Data security is important for any business but, for legal firms, the safe storage of digital information is critical.
Highly sensitive documents must be effectively and reliably secured against unauthorised access and removal, and with the shift to remote working in response to the COVID-19 pandemic, expert data security is essential.
In this article, we discuss three examples of data security policies that cover key areas of concern for legal firms.
This is not an exhaustive list; we invite you to contact us so that you can build on it and tailor your planning to your clients, your data, your regulatory environment and the other factors specific to your firm.
- data security policies in regard to employee requirements
- data leakage prevention, specifically data in motion whilst remote working
- your workstation full disk encryption options
Data security policy and employee requirements
Your staff must behave correctly when handling sensitive data and must be fully aware of the types and nature of the data they interact with. Legal firms should provide relevant training so that security procedures are followed, along with ongoing guidance and advice.
The fundamentals of employee requirements for data security in legal firms should be:
- All sensitive data must be protected, restricted or kept confidential as required, primarily to protect individuals, to avoid damage to your reputation and to avoid a negative impact on your clients. Correct handling of data security begins with the employees and contractors who have access to data and continues with control of the technology that deals with scenarios such as theft or data corruption
- The definition of sensitive data must be clearly stated for your employees: is it financial data, PII, restricted or sensitive material, confidential information or intellectual property?
- A recognition of your responsibility for making sure that staff complete security awareness training and agree to uphold the acceptable use policy
- All visitors to your site should be accompanied at all times and restricted areas respected as appropriate
- Ensure that employees understand the protocol of never referring to confidential matters on public platforms or over systems not managed or hosted by your business
- The importance of a clean desk for information security: all printed material must be locked away appropriately and never left unattended in the office
- Making sure that strong passwords are used on all systems and that they are not reused on external systems or services, where a breach of that service would jeopardise your business
- Staff who leave the business must return any business technology, records or data containing personal information; it is useful to include this in employment contracts so that it happens reliably when someone leaves
- Immediate notification of any lost or damaged technology or data, for example a mobile left on a train or a computer that has been damaged and needs safe disposal.
These are the fundamentals of data security which apply to both office working and remote working. However, remote working requires extra precautions to maintain and uphold maximum security. Once data or technology holding data is removed from the office, there are further considerations to take into account because of the presence of additional risks.
Remote working requires colleagues to be able to access information securely.
You will need to set up data transfer platforms for this, whether file shares, secure cloud storage, email or encrypted USB keys.
If you transfer data physically on devices like laptops or memory sticks, they must not be left in sight, for example in a window or in a car. Develop transfer procedures that fit your business and that your team can actually follow.
Data leakage prevention when working remotely
Data leaks affect businesses of any size, but organisations dealing with sensitive data, including legal firms, are appealing targets for cybercriminals because of the wealth of confidential information they hold.
It is essential that your firm implements a data leakage prevention strategy as a matter of course, but its successful implementation is critical for remote workers.
Working from home heightens the risk of data leakage: staff may not be using secure technology, may be running out-of-date software, and may fail to encrypt sensitive documents.
What type of framework would we recommend as a starting point for a data leakage prevention plan?
You may need to adapt the following points to the specific legal regulations or data stipulations your firm is required to uphold.
- The purpose of your business' data leakage prevention plan is to balance the need to protect restricted, confidential or sensitive information from interception by cybercriminals against the need to make that same information accessible to the staff who need it
- Any device that is used regularly and stores confidential information, such as mobile phones and laptops, must be included in your plan, not just office-based workstations
- Consider data leakage prevention technology that scans data in transit. Such tools work over large volumes of files that are at high risk of containing sensitive information and that would cause significant problems if handled inappropriately. The technology identifies specific content, for example credit card details, personal information and emails marked 'confidential', and is configured to alert the user when a suspicious transfer is detected; you can then decide whether to allow or deny the transaction
- When a data leakage prevention program records an incident, the information must be passed to the relevant department, for example HR or security management, and access to the data in question withheld if appropriate
Note that data leakage prevention technology does not by itself prove that an employee lost data, whether intentionally or accidentally. It does, however, provide a sufficient basis for an investigation and evidence that the data your firm held was appropriately protected.
As previously mentioned, data protection begins with the employer and employees, but suitable platforms and implementation of strategies are also essential steps to take to protect your business and data.
Your workstation full disk encryption options
When staff work from home, you may need to implement full disk encryption policies on the devices they use. Full disk encryption protects every piece of information on a device by encrypting the whole disk, so that its contents cannot be read without the key. An unauthorised user who obtains the device therefore cannot access, view or copy data they are not cleared for.
Full disk encryption is now used by legal firms as a key tool in strengthening technology privacy protocols in line with current regulatory guidelines. While many employees work from home, workstation encryption adds another layer of security against cybercrime and the other risks of home working, such as theft or damage.
Full disk encryption can be implemented on all desktop and laptop computers as well as on other digital devices. Consider the cost of doing this across your company; if it is too expensive or complex, conduct a risk assessment of the potential threats and damages on any devices you leave unencrypted.
Your data protection strategy should include an acceptable use policy as well as relevant security awareness training for staff. This allows staff to understand the importance of notifying the relevant personnel should they suspect any unusual activity or feel they are not working in compliance with data protection.
The encryption policy you implement must be managed and validated appropriately and must report to a central management infrastructure so that audit records are accurately stored.
If a central management infrastructure is not possible, especially for remote working, employees can instead lodge their recovery keys with the IT department or an outsourced provider (key escrow). An outsourced provider will also support your business and staff with issues such as lost credentials or locked-out devices.
A provider of full disk encryption support will naturally require users to present a secure password or further information to prove their identity before releasing a recovery key. If further authorisation is required, the provider can confirm with senior management or other key staff so that a second factor of verification has been applied before the key is handed over.
Industry-standard cryptographic algorithms, such as AES, must be used in your workstation data protection plan. Cold boot attacks, in which an attacker with physical access recovers the encryption key from a machine's memory while it is powered on or shortly after it is switched off, are a particular concern for laptops left in sleep mode: mitigate them with pre-boot authentication (for example a TPM combined with a PIN, rather than a TPM that releases the key automatically at boot), by requiring a full shutdown rather than sleep when a device is left unattended, and by authenticating every user logon.
Full disk encryption protects your sensitive data against physical access, which is crucial now that the technology you use and the data you store sit in your team's homes. Protecting information in this way adds an effective layer of security to your confidential files and is a necessary part of storing data correctly.
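The management and validation requirements above (encrypted with an approved cipher, recovery key held centrally, pre-boot authentication that resists cold boot attacks, and regular reporting to central management) can be turned into an automated compliance check. The following is an added example written for this article, not Sprout IT's tooling: it audits a constructed inventory in a hypothetical format representing an export from an encryption management console. The field names, cipher labels, pre-boot modes, the seven-day reporting window and the audit date are all assumptions made for the example.

```python
from datetime import date, timedelta

# Assumptions for this example: records are a hypothetical export from the firm's
# central encryption management console; field names and values are constructed.
APPROVED_CIPHERS = {"XTS-AES-128", "XTS-AES-256"}
# Pre-boot authentication modes that require something from the user before the disk
# key is released. A TPM that unlocks automatically at boot hands the key to the
# operating system without any user secret, which is what cold boot attacks exploit.
STRONG_PREBOOT = {"tpm+pin", "tpm+startup-key", "passphrase"}
# A device that has not checked in recently is not being managed or audited.
MAX_REPORT_AGE = timedelta(days=7)
# Fixed audit date so the output is reproducible (constructed).
AUDIT_DATE = date(2024, 6, 1)


def check_device(rec: dict, today: date = AUDIT_DATE) -> list:
    """Return the list of policy failures for one device record (empty if compliant)."""
    failures = []
    if not rec["encrypted"]:
        failures.append("disk not encrypted")
    elif rec["cipher"] not in APPROVED_CIPHERS:
        failures.append(f"unapproved cipher {rec['cipher']}")
    if not rec["recovery_key_escrowed"]:
        failures.append("recovery key not held centrally")
    if rec["preboot_auth"] not in STRONG_PREBOOT:
        failures.append(f"weak pre-boot authentication ({rec['preboot_auth']})")
    if today - rec["last_report"] > MAX_REPORT_AGE:
        failures.append("not reporting to central management")
    return failures


def audit(inventory: list, today: date = AUDIT_DATE) -> dict:
    """Map every device name to its failures, so compliant devices appear with []."""
    return {rec["device"]: check_device(rec, today) for rec in inventory}


def non_compliant(report: dict) -> list:
    """Sorted names of devices with at least one failure."""
    return sorted(name for name, failures in report.items() if failures)


# Constructed inventory (hypothetical devices and states, not real records).
SAMPLE_INVENTORY = [
    {"device": "LAPTOP-01", "encrypted": True, "cipher": "XTS-AES-256",
     "recovery_key_escrowed": True, "preboot_auth": "tpm+pin",
     "last_report": AUDIT_DATE - timedelta(days=1)},
    {"device": "LAPTOP-02", "encrypted": True, "cipher": "XTS-AES-128",
     "recovery_key_escrowed": True, "preboot_auth": "tpm-only",
     "last_report": AUDIT_DATE - timedelta(days=2)},
    {"device": "LAPTOP-03", "encrypted": False, "cipher": "none",
     "recovery_key_escrowed": False, "preboot_auth": "none",
     "last_report": AUDIT_DATE - timedelta(days=30)},
    {"device": "DESKTOP-04", "encrypted": True, "cipher": "AES-CBC-128",
     "recovery_key_escrowed": True, "preboot_auth": "passphrase",
     "last_report": AUDIT_DATE},
]

if __name__ == "__main__":
    for device, failures in audit(SAMPLE_INVENTORY).items():
        status = "OK" if not failures else "FAIL: " + "; ".join(failures)
        print(f"{device:10} {status}")
```

LAPTOP-02 is the case worth noting: it is fully encrypted and escrowed, yet still fails because a TPM-only unlock gives no protection against an attacker who can boot the stolen machine and read the key from memory. The audit treats "not reporting" as a failure in its own right, since a device that has dropped out of central management cannot be validated at all.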
Protect your confidential data and avoid data leakage with Sprout IT
Sprout IT are an established technology firm specialising in digital data protection in the legal sector. We are able to help you with your data protection plan, including data security policies and employee requirements, data leakage prevention and full disk encryption services.
To get in contact with our team about securing your data and your work-from-home policies, please call Sprout IT today on 020 7036 8530 or email us.