All data is at risk, and none more so than sensitive, business-critical data. Cybersecurity threats are increasing, and the main danger? Your own staff. CIOs plan and protect against known threats, but the biggest concern? The unknown. So, how do you plan for unknown threats?
What are the main cybersecurity concerns for law firms?
With more and more data being stored and processed by law firms - much of it containing sensitive client information - it's crucial that IT and practice managers address the growing number of cybersecurity threats. One of the most important steps in successfully plugging the security holes is to first assess the sources of the main dangers posed to confidential data and IT system integrity. These broadly fall into three categories:
Inadvertent data loss or breach by members of staff is one of the most significant cybersecurity threats currently faced by law firms. This can range from a USB stick left on a train through to e-mailing client documents to a personal, less secure e-mail account (e.g. to carry on working on a case from home). The rise in agile working increases this danger when employees copy data onto personal devices and accounts rather than working within a centrally hosted, cloud-based system.
External hacking is an obvious problem, with attempts becoming more sophisticated and organised as cyber criminals realise the sensitivity of the data held by many firms. Internal hacking by disgruntled employees also needs to be tackled, particularly in light of the Panama Papers leak.
Although many hacking attempts can be prevented by antivirus software combined with effective security policies, tackling malicious hacking is a war of attrition. Updated defences (patched software, current antivirus signatures, revised controls) need to be put in place constantly as new malware and attack methods emerge.
The most concerning of all cybersecurity threats is the unknown: the issues or scenarios which simply have not been considered, or have not been taken into account when developing a cybersecurity strategy, are what concern legal IT executives. As Information Age puts it, what you don't know can certainly harm you, and developing strategies for protecting against it is a priority for the IT team. This could be something like a fire in the server room or AI software which goes rogue; basically anything which has not been identified as a potential threat.
What are the financial (and reputational) penalties?
The Data Protection Act 1998 is currently the main piece of legislation with which law firms need to comply. Any data breach can lead to an investigation by the Information Commissioner's Office (ICO) along with a fine of up to £500,000 for the most serious offences. However, this pales into insignificance when compared to the forthcoming General Data Protection Regulation (GDPR), which applies from 25 May 2018 and allows fines of up to €20 million or 4% of annual global turnover, whichever is higher. Furthermore, the SRA rules place a responsibility on law firms to ensure that all client data is kept confidential, and the SRA can take additional enforcement action against firms which fail to do so.
However, despite the significant increases in potential fines by virtue of GDPR, it’s the reputational damage to firms which is likely to have the most impact on their business.
How can law firms minimise cybersecurity risks?
Moving away from legacy on-premise IT systems to a hosted cloud solution can lead to much improved cybersecurity for several reasons:
- Dedicated cloud computing providers are able to focus on keeping security patched, optimised and up to date, thereby reducing the risk posed by external hacking;
- Employees who are given access to a cloud computing resource no longer need to e-mail unencrypted documents to their personal accounts or move data on USB sticks; and
- Potential internal misuse can be better monitored with audit logging and individual (non-shared) logins, so that every action is attributable to a named user.
But changing the internal culture by designing and implementing cybersecurity policies, and educating staff to be more aware of the known threats (e.g. not clicking on links in phishing e-mails), is just as important as technological measures in countering the risk of a data breach.
How should firms react to a hacking attempt or data protection breach?
An IT partner or dedicated cybersecurity resource can help firms deal with the immediate impact of any breach and prevent future ones, but the essential steps are:
- Identify the source of the hack or data breach (preserving logs and affected systems as evidence rather than wiping them);
- Contain the incident and close the security hole that was exploited;
- Assess the scope of the breach (e.g. the type and volume of data affected, and which clients it relates to);
- Consider how to prevent similar breaches in the future; and
- Inform the relevant authorities (e.g. ICO, SRA) and, depending on the nature of the breach, the affected clients. Under GDPR, a personal data breach must be reported to the ICO within 72 hours of the firm becoming aware of it, unless it is unlikely to result in a risk to individuals.
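Two of the points above, monitoring per-user activity through individual logins and audit software, and assessing the scope of a breach once a login is suspected, can be illustrated with a small script. This is an added example and not CenturyLink's code or any particular product's audit format: the log layout, user names, matter numbers, document names and thresholds are all constructed assumptions. It reads a per-user document audit log, flags logins whose daily activity is anomalous (bulk downloads, access across many unrelated matters, out-of-hours activity), and for a flagged login reports which matters and documents it touched.

```python
"""Flag bulk or out-of-hours document access in a per-user audit log.

Added example, not CenturyLink's own tooling. The log format, user names,
matter numbers and thresholds are constructed assumptions; a real
document-management or cloud audit export will differ in layout.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: ISO timestamp, user login, action, client
# matter number, document name. Every action is tied to an individual login,
# which is what makes the per-user analysis below possible.
AUDIT_LOG = """\
2018-03-12T09:14:02 asmith VIEW     M1001 engagement_letter.pdf
2018-03-12T09:20:41 asmith EDIT     M1001 witness_statement.docx
2018-03-12T10:02:17 bjones VIEW     M2044 lease_agreement.pdf
2018-03-12T10:05:55 bjones DOWNLOAD M2044 lease_agreement.pdf
2018-03-12T14:40:13 asmith VIEW     M1001 disclosure_bundle.pdf
2018-03-12T22:31:05 cwhite DOWNLOAD M1001 engagement_letter.pdf
2018-03-12T22:31:09 cwhite DOWNLOAD M1001 witness_statement.docx
2018-03-12T22:31:14 cwhite DOWNLOAD M2044 lease_agreement.pdf
2018-03-12T22:31:20 cwhite DOWNLOAD M3187 share_purchase_agreement.docx
2018-03-12T22:31:27 cwhite DOWNLOAD M3187 due_diligence_report.pdf
2018-03-12T22:31:33 cwhite DOWNLOAD M4420 will_and_testament.pdf
"""

# Thresholds are assumptions; tune them to the firm's normal working pattern.
MAX_DOWNLOADS_PER_DAY = 5   # more than this in one day is unusual
MAX_MATTERS_PER_DAY = 3     # fee earners rarely touch this many matters a day
BUSINESS_HOURS = (8, 19)    # 08:00-19:00; anything else counts as out of hours


def parse_log(text):
    """Turn raw lines into (timestamp, user, action, matter, document) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, matter, doc = line.split(maxsplit=4)
        records.append((datetime.fromisoformat(ts), user, action, matter, doc))
    return records


def per_user_activity(records):
    """Group activity by (user, day) so the thresholds are applied per day."""
    activity = defaultdict(lambda: {"downloads": 0, "matters": set(),
                                    "out_of_hours": 0})
    for ts, user, action, matter, _doc in records:
        entry = activity[(user, ts.date())]
        entry["matters"].add(matter)
        if action == "DOWNLOAD":
            entry["downloads"] += 1
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            entry["out_of_hours"] += 1
    return activity


def find_suspicious(records):
    """Return {user: [reasons]} for logins whose daily activity breaches a threshold."""
    findings = {}
    for (user, day), entry in per_user_activity(records).items():
        reasons = []
        if entry["downloads"] > MAX_DOWNLOADS_PER_DAY:
            reasons.append(f"{entry['downloads']} downloads on {day}")
        if len(entry["matters"]) > MAX_MATTERS_PER_DAY:
            reasons.append(f"{len(entry['matters'])} distinct matters on {day}")
        # Out-of-hours work on a single matter is normal; across several is not.
        if entry["out_of_hours"] and len(entry["matters"]) > 1:
            reasons.append(f"{entry['out_of_hours']} out-of-hours actions on {day}")
        if reasons:
            findings.setdefault(user, []).extend(reasons)
    return findings


def breach_scope(records, user):
    """Scope summary for one login: which matters and how many documents it
    downloaded or edited. This is the 'type and volume of data' view needed
    once an account is known, or suspected, to have been misused."""
    touched = defaultdict(set)
    for _ts, u, action, matter, doc in records:
        if u == user and action in ("DOWNLOAD", "EDIT"):
            touched[matter].add(doc)
    return {"user": user,
            "matters": sorted(touched),
            "documents": sum(len(docs) for docs in touched.values())}


if __name__ == "__main__":
    recs = parse_log(AUDIT_LOG)
    for flagged_user, reasons in find_suspicious(recs).items():
        print(f"ALERT {flagged_user}: " + "; ".join(reasons))
        print("  scope:", breach_scope(recs, flagged_user))
```

On the sample data only `cwhite` is flagged (six downloads across four matters, all late in the evening), and the scope summary shows four matters and six documents, which is the information the ICO, the SRA and the affected clients will ask for. The analysis depends entirely on the individual logins the cloud bullet above describes: with a shared departmental account none of the activity could be tied to a person, and the thresholds are starting points that each firm must tune against its own working pattern to avoid alert fatigue.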
Watch this space for more blogs and podcasts from CenturyLink discussing emerging legal technology trends. To find out how we can help your firm with cybersecurity and other IT requirements, please e-mail me: firstname.lastname@example.org