Peter Wright is a Solicitor and Managing Director of Digital Law UK. He is the author of the Cyber Security Toolkit (Law Society Publishing, 2016).
Cyber threats and scams have become a fact of life for both businesses and individuals, and solicitors and their clients are no exception. Firms of all sizes are vulnerable, but there are some things you can do to protect your firm and your clients.
Audit your firm for cyber risk
All firms are different in the way they operate on a daily basis, from the way they sell their products and services through to how they acquire, store and use personal and business data and how they operate online. So make sure that you are aware of the risks that your firm may be taking by assessing risk across all of the different facets of the business. Look at your network, devices, servers, email, back-up, user privileges, remote access, website security and social media account security for a start.
Look at relationships with third parties and suppliers: how do you exchange data, how do you ensure their systems are safe and secure, and how do you ensure that your client data is being properly looked after? Don’t forget that client data is your responsibility. If it is shared with a supplier or partner, such as a case management system or a finance and accounting package, it remains your responsibility. If data is lost or compromised as a result of a cyber attack sustained by a supplier, it is your firm that will face an investigation from regulators like the Information Commissioner’s Office or the SRA. Any serious crime will have to be reported to the police, incurring the consequences of bad publicity, rising PII premiums and a potential negative impact on your firm’s creditworthiness.
Infrastructure - network, hardware & devices
Make sure that your systems, both in terms of hardware and software, are appropriate with the right levels of security and access.
- Can access to certain information be locked down so that it is only available to staff who need it to carry out their day to day responsibilities?
- Are devices suitably encrypted, with remote access granted only to those who really need it?
- If you allow staff to use their own devices for business purposes, are they required to have that device checked by your IT staff or supplier to ensure that business contacts and communications are not being compromised by malware or other nefarious applications that could be running on personal devices?
- Do you have policies and procedures covering the use of mobile devices, email, passwords etc.?
In short, close down any areas of risk regarding your network and systems identified above.
Personnel - your biggest vulnerability or greatest strength
Your staff can be your greatest security threat if they do not know what cyber threats to look out for, and they may even be creating additional risks if they are not aware of best practice and the simple measures that can be taken to minimise the risk to themselves and the firm. Without that awareness, staff could be storing or transmitting personal, confidential or legally privileged data via unencrypted or otherwise insecure means. Staff need to be able to proactively identify cyber security risks in their everyday activities and work with management to reduce those risks.
Staff can only do this if they receive effective training on cyber security risks along with appropriate guidance on the measures that the firm is taking to combat those risks. They need practical help in seeing how this affects their day to day activities and why certain steps or measures are being taken for their own protection and to protect the firm (rather than being seen as ‘interference’).
Training on cyber security risks and the protection measures taken by your firm should form part of the induction process on joining the organisation. Cyber security threats are constantly evolving, and consequently refresher and update training every 6 months or so is essential to keep staff up to date. Training has to be for everyone throughout the organisation, and there should be no exemptions on account of seniority or being “too busy”.
One law firm was subject to a cyber attack in 2016 as a result of a partner using Dropbox to communicate with a client. This led to a link being inadvertently clicked, compromising the whole firm’s network. After a sleepless 48 hours the IT team had restored the network, only for the same partner to open up Dropbox and do the same thing all over again, unaware of his own firm’s policies regarding the use of insecure systems like Google Docs and Dropbox.
Hope for the best but plan for the worst
While no one ever wishes to be subjected to a cyber security attack, it is necessary to plan for such an eventuality to make sure that your firm can respond quickly and efficiently if an attack does take place. “Wargame” a cyber attack by having an external specialist penetration test your systems to find any weak points, and simulate what your firm would do if such an attack happened.
- Who would report matters to the SRA or the ICO?
- Who would decide whether the police need to be notified?
- Would it be necessary to notify staff, and if so do you have a draft email template already available?
- Would clients have to be informed, and do you have a draft letter ready to go?
- Who would report matters to your professional indemnity insurer?
- What information would you have needed to verify before reporting anything to all of these regulators?
- Would you bring in external IT specialists to report for you on the size and nature of any cyber attack in order to recommend what you do to prevent similar attacks in the future?
- Would you be able to effectively back up your system and continue to undertake fee earning work while all of this goes on?
All of these questions can only be answered if you simulate a “dummy” attack on your firm to find out how you would respond.
Constant review - staying up to date
Cyber security threats are always evolving, and you need to be aware of the next big threat to your firm. You should already be undertaking a periodic risk review as mandated by the SRA, and this should include a review of cyber security risks to your firm. File audits should be reviewed, along with records of scam or phishing emails received, attacks on other businesses and firms, and a review of the specialist and legal press for anecdotal evidence of other threats that you need to be aware of. This review should shape the content of future staff training and education, along with informing future IT procurement choices.
Once cyber governance is in place - use it
Getting a cyber security policy and supporting structures in place can take time. However, once it is there, use it. Your cyber security policy should be a living, breathing document, not just a lever arch file gathering dust on top of a filing cabinet. It needs to be regularly reviewed and updated, with overall responsibility lying with your firm’s Information Security Officer (this could also be your COLP, or it could be a specifically designated staff member), ideally supported by a working group made up of a few more staff.
You may find that clients will increasingly require their law firms to undertake security audits and answer questionnaires confirming their cyber security status and awareness, and this exercise will be significantly easier to respond to if you already have the right cyber security governance and systems in place.