Our successful webinar on managing information security risks identified a number of practical action points for professional client firms.
The webinar is now available to download, along with a range of resources to help you manage Information Security in your business.
Information Security risks - the reality
Recent research reported by Titus suggests that at least 25% of businesses have had a security breach in the last year - and that's only those who admit to it, or are even aware of it. Many more may not realise that they have had a breach.
Awareness is key to protecting your business and your clients. As a solicitor, your stock in trade is your clients' confidential information - and it is increasingly seen as a valuable resource for criminals.
But while most of us think of hacking attacks and viruses when we consider Information Security, today's webinar made the point that your staff are your biggest risk - and their inadvertent data breaches are the most significant threat that you need to counter.
Effectively Managing People Risks
According to the same Titus survey, 84% of employees surveyed consider that colleagues violate controls on storage and use of electronic data. Many of the causes of information breach come down to carelessness or simply failing to realise the potential security risk they are creating.
Whether it is leaving a laptop on a train, losing an unencrypted memory stick, or having an ill-advised conversation in a public place (this can also include conversations on social media sites), raising staff awareness of the risks will go a long way to discouraging bad practice - particularly if it is seen to be one rule for all, and not a case of a rule for management, and another rule for other staff.
With that in mind, we have produced a range of posters, available to download free of charge, for use in your office. Simply click on the links at the end of this article.
Information Security Action Points
1. Ensure there is an information security 'champion' at the top level of your organisation
2. Encourage reporting of data breaches, and near misses
3. Keep a regiser of breaches and near misses, and monitor it regularly. Take action to address the major risks flagged up
4. Implement regular staff training from a reputable provider (such as ComputerLaw Training)
5. Create clear acceptable use, security, mobile device and social media policies (guidance can be found here)
6. Use encryption for sensitive data wherever possible (at its simplest, sending attachments as password protected ZIP files can provide a good degree of protection. For more complex encryption of email, speak to your IT provider)
7. Enforce good password management (for information on what good should look like, read the following article) and do NOT write passwords down (if this is problematic, consider using password management software)
8. Be pragmatic. Ensure that your security procedures enable your business, not obstruct it. Obstructive systems will just be worked round, making them worse than useless.
9. Restrict the ability of staff to download and install software from the internet
10. Back-up all important files on and off-site - and check that back-up can be read, at regular intervals.
An eleventh action point emerged during the webinar also. Microsoft stopped supporting Windows XP earlier this month, leaving users of that operating system increasingly exposed to cyber threats.
11. If you are currently running on Windows XP move to an up-to-date supported operating system, such as Windows 7. If your current computer hardware does not support this, it my be time to replace it. Speak to your IT team if there are specific programmes that you use which require XP to function. there are a range of work-arounds for this.
