We are pleased to welcome Kevin Magee, a new guest blogger, to the Jordans Limited blog this week. Kevin is the Managing Director of the UK office of CSPi, an information technology company with offices in the United States, Germany and the UK.
By Kevin Magee
What do the UK Government, the European Union and the Organisation for Economic Co-operation and Development (OECD) all agree on and which should be of interest to UK law firms? Well, perhaps many things. One opinion that these three august bodies share is that organisations should be doing more about cybersecurity.
In September this year, Ed Vaizey of the Department for Culture, Media & Sport warned UK businesses about the growing risk of cyber-attacks, claiming that “90 percent of major businesses and 74 percent of small businesses had security breaches in the last year” and reminding UK companies that “good cybersecurity underpins the entire digital economy.”
Why should law firms in particular be aware of the growing threat of cyber-attacks? Mostly because the primary impact of a security breach is often serious brand and reputational damage. Law firms, perhaps more than most, trade on reputation. Trust is an integral part of legal firms’ competitive advantage – both trust in terms of integrity and trust in terms of protecting confidentiality. The impact on reputation is clearly illustrated by the fallout from the recent breach at TalkTalk. While it now appears that the hack was not as severe as first thought, with ‘only’ 160k customers affected and even fewer losing useful data, the share price of TalkTalk has fallen by about a third since the incident. No doubt it will be many years before TalkTalk loses the reputation for being cavalier with customers’ data. If a law firm were to lose sensitive information about a customer or even an employee, and that information were to come into the public domain, the loss of competitive information, or even actual monetary loss, may pale in the long term beside the long-lasting impact on reputation.
Another reason law firms should be particularly attentive to calls for increased vigilance when it comes to cyber security is the nature of law firms themselves. A law firm is inherently vulnerable to the kind of cyber breach that has recently become more prevalent, because of the level of access solicitors usually need to sensitive data. Today’s security threat does not always come from the stereotypical hacker in the bedroom trying to breach a firewall for personal gain. Breaches often occur due to insider mistakes, carelessness or occasionally deliberate actions by employees. Why is this particularly important for law firms? A larger proportion of professional legal workers frequently need unfettered access to company systems and information. Such individuals are in almost every case trustworthy. However, even the most trustworthy individual can inadvertently open an email attachment containing a Trojan, or choose a password which is relatively easy to guess.
Trustwave, a U.S. security specialist, estimates that it takes an average of less than a day to break an 8 letter password, but that this extends to 591 days if the password is 10 letters long. Such behaviours can easily leave holes in the organisation’s protection system, and given the level of access of the typical law firm employee, sensitive information can be left vulnerable.
On top of that, however good the edge protection is (the protection against unwarranted access), data can also be accessed following the simple loss of laptops or phones. In law firms, a key professional outside the office may have considerable data with them on a phone or laptop. In 2013 alone, 15,833 mobile phones were lost on the London Underground, as well as 506 tablets and 528 laptops! No doubt some of these devices were carrying sensitive information and, in the wrong hands, could possibly provide one-click access to the heart of an organisation’s internal systems and data.
What to do about it?
The simplest step, despite what I’ve said above, is of course to first make sure that you do have the edge of the organisation protected. Regular penetration testing should be routine. But what about a more thorough check? Many suppliers, including CSPi, offer the services of an Ethical Hacker: a skilled but trusted consultant who uses programmes and techniques widely available on the web to those in the know to test the barriers to a business’ systems. Also consider tightening up your access processes. Adding two-factor authentication using hard or soft token keys is a common choice.
But most importantly, you need to go beyond protecting the barrier. As the statistics above demonstrate, many company security systems were breached last year – and as reports of the sources of breaches show, you cannot trust everyone who is on the internal network. You need to look at how you protect the data even after an unauthorised individual has broken in, or an authorised individual has decided to help themselves to information. Software is now available which can pick up unusual patterns of access. Data encryption should be second nature, and systems should be in place to stop data being sent out of the organisation.
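To make “unusual patterns of access” concrete, here is an added example (written for this post, not taken from any product) of the two simplest checks such software applies to a document-management audit trail: a user opening far more distinct client matters in a day than their own baseline, and access outside working hours. The log format, user names and matter numbers are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit-trail lines in an assumed "timestamp key=value ..." format.
# asmith normally opens about three matters a day; on 11 November they open
# twelve. bjones opens one matter at 02:14.
SAMPLE_LOG = """\
2015-11-09T09:12:03 user=asmith matter=M1042 action=open
2015-11-09T10:40:11 user=asmith matter=M1042 action=open
2015-11-09T11:02:45 user=asmith matter=M2210 action=open
2015-11-09T14:20:00 user=asmith matter=M3301 action=open
2015-11-10T09:05:19 user=asmith matter=M1042 action=open
2015-11-10T15:33:27 user=asmith matter=M2210 action=open
2015-11-10T16:10:08 user=asmith matter=M4107 action=open
2015-11-11T09:01:55 user=asmith matter=M1042 action=open
2015-11-11T09:03:12 user=asmith matter=M5001 action=open
2015-11-11T09:05:40 user=asmith matter=M5002 action=open
2015-11-11T09:07:02 user=asmith matter=M5003 action=open
2015-11-11T09:09:33 user=asmith matter=M5004 action=open
2015-11-11T09:11:17 user=asmith matter=M5005 action=open
2015-11-11T09:13:50 user=asmith matter=M5006 action=open
2015-11-11T09:16:21 user=asmith matter=M5007 action=open
2015-11-11T09:18:44 user=asmith matter=M5008 action=open
2015-11-11T09:21:09 user=asmith matter=M5009 action=open
2015-11-11T09:24:38 user=asmith matter=M5010 action=open
2015-11-11T09:27:15 user=asmith matter=M5011 action=open
2015-11-10T02:14:30 user=bjones matter=M7765 action=open
"""


def parse_log(text):
    """Turn each line into a dict: {'ts': datetime, 'user': ..., 'matter': ..., 'action': ...}."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def daily_distinct_matters(events):
    """Count distinct matters opened per (user, calendar day)."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["ts"].date().isoformat())].add(e["matter"])
    return {key: len(matters) for key, matters in seen.items()}


def detect_anomalies(events, spike_factor=3, work_hours=(7, 20)):
    """Return alert dicts for off-hours access and for days where a user's
    distinct-matter count is at least `spike_factor` times their own median."""
    alerts = []
    start, end = work_hours
    for e in events:
        if not (start <= e["ts"].hour < end):
            alerts.append({"kind": "off_hours", "user": e["user"],
                           "when": e["ts"].isoformat(), "detail": e["matter"]})

    per_user = defaultdict(dict)
    for (user, day), n in daily_distinct_matters(events).items():
        per_user[user][day] = n
    for user, days in per_user.items():
        baseline = median(days.values())       # the user's own normal day
        for day, n in sorted(days.items()):
            if n > baseline and n >= spike_factor * baseline:
                alerts.append({"kind": "volume_spike", "user": user,
                               "when": day, "detail": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

Each user is compared against their own median rather than a firm-wide figure, because a litigation partner’s normal day looks nothing like a trainee’s; the thresholds are starting points to be tuned against a few weeks of real logs before anyone is paged.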
And finally, senior managers in an organisation need to understand what policies and procedures are in place. If a breach happens, woe betide the senior manager who is unable to explain what processes were in place to protect the organisation. As the current CEO of TalkTalk, Dido Harding, is finding, it’s an uncomfortable and possibly career threatening situation to find oneself being unable to confirm what systems were in place and whether or not data was encrypted.