Welcome to my blog, designed to keep Senior Partners, COLPs and Practice Managers at law firms and solicitors' practices up to date with IT in the legal sector. As someone who is passionate about the effective use of IT in law firms, I wanted to use this forum to share best practice, discuss common challenges and highlight ways that technology can be used to deliver real commercial value to law firms, as well as addressing key challenges around cyber security, SRA compliance and GDPR compliance.
Friday, 26 January 2018
GDPR for Law Firms: How to Protect Your Data from Insider Threats
In my recent blog I shared my 8 top tips to protect your data from cyber threats. However, threats to your data do not just come from external cyber criminals, so today I wanted to talk about ways to protect your data from insider threats.
So what do I mean by an insider threat?
Well, this can be something like a rogue employee or a disgruntled ex-member of staff, but more likely it will be a genuine member of staff who accidentally causes a security breach or data loss.
Human error is actually one of the commonest causes of a data breach. In fact, according to Security Magazine, up to 70% of data breaches can be linked to internal security gaps. Since the GDPR obliges firms to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’ (Article 32), it is important to put in place policies and controls that will minimise the risks of such an occurrence.
Password policies would be one such measure. I'm sure most of us would agree that we would prefer to choose an easily memorable password, but these are often very easy to guess and as such do not provide the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck. I have seen firms implement very complex password policies, demanding long passwords with complex character sets and frequent password changes, with the result that staff feel the need to write their passwords down - and having passwords recorded on sticky notes certainly doesn't demonstrate due care of confidential data under GDPR!
With a recent survey by PwC having shown that 70% of law firms have now either embraced or are in the throes of implementing remote or mobile working, there is also a whole new set of challenges to address around data security. Preventing data loss or data leakage from mobile devices is a key area that needs careful management under GDPR. With company emails now frequently being synchronised to personal mobile phones, and copies of data sometimes being copied to USB sticks or held on laptops or home computers to enable remote working, it is all too easy for confidential data to accidentally get lost if a device is mislaid, stolen or hacked. Equally, staff can sometimes be unaware of the implications of having certain pieces of software on their laptop/smartphone/home computer and may be unwittingly backing up or synchronising confidential company data to an unsuitable or insecure location, or even outside the European Economic Area.
Having appropriate processes and procedures around starters and leavers is also key in ensuring that only authorised personnel have access to your confidential data. Equally, it is best practice to give staff only the minimum access to systems and data that is needed to do their job, in order to minimise risk from a data breach or deletion, whether accidental or deliberate. Staff education is also vital in ensuring that your systems are not compromised by fraud or ransomware, which are often started via rogue emails.
Controls around what software employees can run on their computers are also important, as it is all too easy for employees to unwittingly install software that creates network vulnerabilities which could allow a hacker to access the network. Alongside this, there is also the need to have processes in place that ensure all devices on the network are updated with the latest software security patches, which are released by the various software companies on a regular basis. Of course, it is human nature that, given the choice, staff will click “no” or postpone the installation of such updates to avoid disruption to their busy working day, but by doing so they can leave your network highly vulnerable to security threats. It is therefore important to have a centralised system for managing security updates, something I will discuss in more detail in a future blog.
Nowadays, it is also likely that external organisations or third parties may have legitimate access to some of your IT systems or data. Such access needs to be secured in just the same way as access for your own staff, so that you are clear who has access to which parts of the system, why it is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties as business relationships evolve and change.
Hopefully the examples above serve to illustrate that a wide range of controls are needed to ensure that your firm is protecting its data from insider threats. From a GDPR perspective it is important that law firms are able to demonstrate that they have understood what personal data they hold, where it is stored, who has access to it and for what purpose. Since there is an obligation to be able to demonstrate that risks have been assessed and an appropriate level of security has been implemented, I would recommend that all law firms review their data access control policies, procedures and technologies to ensure that they are protecting their data in accordance with current best practice.
Such controls not only put firms back in control of their valuable data, but also minimise the risk of a data breach under GDPR.
I hope this article has given you a useful insight into the ways that you need to protect your data from insider threats, as well as external cyber security threats, when preparing for GDPR. If, having read this article, you are concerned that your data security policies may not be adequate for GDPR, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help. Our services include providing independent GDPR cyber readiness audits, vulnerability scans and consultancy around implementing technologies and processes to ensure your data security defences are in line with industry best practice.
Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/
Friday, 12 January 2018
GDPR Compliance for Law Firms: Disaster Recovery Considerations
In my last blog, I talked about data backup considerations when preparing your law firm for GDPR. Today I wanted to talk in more depth about disaster recovery.
With the best planning in the world, sometimes the unexpected does happen. We only have to look at the chaos caused in the NHS by the WannaCry ransomware attack to see the operational and commercial impact that computer systems downtime can cause, as well as the reputational damage.
It is therefore important, as part of your GDPR obligation to safeguard the data that your firm holds, that you have in place suitable disaster recovery plans to fall back on should the worst happen.
Part of this will be about having a technical disaster recovery plan in place that ensures you can recover your data and systems successfully and in a timely manner. Equally importantly, there also need to be plans in place to cover how you would operate in the interim and how you would communicate details of an IT failure to customers, staff, suppliers and the relevant regulator(s) to minimise the financial and reputational damage to your firm. Bear in mind that, in such a situation, many of the systems you normally rely on for your communications such as emails or contact databases may be unavailable, so the plan needs to provide for alternative ways to access these details and contact these people.
And to bring the subject of disaster recovery planning into perspective, whilst many law firms I talk to tend to associate IT downtime with large events such as fires or floods, the reality is that the majority of IT downtime has much more mundane causes, which can include hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. And in many cases the downtime is considerable. For example, according to Intermedia, 72% of companies infected with ransomware suffer two days or more without access to their files, while 32% are locked out of their files for at least 5 days.
Whether an outage is caused by ransomware, hardware failure, software failure or a wider-scale disaster, it is critical that the disaster recovery plan works effectively and in a timely manner. I find many businesses put together a disaster recovery plan some years ago and have left it in the fireproof safe ever since, without testing or updating it. My experience is that this document needs to be constantly evolving, as the use of technology in law firms has moved on rapidly, and what was an acceptable recovery plan even a year or two ago may now be totally inadequate. In addition, systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can impact on the technical success of a recovery.
So in order to ensure ongoing compliance and relevance, I always recommend that law firms continually reassess and test their plans around resilience, backup and disaster recovery, against the operational needs of their business and their regulatory compliance obligations. Some points to consider would include:
1. How long could your firm manage without access to each of its IT systems and data repositories?
This is likely to vary from system to system; for example, you may be able to tolerate no downtime on your email, but it may be acceptable for an archived cases folder to be restored within 72 hours. So your disaster recovery plan needs to consider each system and data repository that you use, assessing how long your firm could cope without access to that system or data repository.
2. How much data, if any, could you afford to lose?
For each IT system and data repository you need to be clear how much data loss, if any, would be acceptable to the firm, in both commercial and regulatory terms, and tailor your backup and disaster recovery plans accordingly. If no data loss is acceptable, then a real-time replication solution should be considered, as part of a multi-layered backup approach (see more details in this blog). If some data loss is acceptable in a disaster scenario, then backups which run daily or hourly may be acceptable.
3. Does your current disaster recovery plan accurately reflect 1 and 2 above?
Your disaster recovery plan needs to be designed such that your objectives around downtime and data loss as defined above can be met.
4. Would your plan work if used “in anger” and are you able to demonstrate this?
In order to ensure success it is vital that the disaster recovery plan is tested on a regular basis. Testing, in my experience, almost always highlights errors or omissions in the plan which would cause an issue in a live disaster recovery invocation. Whether that’s a practical problem (something technical or operational in the plan doesn’t work) or whether it reveals that the time taken to carry out the recovery does not meet business objectives, or that all data cannot be recovered successfully, testing is paramount to provide the peace of mind that the plan will actually work when used “in anger”. Tests of disaster recovery plans also need to be documented, so there is clear evidence that plans exist, testing has been conducted, the plan has been shown to meet business and regulatory requirements and that any necessary remedial actions highlighted by the test have been actioned.
5. What is the process for reviewing and updating your disaster recovery plan?
With our use of technology constantly evolving, and regular changes to legislation, it is important that plans around backup and disaster recovery are regularly reviewed and re-assessed against the commercial and operational needs of the firm, as well as regulatory compliance requirements in relation to the SRA and GDPR.
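Points 1 to 4 above amount to a per-system check: backup frequency against acceptable data loss, measured recovery time against tolerable downtime, and whether the plan has been tested recently enough to count as evidence. The script below is an added example, not code from the original post or from Connexion; it applies those checks to a constructed inventory in which every system name, tolerance, backup interval and test date is made-up sample data, and the 365-day limit on test age is an assumed threshold.

```python
"""Audit a disaster recovery plan against per-system downtime and data-loss objectives.

Added example, not from the original post: it applies points 1 to 4 above to a
constructed inventory of systems. Every system name, tolerance, backup interval
and test date below is made-up sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class SystemPlan:
    name: str
    max_downtime_hours: float               # point 1: how long the firm can cope without it
    max_data_loss_hours: float              # point 2: how much data loss is acceptable
    backup_interval_hours: float            # how often a backup actually runs (0 = real-time replication)
    last_test: Optional[date]               # point 4: when recovery from backup was last tested
    tested_recovery_hours: Optional[float]  # how long that test restore took


def assess(plan: SystemPlan, today: date, max_test_age_days: int = 365) -> List[str]:
    """Return the findings for one system; an empty list means the plan meets its objectives."""
    findings: List[str] = []
    # Point 2 versus 3: the worst-case loss is everything since the last backup,
    # so the backup interval must not exceed the acceptable data loss.
    if plan.backup_interval_hours > plan.max_data_loss_hours:
        findings.append(
            f"backups every {plan.backup_interval_hours}h but only "
            f"{plan.max_data_loss_hours}h of data loss is acceptable")
    # Point 4: an untested plan gives no evidence that recovery works at all.
    if plan.last_test is None or plan.tested_recovery_hours is None:
        findings.append("recovery from backup has never been tested")
        return findings
    if today - plan.last_test > timedelta(days=max_test_age_days):
        findings.append(
            f"last test on {plan.last_test.isoformat()} is more than "
            f"{max_test_age_days} days old")
    # Point 1 versus 3: the measured recovery time must fit within tolerable downtime.
    if plan.tested_recovery_hours > plan.max_downtime_hours:
        findings.append(
            f"tested recovery took {plan.tested_recovery_hours}h, above the "
            f"{plan.max_downtime_hours}h the firm can tolerate")
    return findings


def audit(plans: List[SystemPlan], today: date) -> Dict[str, List[str]]:
    """Findings per system, keyed by system name."""
    return {plan.name: assess(plan, today) for plan in plans}


# Constructed sample inventory (all values illustrative, none from the post).
SAMPLE_PLANS = [
    SystemPlan("email", 1, 0, 0, date(2017, 10, 14), 0.5),           # replicated, tested recently
    SystemPlan("archived-cases", 72, 24, 24, date(2016, 1, 1), 48),  # adequate, but the test is stale
    SystemPlan("practice-management", 8, 1, 24, None, None),         # nightly backups, never tested
    SystemPlan("document-management", 4, 1, 1, date(2018, 1, 1), 6), # tested, but recovery too slow
]
AUDIT_DATE = date(2018, 1, 12)  # constructed "today" for the sample run


def run_sample_audit() -> Dict[str, List[str]]:
    return audit(SAMPLE_PLANS, AUDIT_DATE)


if __name__ == "__main__":
    for system, findings in run_sample_audit().items():
        print(system, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The check stops after "never been tested" because a recovery time that was never measured cannot be compared with anything; in practice that finding alone should put the system at the top of the remediation list.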
I hope this has given you a useful insight into some of the key areas to consider around disaster recovery planning when preparing for GDPR. If, having read this article, you are concerned that your current disaster recovery plan may not be fully compliant, or may no longer meet your firm’s needs, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help, which include providing independent consultancy as well as (where required) implementing technologies and processes to ensure your disaster recovery plans meet your regulatory obligations and your business needs.
Friday, 8 December 2017
GDPR Compliance for Law Firms: Data Backup Considerations
In my recent blogs, I have penned a number of articles around preparing your law firm for GDPR from an IT perspective, including six key steps that firms need to be taking to ready themselves for GDPR, understanding where your data is stored, controlling access to your data and cyber security considerations.
In today’s article I wanted to focus on data backup, as I find that there can be much confusion about effective, compliant backup, and it is quite common for law firms to think their data is safely backed up, only to find that when a problem arises which causes them to revert to their backup, that for any number of reasons, it doesn’t work as they anticipated. Having an effective data backup strategy forms part of any organisation’s obligations to safeguard the data that they hold, much of which is likely to contain information that identifies individuals, and therefore falls under the scope of the GDPR.
There are a whole host of reasons why you need to backup your systems and data, for example to protect against:-
- Ransomware attacks
- Deletions – accidental or malicious
- Data corruption
- Hardware failures
- Software problems
- Fire, flood or natural disaster
It is important to realise that there are many different types of backup, and they each provide protection against one or more of the above scenarios, but they do not all necessarily provide full protection against every scenario, so it may well be appropriate to deploy several different layers of backup.
A few things to think about include:-
- If you are using removable media (hard disks or tapes) to backup your system, where do you store your backups? If they are onsite, then there is a danger that say a fire or natural disaster that incapacitates your live system could also wipe out your backup system. If you store them offsite, what is the procedure for recalling them to site in a disaster and how long would it take to retrieve them?
- How often do you backup your data? If it is only nightly, then in a disaster you could lose up to a whole day’s work. What are your procedures to re-create this data? What about emails that have been lost? Would this be acceptable to the business, to the regulator and to your clients? If the answer is No, then you need to review the frequency that you are taking backups.
- Are your backups permanently connected to your live system (e.g. hard disks or online backup that presents itself as a drive on your machine or server)? If so, in the case of a ransomware attack, there is the danger that your backups could be encrypted as well as your live system and effectively rendered useless.
- How many copies of your backups do you hold? Some organisations rely on a real-time cloud based backup or replication to another server to hold up-to-date backup data. Whilst this is very useful in some scenarios (e.g. a server hardware failure), as it ensures there is no data loss, in other scenarios it may not work well at all – for example a data corruption that affects your live system will be immediately replicated to your cloud backup or standby server, thereby rendering it useless. It is therefore important that you also have a process in place that allows you to restore your data back to a given point-in-time: in this example, to before the corruption occurred.
- Then there’s the question of what to restore your backups onto, which is something not everyone considers. In the case of a deletion, data corruption or ransomware attack you can restore your data back onto your existing hardware. But in the case of a hardware failure, flood, fire or natural disaster, you may no longer have server(s) to restore your backups onto. Purchasing new hardware and restoring backups onto it is no small task and you can expect to be without your data and IT systems for several days if you haven’t pre-planned for this scenario.
- This brings me onto the difference between data and systems backups, which is a fine distinction that is not always appreciated, but can make a huge difference in the event of an entire system needing to be restored. With data backups alone, whilst you have copies of your data, you do not have copies of your entire servers, which contain operating systems, software applications, settings, user IDs, policies and a myriad of other configuration settings as well as your data. Data backups provide excellent protection against things like data deletion, but do not provide a quick and easy way to recover a working IT network in the event of a complete server failure or fire, flood or natural disaster. In this case, if the recovery is to be in any way timely, you really need to be looking at a backup that takes a complete image of your entire server, not just your data.
- Finally, any data recovery will only be successful if your backups have worked in the first place. I am constantly surprised by the number of businesses who fall foul of this and believe they have a working backup until the day they need to recover some data, or their entire system, when they find that those backups haven’t worked in full or, in some cases, at all. Having a business process in place to monitor the success of backups is paramount, as is regular testing to ensure the integrity and restorability of your backups.
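Three of the points in the list above can be shown working in a few dozen lines: keeping several dated point-in-time copies instead of one mirror, recording a checksum manifest so that each backup's integrity can be verified later, and proving restorability by restoring into a scratch location and comparing. The script below is an added example, not code from the original post or from any backup product; it builds a constructed directory tree of made-up files in a temporary folder, takes three "nightly" snapshots, deliberately damages one to simulate a media fault, and reports which copies still verify.

```python
"""Point-in-time backup snapshots with integrity verification and a test restore.

Added example, not code from the original post or any product it mentions. It
runs entirely inside a temporary directory on a constructed tree of made-up
files; the snapshot labels, file names and contents are sample data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_for(root: Path) -> Dict[str, str]:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def take_snapshot(live: Path, backup_root: Path, label: str) -> Path:
    """Copy the live data into a new dated snapshot and record its manifest alongside."""
    snap = backup_root / label
    shutil.copytree(live, snap / "data")
    (snap / "manifest.json").write_text(json.dumps(manifest_for(snap / "data"), indent=1))
    return snap


def verify_snapshot(snap: Path) -> bool:
    """Re-hash the snapshot and compare with the manifest written when it was taken."""
    expected = json.loads((snap / "manifest.json").read_text())
    return manifest_for(snap / "data") == expected


def restore_test(snap: Path, scratch: Path) -> bool:
    """Restore into a scratch location and confirm the restored files match the manifest."""
    target = scratch / snap.name
    shutil.copytree(snap / "data", target)
    expected = json.loads((snap / "manifest.json").read_text())
    return manifest_for(target) == expected


def prune(backup_root: Path, keep: int) -> List[str]:
    """Delete all but the newest `keep` snapshots (labels sort chronologically)."""
    snaps = sorted(p for p in backup_root.iterdir() if p.is_dir())
    removed = snaps[:max(len(snaps) - keep, 0)]
    for snap in removed:
        shutil.rmtree(snap)
    return [snap.name for snap in removed]


def run_demo() -> dict:
    """Three nightly snapshots, one of which later suffers silent corruption."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        live, backups, scratch = work / "live", work / "backups", work / "restore-test"
        (live / "matters" / "smith-v-jones").mkdir(parents=True)
        backups.mkdir()
        scratch.mkdir()
        (live / "matters" / "smith-v-jones" / "notes.txt").write_text("attendance note 1\n")
        (live / "clients.csv").write_text("id,name\n1,Sample Client\n")

        first = take_snapshot(live, backups, "2017-12-01T0200")
        # The live data changes the next day and is backed up again.
        (live / "matters" / "smith-v-jones" / "notes.txt").write_text(
            "attendance note 1\nattendance note 2\n")
        second = take_snapshot(live, backups, "2017-12-02T0200")
        third = take_snapshot(live, backups, "2017-12-03T0200")

        # Constructed fault: a media error silently alters one file in the second snapshot.
        (second / "data" / "clients.csv").write_bytes(b"id,name\n1,Sample Cl\x00ent\n")

        verified = {s.name: verify_snapshot(s) for s in (first, second, third)}
        latest_good = [s for s in (first, second, third) if verified[s.name]][-1]
        return {
            "verified": verified,
            "latest_good": latest_good.name,
            "restore_ok": restore_test(latest_good, scratch),
            "pruned": prune(backups, keep=2),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

The manifest is what turns "the backup job reported success" into evidence: a job can complete and still leave unreadable data behind, and only re-hashing the copy (and restoring it somewhere harmless) shows that it would work "in anger". Note that this scheme does nothing about the preceding point on permanently connected media; a snapshot directory that is writable from the live system is just as exposed to ransomware as the live data.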
Friday, 24 November 2017
Remote Working and GDPR Compliance for Law Firms
In my recent blog, Preparing your Law Firm for GDPR, I outlined 6 key steps that law firms need to be taking to ready themselves for GDPR. Today I wanted to talk about another hot topic in the legal sector: remote working, and specifically how this sits in relation to GDPR compliance.
In recent years, remote working has become increasingly popular and necessary for law firms, who see the many productivity benefits it offers, as well as the flexibility to be able to work from any location at any time. I noticed in a recent survey by PwC that 70% of law firms have now either embraced or are in the throes of implementing remote or mobile working, and this comes as no surprise to me as it is one of the most popular solutions that we are working with solicitors’ practices to implement these days.
However, there is no doubt that remote working opens up a whole new set of challenges to address around data security. Protecting your data when it is all contained within the safe boundaries of your in-house network is one thing; protecting your data when there are copies on laptops, smartphones and tablets which may be anywhere in the world is quite another.
Preventing data loss or data leakage from mobile devices is a key area that needs careful management under GDPR. With company emails now frequently being synchronised to personal mobile phones, and copies of data sometimes being copied to USB sticks or held on laptops or home computers to enable remote working, it is all too easy for confidential data to accidentally get lost if a device is mislaid or stolen.
Equally, staff can sometimes be unaware of the implications of having certain pieces of software on their laptop/home PC/smartphone and may be unwittingly backing up or synchronising confidential company data to an unsuitable or insecure location, or even outside the European Economic Area. Those of you who read my blog “Just Where is your Law Firm’s Confidential Data?” may recall that I cited the example of a case earlier this year when an unnamed barrister was fined by the ICO (the Data Protection supervisory body in the UK), after 725 unencrypted documents containing information belonging to up to 250 people, including vulnerable adults and children, were uploaded to the internet when the barrister’s husband updated software on the couple’s home computer. These documents were visible to an internet search engine and the breach only came to light after a local government solicitor informed her chambers that documents containing confidential and sensitive information could be accessed online. This example helps to demonstrate just how easily and unwittingly a data breach can occur.
Since the GDPR obliges firms to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’ (article 32), it is very important that policies and controls around remote working are put in place that will minimise the risks of a data breach.
So, can and should law firms be using remote working technology, or, given the plethora of highly confidential information that they are privy to – so much of which identifies an individual and therefore falls under the scope of the GDPR – should they be banning the use of such technology altogether?
It’s an interesting question, and I hear a complete mix of views when I talk to law firms – varying from those who are embracing the technology wholeheartedly, but perhaps are sometimes not fully understanding the associated risks – through to those who are regressing from use of email back to the fax machine, as there is just so much fear and uncertainty around data security.
The reality is, that with the right controls, technologies and processes in place, secure remote working is achievable, and there are ways that law firms can demonstrate that they are implementing appropriate technical and organisational measures to ensure a level of security that is appropriate to the risk, as the GDPR demands.
This is about a lot more than passwords and anti-virus software though. As soon as you allow your staff to be making copies of data onto their own PCs, laptops or tablets, then you need to consider how you secure those devices as you would any other device on your internal network. And this is where life becomes very complicated, because on the in-house network you have certain policies around security, anti-virus software, website access, what applications run on each PC, what users are allowed to download and how PCs get updated with security fixes from vendors like Microsoft and a whole raft of other controls. As soon as you start moving data onto computers that do not have these controls, then you are potentially making your data and your firm very vulnerable.
It’s for this reason that when we are working with law firms to implement remote access to their systems, we always use technology which allows their data to stay residing centrally on their in-house servers, or at their data centre, and a copy does not get made onto the end user’s computer, laptop or device. Effectively the end user device is just a window into the central system, and as such has no confidential data stored on it. This means that only the central data repository needs to be kept secured – a much easier task than trying to secure data that is widely distributed.
There are further safeguards which we also put in place for staff who are working remotely – for example “two-factor authentication”, whereby when you log on from outside the office you get a one-time code sent to your mobile phone which you need to enter in addition to your password.
Smartphones are another challenging area to secure, as these days so many of us have our company email and calendar replicated onto our mobile phone for convenience. There is an obvious danger here if a device gets lost, stolen or compromised. However, there are now technologies available that will allow company data to be remotely wiped from a phone in such a situation, as well as technology to separate company data that is held on a smartphone from the owner’s personal photos, emails etc and to implement extra layers of security to protect the company data.
So in summary, law firms can and should be making the most of the commercial advantages and flexibility that remote working can offer them, but it is imperative that in conjunction with this firms are implementing a cohesive set of controls, technologies, business processes and policies that will ensure that they are safeguarding their data, and their firm’s reputation, and demonstrating GDPR compliance.
Connexion have been working with law firms for over 2 decades to help them implement technology to create real value to their firm, whilst carefully managing the associated risks through a highly structured and managed approach to delivering IT. If your firm would like to explore secure remote working solutions, or you are concerned that your current remote working solution may not be fully GDPR compliant, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.
Friday, 20 October 2017
SRA Compliance and Client Confidentiality: Why Law Firms need to Think like Cyber Criminals!
Solicitors are obliged under the Code of Conduct to maintain effective systems and controls to mitigate risks to client confidentiality, client money, and to overall compliance with SRA regulatory arrangements.
Whilst the SRA has stated that being hacked, or falling victim to malware, is not in itself a crime or necessarily a failure to meet their regulatory requirements, they do expect firms to take proportionate steps to protect themselves and their clients' money and information from cybercrime attacks while retaining the advantages of advanced IT. If a law firm does lose client money or information to cybercrime the SRA will consider whether there has been a breach of the Code of Conduct. When deciding whether to take action against a firm, the SRA have stated that they will take into account whether the firm had adopted reasonable systems and controls to protect against the risk.
With the SRA already receiving around 40 reports of confidentiality breaches each month, it is important that all solicitors and firms take care to understand the threats and how to avoid them. I therefore today wanted to talk about the types of cyber threats that exist and some of the more sophisticated modern ways that law firms can manage their risk around data breaches and cyber-crime.
In order to mitigate the risks, it is important firstly to understand the different types of cyber-attack that exist. These broadly fall into two categories: commodity attacks and bespoke attacks.
Commodity Attacks
Commodity attacks are where cyber criminals use widely available tools that exploit known vulnerabilities in software or operating systems in order to hack into your system or compromise it. These types of attacks are easy to deploy and don’t need much technical knowledge. Indeed, some of the most destructive types of cyber-attacks, such as ransomware, are now widely available for would-be cyber criminals to purchase as an off-the-shelf package and deploy as they wish. This type of ransomware-as-a-service means that cyber criminals need minimal technical knowledge and have the opportunity to make plenty of quick and easy money.
So it is little wonder that this type of threat is becoming more and more prevalent. In fact a recent survey by Kaspersky showed that the number of ransomware attacks on businesses tripled last year, with a company now being hit with ransomware every 40 seconds. The same survey showed that 71% of companies targeted by ransomware attacks have been infected.
We now also have the situation where the more sophisticated hackers are making a point of reverse engineering security fixes that vendors like Microsoft bring out to patch newly discovered security loopholes. This means that unless you have applied the security fixes to every device on your network very promptly, there is a real danger that you will be compromised.
As the motivation behind these sorts of attack is generally about making money, whether through demanding ransoms to give you back your data or through stealing confidential information to sell on, the cyber-criminal is generally not picky about who is targeted, and as such commodity attacks tend to be widespread.
Bespoke Attacks
While the vast majority of cyber security attacks are commodity attacks, a small number are bespoke attacks. These are very different, as they are attacks where cyber criminals target one or more individual companies for a specific reason e.g. to steal IP, or cause reputational damage.
Again, cyber criminals will start by using commodity attack tools to find out if there is an easy way to compromise your system. In many cases this will provide a route in. If not, the cyber criminals will take time to research your organisation, your security, individual employees, social media activities and much more, through a wide range of digital and sometimes physical reconnaissance measures, and then develop bespoke hacking tools to attempt to breach your defences. These types of attacks are carried out by much more sophisticated and determined cyber criminals.
So how can Law Firms manage their risk around Cyber Threats?
Well putting yourself into the mindset of the cyber-criminal is a really good starting place. He or she is going to be looking for known vulnerabilities in your system where they can get in. These vulnerabilities are a constantly moving target, because software updates are coming out from software application vendors, operating system vendors like Microsoft and security software vendors the whole time. So the scary reality of the situation is that while your data may be fully protected at 9am this morning, by 10am you may be vulnerable.
So the key here is to be constantly, in real time, scanning your system for vulnerabilities, using the same tools that the cyber-criminal is using. This way you see your network through the eyes of the hacker and can pre-empt his next move. Of course, the quantity and skillset of human resources required to do this manually would be cost prohibitive for most small and medium sized firms. However, we are now working with law firms to implement automated real-time unified security management systems which carry out just this function. So rather than a vulnerability scan being carried out on the network say once a year (which provides a useful benchmark, but only tells you that your data was secure at that one moment in time), these systems carry out a continuous vulnerability scan on your system, all day, every day. Such continuous vulnerability scanning allows risks to be highlighted immediately and reported back in real time to our Security Operations Centre. Working with our clients, we then ensure these latest security loopholes are closed down immediately, so that your firm is kept one step ahead of the cyber criminals.
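To make the point about scan timing concrete, here is a small added example of my own; it is not code from the original post or from any scanning product. It takes a year of constructed exposures on three placeholder hosts and asks, for an annual scan and for an hourly scan, how long each weakness went unreported before it was patched (or before the year ended). The host names, "VULN-" ids and dates are constructed placeholders, not real findings.

```python
"""Detection delay under point-in-time versus continuous vulnerability scanning.

Added illustrative example; not code from the original post or from Connexion.
Host names, vulnerability ids and dates are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Exposure:
    host: str
    vuln_id: str                  # constructed placeholder, not a real CVE id
    known_from: datetime          # when the weakness became known (e.g. vendor fix released)
    fixed_at: Optional[datetime]  # when this host was patched; None = still open


def scan_schedule(start: datetime, end: datetime, interval: timedelta) -> Iterator[datetime]:
    """Times at which a scanner runs, from start to end inclusive, every `interval`."""
    t = start
    while t <= end:
        yield t
        t += interval


def first_detection(exp: Exposure, scans: Iterable[datetime], end: datetime) -> Optional[datetime]:
    """First scan that runs while the weakness is known and the host is still unpatched.

    Returns None when no scan falls inside that window: the firm was exposed
    for the whole period without the scanner ever reporting it.
    """
    closes = exp.fixed_at or end
    for t in scans:
        if exp.known_from <= t < closes:
            return t
    return None


def detection_delays(exposures: Iterable[Exposure], start: datetime, end: datetime,
                     interval: timedelta) -> Dict[Tuple[str, str], Optional[int]]:
    """Minutes from 'known' to first report per (host, vuln_id); None = never reported."""
    out: Dict[Tuple[str, str], Optional[int]] = {}
    for exp in exposures:
        hit = first_detection(exp, scan_schedule(start, end, interval), end)
        out[(exp.host, exp.vuln_id)] = (
            None if hit is None else int((hit - exp.known_from).total_seconds() // 60)
        )
    return out


# Constructed sample: three exposures across a year, one of them never patched.
PERIOD_START = datetime(2017, 1, 1)
PERIOD_END = datetime(2018, 1, 31)
SAMPLE_EXPOSURES: List[Exposure] = [
    Exposure("FS01", "VULN-0001", datetime(2017, 3, 14, 9, 20), datetime(2017, 3, 16, 17, 0)),
    Exposure("DC01", "VULN-0002", datetime(2017, 6, 1, 0, 0), None),
    Exposure("LT07", "VULN-0003", datetime(2017, 11, 20, 14, 45), datetime(2017, 12, 28, 12, 0)),
]


def compare_schedules() -> Dict[str, Dict[Tuple[str, str], Optional[int]]]:
    """Run the sample through an annual scan and an hourly scan and return both reports."""
    return {
        "annual": detection_delays(SAMPLE_EXPOSURES, PERIOD_START, PERIOD_END, timedelta(days=365)),
        "hourly": detection_delays(SAMPLE_EXPOSURES, PERIOD_START, PERIOD_END, timedelta(hours=1)),
    }


if __name__ == "__main__":
    for name, report in compare_schedules().items():
        print(f"--- {name} scan ---")
        for (host, vuln), delay in report.items():
            status = "never reported" if delay is None else f"reported after {delay} min"
            print(f"{host} {vuln}: {status}")
```

Run as a script, the annual schedule never reports the two exposures that were patched between scans and only catches the unpatched one after 214 days, while the hourly schedule reports all three within an hour. The gap between those two reports is the exposure window the post is describing; the firm's real risk in the annual case is that it never learns those windows existed.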
I hope this article has given you some useful insight into the approach of cyber criminals and the ways you can minimise your risk of becoming a target of a cyber-attack or data breach. If you would like to find out more about this topic, or you would like information on our continuous vulnerability scanning solution or indeed if you would like to arrange a one-off vulnerability scan of your network to see how your cyber defences currently measure up, then please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when it will be my pleasure to speak with you.
If you would like to read other articles in our series of informational resources for senior partners at Law firms, please visit our blog at http://legalsectorit.blogspot.co.uk/
_________________________________________________________________________________
Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/
Friday, 6 October 2017
Risk Management in Law Firms: Protecting your Firm from Cyber Crime
With a recent news release from the SRA revealing that cyber crime is rapidly escalating, with almost double the number of cyber thefts being reported in the first quarter of 2017 compared with the same time last year, and triple the amount of money being stolen, I today wanted to talk about pragmatic approaches to minimising your firm’s risks of being targeted by cyber criminals.
Cyber crime is now prolific, with law firms unfortunately being a natural target due to the large amounts of confidential information and high value financial transactions that they are dealing with. Indeed, according to the SRA, in the last year (April 2016 to March 2017) they have seen cases involving around £11m of losses.
Property transactions are a particularly high risk to client money, but cyber criminals also target inheritance money and law firms’ own money too.
In addition to SRA compliance breaches and subsequent action, any such event can also cause massive reputational damage to a law firm.
So how can law firms protect themselves from these cyber threats?
Firstly, I would say that it is vital that a joined-up approach is taken to cyber security management, as in the ever evolving threat landscape, it is nowhere near enough to just be relying on one or two technical measures like some anti-virus software and a firewall. Rather the firm’s cyber security strategy must involve senior partners, as well as technical personnel, and be formulated as an integrated suite of risk management measures encompassing business processes, technologies, staff training and procedures.
I would also recommend that, as a starting point, law firms look at the Cyber Essentials scheme, a government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks. Whilst by no means protecting against every possible threat, the Cyber Essentials scheme does provide a framework for good practice around cyber security, covering five technical controls:
- Boundary firewalls
- Secure configuration
- User Access control
- Malware protection (including ransomware)
- Patch management
Additionally, the government already requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme, and it is clear to me that these types of accreditations and requirements are only set to continue and grow, as they inevitably percolate all the way up through the supply chain. Indeed the SRA Cyber Security roundtable this spring also recommended that firms should consider the benefits of this scheme in protecting themselves from cyber-attacks.
Over coming blogs, I will be exploring in more depth some of the key ways law firms can manage the risks posed by cybercrime. In the meantime, if you are concerned about your firm’s cyber security compliance position, or you would like to find out more about the Cyber Essentials scheme, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.
Friday, 22 September 2017
GDPR Compliance for Law Firms: Cyber Security Considerations
In my recent blogs I talked about the importance of understanding your data and controlling access to your data in readiness for GDPR. In today's article I wanted to talk about securing your information systems from cyber security threats.
Protecting your firm against data breaches forms an important part of GDPR compliance, since you need to be able to demonstrate that you are taking proper care of the personal data that your firm holds.
Law firms, unfortunately, are a natural target for cyber criminals, as they are dealing with so much confidential material, ranging from personal data, to trade secrets, to large financial transactions, through to the personal affairs of high profile clients.
There are a wide range of factors to consider here, which will include:
1. How is your network secured from threats like malware, ransomware and hackers? In days gone by a firewall and some antivirus software would largely do the job, but with the constantly evolving threat landscape this is no longer the case and a much more sophisticated suite of procedures, processes and technologies is needed to provide full protection.
2. What are your procedures for applying security updates to your systems? New security threats are emerging daily and software vendors are releasing a constant stream of fixes and patches to try and mitigate the risks from these threats. Therefore it is critical that you apply these security fixes to both your servers and your PCs/laptops in a timely fashion. Indeed, the timeliness of updates has now become even more critical since some cyber criminals are now reverse engineering the fixes from vendors such as Microsoft, in order that they can see what vulnerabilities have been fixed, and using that information to directly target those vulnerabilities in organisations who have not applied the appropriate update to their systems.
3. What safeguards, procedures and policies do you have around mobile working? How is confidential client data kept separate from personal data on phones or home computers? Can you remotely wipe data off a device that is stolen or lost? What are your policies around data encryption on mobile devices? What are your policies around use of open public Wi-Fi? (if you are unclear of the dangers associated with this, please see this case study on the law society’s website). What are your policies around file sharing services such as Dropbox? How do you guarantee confidential data is not accidentally made web facing? If you are using cloud based systems to facilitate remote working, do you understand where the provider is actually storing your confidential data, and is this within the European Economic Area?
4. What are your procedures around physical security of your servers and IT equipment? Having good cyber security in place is critical, but if someone can access your server room or acquire a laptop or smartphone containing confidential data, then the very best cyber security systems can be rendered useless.
5. How do you manage secure disposal of old PC and server equipment? Equipment that is end-of-life and being replaced will often contain confidential data or emails, and therefore it is important that it is properly wiped, to guarantee that data cannot be restored.
6. How are your staff educated to ensure they are aware of the latest cyber security threats? It is all too easy to click on seemingly legitimate attachments or web links which may actually contain malicious code, and with new threats constantly emerging, the vigilance of your staff in being able to spot such scams will form part of your defence strategy.
7. What contingency plans do you have to fall back on should the worst happen? These should include incident response plans, tested backups and full disaster recovery plans.
8. How do you ensure that your defences are constantly being monitored and that your procedures around cyber security are constantly reviewed and updated? Given the constantly changing threat landscape, it is critical that procedures and controls around cyber security are regularly reviewed and updated. Software that provides one-off or ongoing vulnerability scanning of your network can be particularly useful in this regard – a topic in its own right which I will cover in more detail in a future blog.
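As an added illustration of item 2 above (applying security updates in a timely fashion), here is a small audit of my own; it is not code from the original post or from Connexion. It takes an inventory of hosts and vendor updates, as a patch-management tool might export it, and classifies each update as applied, late, pending or overdue against a patching window. The hosts, update ids and dates are constructed, and the 14-day window is an assumed policy value rather than one the post states.

```python
"""Patch-timeliness audit: which hosts are outside the patching window?

Added illustrative example; not code from the original post or from Connexion.
Host names, update ids and dates are constructed placeholders, and the 14-day
window is an assumed policy value rather than one the post states.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

PATCH_WINDOW_DAYS = 14  # assumed policy: security updates applied within 14 days of release


@dataclass(frozen=True)
class UpdateStatus:
    host: str
    update_id: str             # constructed placeholder for a vendor update reference
    released: date             # date the vendor published the fix
    installed: Optional[date]  # date it was applied on this host; None = still missing


def days_outstanding(u: UpdateStatus, today: date) -> int:
    """Days the host spent (or has spent so far) without the update."""
    end = u.installed if u.installed is not None else today
    return (end - u.released).days


def classify(u: UpdateStatus, today: date, window: int = PATCH_WINDOW_DAYS) -> str:
    """applied / late (applied after the window) / pending (missing, within window) / overdue."""
    outstanding = days_outstanding(u, today)
    if u.installed is not None:
        return "applied" if outstanding <= window else "late"
    return "pending" if outstanding <= window else "overdue"


def audit(inventory: Iterable[UpdateStatus], today: date,
          window: int = PATCH_WINDOW_DAYS) -> Dict:
    """Counts per status plus the list of overdue update ids for each host."""
    counts = {"applied": 0, "late": 0, "pending": 0, "overdue": 0}
    overdue_by_host: Dict[str, List[str]] = {}
    for u in inventory:
        status = classify(u, today, window)
        counts[status] += 1
        if status == "overdue":
            overdue_by_host.setdefault(u.host, []).append(u.update_id)
    return {"counts": counts, "overdue_by_host": overdue_by_host}


# Constructed inventory: two servers and a laptop against three vendor updates.
AUDIT_DATE = date(2017, 9, 22)
SAMPLE_INVENTORY: List[UpdateStatus] = [
    UpdateStatus("DC01", "UPD-1001", date(2017, 9, 1), date(2017, 9, 5)),
    UpdateStatus("DC01", "UPD-1002", date(2017, 9, 12), None),
    UpdateStatus("FS01", "UPD-1001", date(2017, 9, 1), None),
    UpdateStatus("LT07", "UPD-1001", date(2017, 9, 1), date(2017, 9, 20)),
    UpdateStatus("LT07", "UPD-0998", date(2017, 7, 11), None),
]


def sample_audit() -> Dict:
    """Audit the constructed inventory as of the constructed audit date."""
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    result = sample_audit()
    print("status counts:", result["counts"])
    for host, updates in sorted(result["overdue_by_host"].items()):
        print(f"{host}: overdue {', '.join(updates)}")
```

The distinction between "late" and "overdue" matters for the reverse-engineered-patch scenario described in item 2: a host that eventually got the update still spent the late days exposed to anyone who had studied the fix, so the "late" count is a measure of past exposure, while "overdue" is the list to act on today.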
Over coming blogs, I will be exploring in more depth some of the key ways law firms can manage the risks posed by cybercrime. In the meantime, if you are concerned about your firm’s cyber security compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.