may no longer meet your firm’s needs, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help, which include undertaking an independent audit of your backup procedures, and/or providing technologies and processes that ensure your backups meet your regulatory obligations and your business needs.

_________________________________________________________________________________


Friday, 20 October 2017

SRA Compliance and Client Confidentiality: Why Law Firms need to Think like Cyber Criminals!



Solicitors are obliged under the Code of Conduct to maintain effective systems and controls to mitigate risks to client confidentiality, client money, and to overall compliance with SRA regulatory arrangements.

Whilst the SRA has stated that being hacked, or falling victim to malware, is not in itself a crime or necessarily a failure to meet their regulatory requirements, they do expect firms to take proportionate steps to protect themselves and their clients' money and information from cybercrime attacks while retaining the advantages of advanced IT. If a law firm does lose client money or information to cybercrime the SRA will consider whether there has been a breach of the Code of Conduct. When deciding whether to take action against a firm, the SRA have stated that they will take into account whether the firm had adopted reasonable systems and controls to protect against the risk.

With the SRA already receiving around 40 reports of confidentiality breaches each month, it is important that all solicitors and firms take care to understand the threats and how to avoid them. I therefore today wanted to talk about the types of cyber threats that exist and some of the more sophisticated modern ways that law firms can manage their risk around data breaches and cyber-crime.

In order to mitigate the risks, it is important firstly to understand the different types of cyber-attack that exist. These broadly fall into two categories: commodity attacks and bespoke attacks.

Commodity Attacks

Commodity attacks are where cyber criminals use widely available tools that exploit known vulnerabilities in software or operating systems in order to hack into your system or compromise it. These types of attacks are easy to deploy and don’t need much technical knowledge. Indeed, some of the most destructive types of cyber-attacks, such as ransomware, are now widely available for would-be cyber criminals to purchase as an off-the-shelf package and deploy as they wish. This type of ransomware-as-a-service means that cyber criminals need minimal technical knowledge and have the opportunity to make plenty of quick and easy money.

So it is little wonder that this type of threat is becoming more and more prevalent. In fact a recent survey by Kaspersky showed that the number of ransomware attacks on businesses tripled last year, with a company now being hit with ransomware every 40 seconds. The same survey showed that 71% of companies targeted by ransomware attacks have been infected.

We now also have the situation where the more sophisticated hackers are making a point of reverse engineering security fixes that vendors like Microsoft bring out to patch newly discovered security loopholes. This means that unless you have applied the security fixes to every device on your network very promptly, there is a real danger that you will be compromised.

As the motivation behind these sort of attacks is generally about making money, whether that be through demanding ransoms to give you back your data or through stealing confidential information to sell it on, the cyber-criminal is generally not picky who he targets and as such commodity attacks tend to be widespread.

Bespoke Attacks

While the vast majority of cyber security attacks are commodity attacks, a small number are bespoke attacks. These are very different, as they are attacks where cyber criminals target one or more individual companies for a specific reason e.g. to steal IP, or cause reputational damage.

Again cyber criminals will start by using commodity attack tools to find out if there is an easy way to compromise your system. In many cases this will provide a route in, but if not, then the cyber criminals will take time to research your organisation, your security, individual employees, social media activities and much more through a wide range of digital reconnaissance and sometimes physical reconnaissance measures and then develop bespoke hacking tools to attempt to breach your defences. These types of attacks are carried out by much more sophisticated and determined cyber criminals.

So how can Law Firms manage their risk around Cyber Threats?

Well putting yourself into the mindset of the cyber-criminal is a really good starting place. He or she is going to be looking for known vulnerabilities in your system where they can get in. These vulnerabilities are a constantly moving target, because software updates are coming out from software application vendors, operating system vendors like Microsoft and security software vendors the whole time. So the scary reality of the situation is that while your data may be fully protected at 9am this morning, by 10am you may be vulnerable.

So the key here is to be constantly, in real-time, scanning your system for vulnerabilities, using the same tools that the cyber-criminal is using. This way you see your network through the eyes of the hacker and can pre-empt his next move. Of course, the quantity and skillset of human resources required to do this manually would be cost prohibitive for most small and medium sized firms. However, we are now working with law firms to implement automated real-time unified security management systems which carry out just this function. So rather than a vulnerability scan being carried out on the network say once a year (which provides a useful benchmark, but only tells you that your data is secure at that one moment in time), these systems carry out a continuous vulnerability scan on your system, all day, every day. Such continuous vulnerability scanning allows risks to be highlighted immediately, and reported back in real-time to our Security Operations Centre. Working with our clients we then ensure these latest security loopholes are closed down immediately, so that your firm is kept one step ahead of the cyber criminals.

I hope this article has given you some useful insight into the approach of cyber criminals and the ways you can minimise your risk of becoming a target of a cyber-attack or data breach. If you would like to find out more about this topic, or you would like information on our continuous vulnerability scanning solution or indeed if you would like to arrange a one-off vulnerability scan of your network to see how your cyber defences currently measure up, then please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when it will be my pleasure to speak with you.

If you would like to read other articles in our series of informational resources for senior partners at Law firms, please visit our blog at http://legalsectorit.blogspot.co.uk/

_________________________________________________________________________________


Friday, 6 October 2017

Risk Management in Law Firms: Protecting your Firm from Cyber Crime


With a recent news release from the SRA revealing that cyber crime is rapidly escalating, with almost double the number of cyber thefts being reported in the first quarter of 2017 compared with the same time last year, and triple the amount of money being stolen, I today wanted to talk about pragmatic approaches to minimising your firm’s risks of being targeted by cyber criminals.

Cyber crime is now prolific, with law firms unfortunately being a natural target due to the large amounts of confidential information and high value financial transactions that they are dealing with. Indeed according to the SRA, in the last year (April 2016 to March 2017) they have seen cases involving around £11m of losses.

Property transactions are a particularly high risk to client money, but cyber criminals also target inheritance money and law firms’ own money too.

In addition to SRA compliance breaches and subsequent action, any such event can also cause massive reputational damage to a law firm.

So how can law firms protect themselves from these cyber threats?

Firstly, I would say that it is vital that a joined-up approach is taken to cyber security management, as in the ever evolving threat landscape, it is nowhere near enough to just be relying on one or two technical measures like some anti-virus software and a firewall. Rather the firm’s cyber security strategy must involve senior partners, as well as technical personnel, and be formulated as an integrated suite of risk management measures encompassing business processes, technologies, staff training and procedures.

I would also recommend that, as a starting point, law firms look at the Cyber Essentials scheme, a government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks. Whilst by no means protecting against every possible threat, the Cyber Essentials scheme does provide a framework for good practice around cyber security, covering five technical controls:
  1. Boundary firewalls
  2. Secure configuration
  3. User Access control 
  4. Malware protection (including ransomware) 
  5. Patch management 
We are already in the throes of working with several of our clients to implement Cyber Essentials, which they see as having a plethora of business benefits including assisting with regulatory compliance, demonstrating care of personal data for GDPR compliance purposes, demonstrating to clients and potential clients that they are safeguarding their data and their money, and ensuring that their firm’s risk of suffering costly downtime and/or reputational damage is minimised.

Additionally, the government already requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme, and it is clear to me that these types of accreditations and requirements are only set to continue and grow, as they inevitably percolate all the way up through the supply chain. Indeed the SRA Cyber Security roundtable this spring also recommended that firms should consider the benefits of this scheme in protecting themselves from cyber-attacks.

Over coming blogs, I will be exploring in more depth some of the key ways law firms can manage the risks posed by cybercrime. In the meantime, if you are concerned about your firm’s cyber security compliance position, or you would like to find out more about the Cyber Essentials scheme, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

_________________________________________________________________________________


Friday, 22 September 2017

GDPR Compliance for Law Firms: Cyber Security Considerations



In my recent blogs I talked about the importance of understanding your data and controlling access to your data in readiness for GDPR. In today's article I wanted to talk about securing your information systems from cyber security threats.

Protecting your firm against data breaches forms an important part of GDPR compliance, since you need to be able to demonstrate that you are taking proper care of the personal data that your firm holds.

Law firms, unfortunately, are a natural target for cyber criminals, as they are dealing with so much confidential material, ranging from personal data, to trade secrets, to large financial transactions, through to the personal affairs of high profile clients.

There are a wide range of factors to consider here, which will include:

1. How is your network secured from threats like malware, ransomware and hackers? In days gone by a firewall and some antivirus software would largely do the job, but with the constantly evolving threat landscape this is no longer the case and a much more sophisticated suite of procedures, processes and technologies is needed to provide full protection.

2. What are your procedures for applying security updates to your systems? New security threats are emerging daily and software vendors are releasing a constant stream of fixes and patches to try and mitigate the risks from these threats. Therefore it is critical that you apply these security fixes to both your servers and your PCs/laptops in a timely fashion. Indeed, the timeliness of updates has now become even more critical since some cyber criminals are now reverse engineering the fixes from vendors such as Microsoft, in order that they can see what vulnerabilities have been fixed, and using that information to directly target those vulnerabilities in organisations who have not applied the appropriate update to their systems.

3. What safeguards, procedures and policies do you have around mobile working? How is confidential client data kept separate from personal data on phones or home computers? Can you remotely wipe data off a device that is stolen or lost? What are your policies around data encryption on mobile devices? What are your policies around use of open public Wi-Fi? (If you are unclear of the dangers associated with this, please see this case study on the Law Society’s website.) What are your policies around file sharing services such as Dropbox? How do you guarantee confidential data is not accidentally made web facing? If you are using cloud based systems to facilitate remote working, do you understand where the provider is actually storing your confidential data, and is this within the European Economic Area?

4. What are your procedures around physical security of your servers and IT equipment? Having good cyber security in place is critical, but if someone can access your server room or acquire a laptop or smartphone containing confidential data, then the very best cyber security systems can be rendered useless.

5. How do you manage secure disposal of old PC and server equipment? Equipment that is end-of-life and being replaced will often contain confidential data or emails, and therefore it is important that it is properly wiped, to guarantee that data cannot be restored.

6. How are your staff educated to ensure they are aware of the latest cyber security threats? It is all too easy to click on seemingly legitimate attachments or web links which may actually contain malicious code, and with new threats constantly emerging, the vigilance of your staff in being able to spot such scams will form part of your defence strategy.

7. What contingency plans do you have to fall back on should the worst happen? These should include incident response plans, tested backups and full disaster recovery plans.

8. How do you ensure that your defences are constantly being monitored and that your procedures around cyber security are constantly reviewed and updated? Given the constantly changing threat landscape, it is critical that procedures and controls around cyber security are regularly reviewed and updated. Software that provides one-off or ongoing vulnerability scanning of your network can be particularly useful in this regard – a topic in its own right which I will cover in more detail in a future blog.

Over coming blogs, I will be exploring in more depth some of the key ways law firms can manage the risks posed by cybercrime. In the meantime, if you are concerned about your firm’s cyber security compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

_________________________________________________________________________________

Friday, 18 August 2017

GDPR Compliance for Law Firms: Controlling Access to Your Data



Following my recent blog posts Preparing your Law Firm for GDPR and GDPR Compliance for Law Firms: Just Where is your Confidential Data?, I have received a number of enquiries from law firms as to the ways in which they should be controlling access to their data, so today I thought it would be worth sharing some information on this important topic.

Securing your data in readiness for GDPR broadly falls into two categories – access control (ensuring that authorised users can reach only the data they need) and cyber security (protection against unauthorised access). Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your law firm’s data, and forms an important part of preparing your firm’s information systems for GDPR compliance.

GDPR places accountability on law firms to have in place policies, procedures and documentation that demonstrate the personal data they hold is stored securely. Bear in mind that personal data is any information relating to an identified or identifiable living individual, which can be as simple as a name or email address, so it quickly becomes apparent that this is likely to cover the vast majority of a firm’s data.

Therefore, for each system or data set that you hold, it is important to understand, and have documented, who has access to that data and what level of access they have (read only, or the ability to change and delete). Bear in mind that it is best practice to give each user the minimum access they require to do their job, granted through role-based groups rather than to individuals, so that access can be reviewed and revoked consistently. Allowing staff wider access puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware attack (which can only encrypt what the infected user’s account is able to write to) or malicious insider threats.

As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important that there are procedures in place to cover what happens when somebody leaves the company or changes role.

Appropriate password policies are also very important. If policies allow staff to choose an easily guessable password, or allow a password to stay in use even after it is suspected of having been compromised, then there is a danger that data security will be compromised, which does not demonstrate the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck, as overly complex password policies, which demand long and complex passwords that frequently change, can result in staff feeling the need to write their passwords down - and having passwords recorded on sticky notes certainly doesn't demonstrate due care of confidential data under GDPR! Note that current NCSC guidance is not to force routine password expiry at all, but instead to favour length over complexity rules, to screen new passwords against lists of common and breached passwords, to throttle or lock out repeated failed logins, and to add two-factor authentication for remote and privileged access.
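To make the "screening rather than complexity rules" approach concrete, here is an added example (Python I have written for this post, not code from the original article or from any product) of the check a firm could run when a user sets a new password. The deny list is a constructed handful of entries standing in for a full common/breached-password list, and the 12-character minimum and the firm name are assumed policy values.

```python
import re
from typing import List

# Constructed deny list standing in for a full common- or breached-password list
# (a real deployment would load thousands of entries from a file); an assumption.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "solicitor", "chambers", "monday",
}

# Assumed policy value, not taken from the post.
MIN_LENGTH = 12

# Character substitutions people use to "strengthen" a dictionary word.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "!": "i", "4": "a"})


def variants(password: str) -> set:
    """Forms of the password to test against the deny list: lower-cased,
    with trailing digits/punctuation removed, and with leetspeak undone,
    so that "P@ssw0rd1" is recognised as "password"."""
    base = password.lower()
    forms = {base, base.rstrip("0123456789!?.")}
    forms |= {f.translate(LEET) for f in list(forms)}
    forms |= {f.rstrip("0123456789!?.") for f in list(forms)}
    return forms


def check_password(password: str, username: str, firm_name: str = "connexion") -> List[str]:
    """Return the policy rules the password fails; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    forms = variants(password)
    if forms & COMMON_PASSWORDS:
        problems.append("matches a common or breached password")
    if username and any(username.lower() in f for f in forms):
        problems.append("contains the username")
    if firm_name and any(firm_name.lower() in f for f in forms):
        problems.append("contains the firm name")
    if re.fullmatch(r"(.)\1+", password):
        problems.append("is a single repeated character")
    if re.fullmatch(r"[0-9]+", password):
        problems.append("is all digits")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Connexion2017!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, "jsmith") or "accepted")
```

Note that no rule here demands a capital letter or a symbol: a long passphrase with none of them passes, while "P@ssw0rd1" fails on both length and the deny list.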

Nowadays, it is also likely that external organisations or third parties may have legitimate access to some of your data. In this case this needs to be secured in just the same way, so you are clear who has access to what data, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.
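The points above on least-privilege access, on starters, movers and leavers, and on third-party access all come down to the same periodic access review. As an added example that is not part of the original post, the Python script below runs such a review over a constructed directory of accounts, group memberships and ACL entries; all of the accounts, share paths, group names and review dates are made up for illustration. It builds the "who has access to what" register the post asks for, and flags grants to broad built-in groups, accounts belonging to leavers, accounts that are not in the directory at all, and third-party access whose review date has passed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Groups whose membership is effectively "everyone in the firm"; a grant to one
# of these cannot satisfy least privilege for a share holding personal data.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
RANK = {"read": 1, "modify": 2}


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                          # "staff" or "external"
    status: str                        # "active" or "left"
    review_due: Optional[date] = None  # externals: date by which access must be re-approved


@dataclass(frozen=True)
class Grant:
    dataset: str    # share, folder or system holding personal data
    principal: str  # user or group name on the ACL
    rights: str     # "read" or "modify"


# Constructed directory, group membership and ACL entries (assumptions, not real accounts).
PRINCIPALS = {
    "asmith": Principal("asmith", "staff", "active"),
    "bjones": Principal("bjones", "staff", "left"),
    "ext-costs": Principal("ext-costs", "external", "active", date(2017, 6, 30)),
    "ext-auditor": Principal("ext-auditor", "external", "active", date(2018, 3, 31)),
}
GROUPS = {
    "Conveyancing Team": ["asmith", "bjones"],
    "Finance": ["asmith", "ext-auditor"],
}
GRANTS = [
    Grant(r"\\fs01\clients\conveyancing", "Conveyancing Team", "modify"),
    Grant(r"\\fs01\clients\conveyancing", "Everyone", "read"),
    Grant(r"\\fs01\finance\ledgers", "Finance", "read"),
    Grant(r"\\fs01\finance\ledgers", "ext-costs", "modify"),
    Grant("PracticeManagement", "Domain Users", "modify"),
    Grant("PracticeManagement", "cjohnson", "modify"),
]


def expand(principal: str, groups: Dict[str, List[str]]) -> Set[str]:
    """Resolve a group name to its member accounts; anything else is a single account."""
    return set(groups.get(principal, [principal]))


def access_register(grants: List[Grant], groups: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """The 'who has access to what' record: dataset -> {account or broad group: highest rights}."""
    register: Dict[str, Dict[str, str]] = {}
    for g in grants:
        entry = register.setdefault(g.dataset, {})
        for who in expand(g.principal, groups):
            if RANK[g.rights] > RANK.get(entry.get(who, ""), 0):
                entry[who] = g.rights
    return register


def review(grants: List[Grant], principals: Dict[str, Principal],
           groups: Dict[str, List[str]], as_of: date) -> List[Tuple[str, str, str]]:
    """Return (dataset, finding code, detail) for every grant that breaks the rules."""
    findings = []
    for g in grants:
        if g.principal in BROAD_GROUPS:
            findings.append((g.dataset, "broad-group", f"'{g.principal}' has {g.rights} access"))
            continue
        for who in expand(g.principal, groups):
            p = principals.get(who)
            via = f" via '{g.principal}'" if who != g.principal else ""
            if p is None:
                findings.append((g.dataset, "unknown-account",
                                 f"'{who}' is not in the staff or third-party directory{via}"))
            elif p.status == "left":
                findings.append((g.dataset, "leaver",
                                 f"'{who}' has left but still holds {g.rights} access{via}"))
            elif p.kind == "external" and p.review_due is not None and p.review_due < as_of:
                findings.append((g.dataset, "third-party-review-overdue",
                                 f"'{who}' access review was due {p.review_due.isoformat()}{via}"))
    return findings


def run_review(as_of_iso: str = "2017-08-18") -> List[Tuple[str, str, str]]:
    """Run the review over the constructed data as of the given ISO date."""
    return review(GRANTS, PRINCIPALS, GROUPS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for ds, who in access_register(GRANTS, GROUPS).items():
        print(ds, who)
    for finding in run_review():
        print(*finding)
```

On a Windows file server the grants would come from an icacls or Get-Acl export and the account status from Active Directory and the HR leavers list; the logic of the review is the same, and running it on a schedule is what turns the one-off audit into a demonstrable procedure.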

Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to be residing on all kinds of devices, both company owned and employee or third-party owned, which do not necessarily conform to the firm’s security standards. Developing policies around mobile working and ensuring there is not leakage of data or unauthorised access to data form a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.

Finally, bear in mind that it is not just your main company-wide IT systems that fall under the GDPR. Any structured filing system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures any spreadsheets or databases that have been developed by an individual or department and which contain personal data.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

If you would like to read other articles in our series of informational resources for senior partners at Law firms, please visit our blog at http://legalsectorit.blogspot.co.uk/


Friday, 4 August 2017

GDPR Compliance for Law Firms: Just Where is your Confidential Data?



This may sound like an odd question, as I’m sure many of you will be certain you know just where all your confidential and personal data is held. But do you really? And does it matter?

Any business's data is precious, but none more so than that of law firms who are privy to so much confidential information and who must meet their SRA regulatory obligations to maintain client confidentiality.

Not only do law firms hold much personal data, which is governed by the Data Protection Act and forthcoming GDPR legislation, they also hold a wealth of commercially confidential details ranging from large financial transactions, to trade secrets, through to the personal affairs of high-profile clients.

But in the globalised world in which we now operate, with increasing demands for remote working, there is a real danger that your precious business data may be scattered across the world. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data and/or emails?

And then there’s data that has been shared with business partners and other third-party organisations. And data that has, for whatever reason, found its way onto file sharing services like Dropbox or USB sticks.

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs. The cloud takes many forms, from well-known public cloud offerings, through to private cloud environments and individual cloud-based software applications. Understanding which of these your firm is using, and where your data is actually being stored as a consequence, is paramount if you are to meet your obligations under GDPR, which include not transferring personal data to, or storing it in, countries outside the European Economic Area unless the European Commission has found that country’s data protection to be adequate or other appropriate safeguards, such as standard contractual clauses, are in place. Indeed, aside from GDPR, data residency is a major concern for law firms from a jurisdiction point of view as well.

There are also copies of data taken for backup purposes to consider. And do bear in mind this is not just your scheduled backups of your in-house servers, but can be backups that you may not even be aware of, such as automatic cloud backup software which may be installed on employee-owned devices, copying confidential company data to an unknown provider’s cloud storage, in an unknown location, unbeknown to anyone. Indeed, many of you may have read about a case earlier this year when an unnamed barrister was fined by the ICO (the data protection supervisory body in the UK), after 725 unencrypted documents containing information belonging to up to 250 people, including vulnerable adults and children, were uploaded to the internet when the barrister’s husband updated software on the couple’s home computer. These documents were visible to an internet search engine and the breach only came to light after a local government solicitor informed her chambers that documents containing confidential and sensitive information could be accessed online. Under GDPR, the financial and reputational consequences of such a breach could be crippling, so it is imperative that law firms have a real understanding of where their data is.

In general terms, the more widespread and less controlled your data is, the more vulnerable you leave your law firm to a security breach. So understanding what data you hold, where it is stored and who has access to it, is absolutely critical. This in turn needs to be documented, both so that the Senior Partners have understanding of, and control over, their data and to provide documentation for compliance and audit purposes. This not only puts firms back in control of their valuable data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.
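Knowing where the data is starts with actually looking. As an added example, not part of the original post, the Python script below scans a folder tree for text files containing the kinds of personal data that tend to end up in the departmental spreadsheets and stray notes mentioned in the post above: email addresses, UK National Insurance numbers and UK mobile numbers. The sample files it creates are constructed (the mobile number is in Ofcom’s 07700 900xxx range reserved for fiction), the NI pattern is a simplified one that does not apply every prefix rule, and only plain-text formats are read; office documents would need a text extractor in front of it, which is an assumption left to the reader.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Patterns for personal data likely to sit in a stray spreadsheet or note.
# The NI pattern is simplified (not every prefix rule is applied); an assumption.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
}
# Only plain-text formats are read here; office documents need a converter (an assumption).
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".log", ".json", ".xml", ".html"}
MAX_BYTES = 5_000_000  # skip very large files rather than read them whole


def scan_text(text: str) -> Dict[str, int]:
    """Count matches per pattern, keeping only the patterns that hit."""
    counts = {name: len(pat.findall(text)) for name, pat in PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}


def scan_tree(root: Path) -> List[Tuple[str, Dict[str, int]]]:
    """Walk a folder and report every text file containing personal data, most hits first."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        # errors="ignore" keeps the scan going over files with odd encodings
        counts = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        if counts:
            hits.append((path.relative_to(root).as_posix(), counts))
    return sorted(hits, key=lambda h: -sum(h[1].values()))


def build_sample_tree(root: Path) -> Path:
    """Constructed sample files (not real client data) for the demonstration."""
    files = {
        "clients/matters.csv": (
            "matter,client,email,ni\n"
            "M1001,Jane Doe,jane.doe@example.com,AB 12 34 56 C\n"
            "M1002,John Roe,john.roe@example.org,\n"
        ),
        "hr/starters.txt": "New starter A N Other, NI AB123456C, mobile 07700 900123\n",
        "notes/readme.txt": "Office closed on the bank holiday Monday.\n",
        "finance/ledger.bin": "\x00\x01binary\x02",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def run_demo() -> Dict[str, Dict[str, int]]:
    """Build the sample tree in a temporary folder, scan it and return {file: counts}."""
    with tempfile.TemporaryDirectory() as d:
        return dict(scan_tree(build_sample_tree(Path(d))))


if __name__ == "__main__":
    for rel, counts in run_demo().items():
        print(f"{rel}: {counts}")
```

Pointed at a file server, a shared drive or a mounted laptop image, the output is a first draft of the data inventory: which files hold personal data, how much, and therefore which ones need an owner, an access control entry and a retention decision.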

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.


Friday, 21 July 2017

Preparing your Law Firm for GDPR



The new EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and represents the most radical change in data protection legislation in the last 20 years. GDPR has been developed to reflect the changing use of data in the digital world in which we now live, and is designed to enable citizens to benefit from modern digital services, whilst providing sound, well formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.

Failure to comply will have potentially catastrophic implications for companies, for two reasons:

1. For the most serious infringements, the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual worldwide turnover, whichever is the higher (a lower tier of up to €10 million or 2% applies to other infringements, such as failing to keep adequate records or to notify a breach).

2. Breaches that are likely to result in a risk to individuals have to be notified to the data protection authority within 72 hours of the firm becoming aware of them, and to the individuals affected without undue delay where the risk to them is high. This leaves the firm concerned highly exposed to brand damage and potential customer pay outs.

Whilst law firms already have onerous SRA compliance responsibilities to meet in relation to data protection, many may still need to broaden their security measures and precautions in order to meet GDPR, as well as ensuring that they have in place the necessary written SOPs and can provide documentary evidence to demonstrate compliance.

So what do law firms need to be doing to prepare for GDPR?

Well this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the type of things you should be considering include:

1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.

2. Identify threats to this data. This could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if firms are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.

3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. This is very important if you are to avoid data breaches and hence the crippling fines and reputational damage that would be brought about by this.

4. Put together a new or updated data protection policy and train employees on it. This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant.

5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up-to-date with best practice around security and data protection.

6. Create a breach notification plan. This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your firm.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.

Friday, 7 July 2017

Secure Remote Working for Law Firms



Most law firms I speak to these days are keen to embrace the commercial benefits that remote working can deliver for their firm, allowing their fee earners to work from home or other remote locations, thus maximising their time and productivity as well as facilitating more flexible working practices.
However, given the wealth of highly confidential data that law firms are dealing with on a daily basis, there are naturally also concerns about the implications of providing remote access and whether this could compromise client confidentiality, SRA compliance or data protection.

There is no doubt that a myriad of risk management issues exist around cyber security, as those who read my previous blog Effective Cyber Security for Law Firms will have seen. 

However, there is much that can be done to mitigate these risks, and enjoy the best of both worlds, by deploying well designed, well managed, highly secure technologies that ensure that no data ever leaves the security of your law firm’s servers or data centre.
As an example of this, I’d like to share a recent implementation we have completed for a UK law firm, where there was a pressing business need to provide secure remote access to all their systems for their fee earners. In this case, the solution designed allowed nominated staff to access their full computer desktop from any internet-connected laptop or computer, at any location. As well as the normal office suite of applications and email, the system provided fee earners with full access to their practice management software, dictation software and all their files. The key here was that all data and applications remained at all times on the law firm’s highly secure, tightly managed back-end servers, with the end user device effectively just providing a “window” into that system. In this manner data remained centralised, subject to the firm’s stringent security policies, safely backed up and never transferred to individual fee earners’ personal devices. A number of additional layers of security were also put in place, including two-factor authentication via SMS message, which requires a logon from outside the office to be authenticated via a text message to the individual’s mobile phone, thus providing an additional level of security over and above a password alone.
 
In other cases, where law firms are receiving emails on their personal smartphones, and thus copies of potentially confidential data have been transferred outside the secure environment of their servers, we work with their in-house IT department to implement robust mobile device management solutions. These provide the firm with the control needed over corporate data that is on staff members’ own devices, but cleverly allow a separation of work and personal data on the smartphone, so that the firm has all it needs to control data from a compliance perspective, but that control does not interfere with or extend to the user’s personal applications and data, such as photographs or personal emails. As well as PIN-protecting company email, such solutions can be configured with a variety of policies that allow the network administrator to lock or wipe the corporate data from the device remotely and immediately in the event of an issue such as a device being mislaid or a staff member leaving.
So, whilst nothing in life is completely without risk, with the right advice, people, technology and structured processes in place, there are certainly effective ways that law firms can achieve mobility without compromising confidentiality or compliance.
Over coming blogs, I will be exploring in more depth some of the key issues around successful use of IT in law firms, including protecting both client confidentiality and the structural and financial stability of your law firm, through appropriate risk management. In the meantime, if you would like to know more about secure remote working solutions for law firms, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.