The internet has, for many lawyers, revolutionised the way we work. It has enabled us to search for and access an array of data that we could only dream of 20+ years ago.
Today, law firms do not just have unparalleled access to information held within the firm, but equally can access a myriad of information and use systems located all around the world. We are, in effect, connected to everywhere.
As Sony, the US Government, and numerous other high profile organisations know, this comes at a potential cost. And while hacking into your computer systems is unlikely to cause a nuclear reactor melt-down, it could nonetheless lead to a melt-down of sorts for the firm. Nor is it just high-profile entities that are vulnerable to attack - it is simply that we get to hear about them, where others go unreported. Law firms provide a rich seam of confidential, high value data, which criminals will definitely seek to target.
Check out the following tips which may help you mitigate the risks:
Segment your data
It's the equivalent of bulkheads in a ship! While many firms successfully use firewalls to protect their internal networks from external attacks, far fewer take the same approach to protecting the information within the firm.
Can staff, other than HR, access HR data stored on your systems? Do your Property Team have full access to all Litigation files? Storing such files on discrete drives can help prevent contagion in the event of a virus entering your firm's systems, and can help reduce the impact of a successful cyber attack.
Restrict access to relevant data only
Storing information on separate drives or servers does not necessarily make it unduly difficult to access as and when required. It all comes down to access rights. It is important to remember that the most significant risk to the security of data in your firm remains those inside your firm (whether intentionally or unintentionally), not outside attack.
Accounts staff should not necessarily be able to access parts of your firm's network that they do not require to do their job. Fee-earners may in some limited circumstances require access to other departments' files, but this should be monitored and/or controlled.
Using differential categories of access rights can also help ensure that only the correct people have access to particular confidential data, while ensuring that practical day-to-day tasks are not prejudiced.
Regularly review/update access provision
Roles change, and people come and go. How many people can still access systems remotely for a period notwithstanding that they are no longer employed by the firm in question?
Build in periodic changes of username and/or password where there is a shared access system, and ensure that you have the removal of all access rights (list each one applicable) built into your HR leavers procedural checklist.
And, a personal bête noire of mine, ensure that there is an effective workaround that enables secretaries and IT departments to access the information they require without resorting to asking you for your username and password. NO-ONE should have access to your password!
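The two checks described above (leavers who still hold access, and shared logins overdue for a password change) can be reconciled mechanically rather than from memory. The script below is an added example written for this post, not Lockton's tooling; the HR leaver list, the per-system account register, the shared-credential list and the 90-day rotation period are all constructed assumptions.

```python
"""Periodic access review for a small firm.

Compares an HR leaver list against the accounts still enabled on each
remote-accessible system, and flags shared logins whose password is
older than the agreed rotation period.  All data below is constructed.
"""
from datetime import date

# Constructed HR leavers list: username -> last day of employment.
LEAVERS = {
    "jsmith": date(2015, 1, 31),
    "apatel": date(2015, 3, 15),
}

# Constructed register of accounts enabled on each system that can be
# reached remotely.  In practice this would be exported from each system.
REMOTE_ACCESS = {
    "vpn":     {"jsmith", "mkhan", "apatel"},
    "webmail": {"mkhan", "apatel"},
    "dms":     {"mkhan"},
}

# Constructed shared logins: account name -> date the password last changed.
SHARED_CREDENTIALS = {
    "reception-pc": date(2014, 6, 1),
    "scanner-ftp":  date(2015, 3, 1),
}

ROTATION_DAYS = 90  # assumed firm policy for shared credentials


def orphaned_access(leavers, remote_access, today):
    """Return {username: [systems]} for leavers whose accounts remain enabled.

    Only people whose leaving date has passed are considered; the systems
    list is sorted so the output is stable for reporting.
    """
    findings = {}
    for user, last_day in leavers.items():
        if last_day > today:
            continue  # still employed on the review date
        still_enabled = sorted(
            system for system, users in remote_access.items() if user in users
        )
        if still_enabled:
            findings[user] = still_enabled
    return findings


def overdue_rotations(shared, today, max_age_days=ROTATION_DAYS):
    """Return shared account names whose password is older than max_age_days."""
    return sorted(
        name for name, changed in shared.items()
        if (today - changed).days > max_age_days
    )


def leavers_checklist(remote_access):
    """One removal step per system, for pasting into the HR leavers checklist."""
    return [f"Remove leaver's account from {system}" for system in sorted(remote_access)]


if __name__ == "__main__":
    review_date = date(2015, 4, 1)
    for user, systems in orphaned_access(LEAVERS, REMOTE_ACCESS, review_date).items():
        print(f"{user} left but still has access to: {', '.join(systems)}")
    for name in overdue_rotations(SHARED_CREDENTIALS, review_date):
        print(f"shared login {name} is overdue for a password change")
    print("\n".join(leavers_checklist(REMOTE_ACCESS)))
```

Run on the constructed data with a review date of 1 April 2015, it reports that jsmith still has VPN access, apatel still has VPN and webmail access, and the reception-pc shared login is overdue for rotation. The point is the shape of the check, not the data: export the account lists from the real systems and the comparison does the remembering for you.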
Review external access rights to your systems
It may be your IT Helpdesk function, or an IT contractor, or a systems provider - support services of one sort or another are increasingly outsourced. Their role often requires them to connect remotely into your network, screen share, or control your computer.
Ensure that you know who has the ability to remote into your network (and which parts of it, and when) in order that you can monitor and review the appropriateness of the access rights and controls applied.
Encourage staff, when allowing a support team to connect remotely, to close down screens containing confidential information insofar as possible.
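Knowing who may remote in, to which parts of the network and when, is only useful if the actual sessions are compared against that register. The script below is an added example for this post, not Lockton's or any vendor's tooling; the approved-supplier register, the network segment names and the session log lines are constructed assumptions standing in for whatever your remote-support product actually records.

```python
"""Review remote support sessions against an access register.

Each approved supplier is allowed certain network segments within an
agreed support window.  Sessions from unknown suppliers, to unapproved
segments, or outside the window are flagged for follow-up.
All data below is constructed.
"""
from datetime import datetime, time

# Constructed register of approved external support connections.
APPROVED = {
    "helpdesk-co": {"segments": {"workstations", "print"},
                    "window": (time(8, 0), time(18, 0))},
    "pms-vendor":  {"segments": {"pms"},
                    "window": (time(9, 0), time(17, 0))},
}

# Constructed session log: "ISO-timestamp supplier segment", one per line.
SESSION_LOG = """\
2015-04-01T10:15:00 helpdesk-co workstations
2015-04-01T21:40:00 helpdesk-co workstations
2015-04-02T11:05:00 pms-vendor hr-share
2015-04-02T12:00:00 unknown-ltd workstations
"""


def parse_sessions(text):
    """Parse the constructed log format into (datetime, supplier, segment) tuples."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, supplier, segment = line.split()
        sessions.append((datetime.fromisoformat(stamp), supplier, segment))
    return sessions


def review_sessions(sessions, approved):
    """Return a list of (timestamp, supplier, reason) for sessions needing review."""
    findings = []
    for when, supplier, segment in sessions:
        rule = approved.get(supplier)
        if rule is None:
            findings.append((when.isoformat(), supplier, "supplier not in access register"))
            continue
        if segment not in rule["segments"]:
            findings.append((when.isoformat(), supplier, f"segment '{segment}' not approved"))
        start, end = rule["window"]
        if not (start <= when.time() <= end):
            findings.append((when.isoformat(), supplier, "outside agreed support window"))
    return findings


if __name__ == "__main__":
    for stamp, supplier, reason in review_sessions(parse_sessions(SESSION_LOG), APPROVED):
        print(f"{stamp}  {supplier:<12} {reason}")
```

On the constructed log this flags the late-evening helpdesk session, the practice-management vendor reaching a share it has no business on, and a supplier that is not in the register at all. The first session is within its approved segment and window and passes without comment.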
How Lockton can help
Firms that have experienced any sort of cyber incident know that what really matters is getting immediate access to the right specialists to minimise the collateral (including reputational) damage and get the business back up to speed as quickly as possible. As our previous posting (Data Breaches: Does your PII policy respond) revealed, not even a solicitor's comprehensive PII policy provides all the cover, particularly for these vital recovery specialists, that impacted firms find they need.
Our Cyber team is one of the most highly regarded, not just in the UK, but world-wide. We have the products to fit your needs, whether yours is a multinational magic circle firm, high-street practice or a niche boutique firm. Contact us today to see how we can assist.