GDPR has now been a reality for solicitors’ practices and barristers’ chambers since 25th May 2018, and the UK’s recent departure from the European Union does not change that one little bit.
In fact, in the upcoming trade negotiations, regulatory compliance on data security between the UK and EU will feature highly in the complex talks to navigate both parties towards a trade agreement.
Where are we in the first quarter of 2020? In this article, we’ll be covering the feedback and questions we’ve received since the turn of the year from our clients, including:
- no matter how well-intentioned, your human firewall leaves your firm vulnerable. How can you change this?
- the top technical priorities for GDPR compliance right now
- are your suppliers the weakest link in your data protection chain?
How can you avoid your staff being caught out by social engineering attacks?
Social engineering relies on short-circuiting the rational human decision-making process by using deceit and manipulation. 32% of data breaches in general involved a phishing attack – arguably the type of attack at which cybercriminals are most experienced and competent. 80% of cyber-attacks against UK law firms use phishing and social engineering.
With a phishing attack, a cybercriminal attempts to trick someone working within a firm:
- to click on a link or download an attachment which compromises the security of their device (and, through it, the firm’s network), or
- to divulge confidential or sensitive information
In addition to attempting to deceive people by email, phishing attempts can also take place over the phone (vishing) or by text message (smishing). Phishing attacks are often quite generic, making the deception easy to spot; however, cybercriminals are becoming more sophisticated and harder to detect by increasingly targeting specific victims (spear phishing), tailoring the message with details of the firm, a colleague, a client or a live matter so that it reads as routine.
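As an added illustration (this is not Sprout IT’s code and is no substitute for a proper mail filter), the Python script below scans raw e-mail text for the indicators described above: a look-alike sender domain, a Reply-To that sends answers somewhere other than the apparent sender, a link whose visible text points to a different host than its real destination, and the pressure or credential language that social engineers rely on. The firm domain and both sample messages are constructed for the example.

```python
"""Heuristic phishing-indicator scan over raw e-mail text.

Added example for this article, not Sprout IT code. FIRM_DOMAIN and both
sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FIRM_DOMAIN = "example-law.co.uk"  # assumption: the firm's genuine mail domain

# Phrases social engineers lean on to hurry the reader past their own judgement
PRESSURE_TERMS = ("urgent", "immediately", "password", "bank details",
                  "verify your account")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<]+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike domains (examp1e-law, exarnple-law)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """'Jane <jane@x.example>' -> 'x.example'."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable indicators found in one message; empty means none."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender domain within two edits of ours, but not ours: a look-alike.
    from_domain = domain_of(msg.get("From", ""))
    if from_domain != FIRM_DOMAIN and levenshtein(from_domain, FIRM_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain: {from_domain}")

    # 2. Replies silently routed to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"replies go elsewhere: {domain_of(reply_to)}")

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")

    # 3. Visible URL text that differs from the real href is the classic lure.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
            findings.append(f"link shows {shown.group()} but goes to {urlparse(href).hostname}")

    # 4. Urgency and credential/payment wording.
    hits = [t for t in PRESSURE_TERMS if t in body.lower()]
    if hits:
        findings.append("pressure/credential language: " + ", ".join(hits))
    return findings


# Constructed sample: a spear-phish impersonating a partner to the accounts team.
SPEAR_PHISH_MESSAGE = """\
From: "Jane Smith (Senior Partner)" <jane.smith@examp1e-law.co.uk>
Reply-To: jsmith.partner@mail.example.net
To: accounts@example-law.co.uk
Subject: Completion funds today
Content-Type: text/html

<p>Please treat this as urgent and change the payee bank details before 2pm.</p>
<p>Log in here: <a href="http://portal-example-law.evil.example/login">https://portal.example-law.co.uk</a></p>
"""

# Constructed sample: an ordinary internal message from the genuine domain.
LEGIT_MESSAGE = """\
From: "Jane Smith" <jane.smith@example-law.co.uk>
To: accounts@example-law.co.uk
Subject: Completion statement
Content-Type: text/html

<p>Attached is the completion statement for file 1234. Nothing further is needed today.</p>
"""

if __name__ == "__main__":
    for label, raw in (("spear-phish", SPEAR_PHISH_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

None of these checks is conclusive on its own (a genuine supplier may legitimately set a different Reply-To), which is why the output is a list of reasons for a human to pause and verify by a second channel, rather than a verdict.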
88% of successful data breaches involve human error rather than a purely technical compromise.
The best defence against social engineering attacks is to train your staff on what they should be suspicious of and, if they are suspicious, what steps they should take (including reporting any attempt to senior management or your IT lead, and verifying unexpected requests by a separate channel such as a known phone number) to mitigate risk to your firm. The use of strong, unique passwords should be mandatory within any legal firm.
No matter how technologically advanced and up to date your IT-based defences are, your human firewall is far more likely to be the reason behind the success of an attack. In-depth training followed up by ongoing monitoring of staff compliance with cybersecurity protocols will arguably produce a greater return for your legal firm than any investment made in technology.
However, technology is still very important because there will be ways to breach your system which do not rely on a lack of training or awareness among your regular staff.
What should the top technical priorities be for your IT team/lead contractor?
There are many different ways in which cybercriminals can breach your firm’s IT security and leave your clients’ sensitive personal and commercial data exposed. Over the past 12 months there has not been a great deal of innovation in methods of attack; rather, attackers’ energies seem to have been spent refining their existing techniques.
Distributed Denial of Service (DDoS) attacks do not expose your data as such; however, they can cause severe disruption to the day-to-day operations of your firm. They represent a major threat to legal firms and you should take every opportunity to improve your defences against them.
On GDPR issues, we would suggest that your IT team focuses on the following potential forms of attack:
- Man-in-the-Middle (MitM) attacks – a form of eavesdropping on electronic communication between colleagues, and between colleagues and clients. Further danger comes because more sophisticated MitM attackers can alter messages en route whilst still retaining their apparent legitimacy and authenticity. You should consider requiring a Virtual Private Network (VPN) over Wi-Fi, installing an intrusion detection system, and enforcing HTTPS (TLS, the current name for what is still often called SSL) with valid certificates across your extranet and website to counteract this threat.
- Ransomware – ransomware usually gets in through out-of-date or unpatched software, or through a phishing attachment. It holds your computer system and the data on it hostage by encrypting it; if you don’t pay the ransom fee, your data may be lost completely, and even if you do pay there’s no guarantee that you will regain access to it. You’ll need to audit all software present across your system and the devices attached to it and ensure that updates are installed promptly on release. Keep tested backups that the ransomware cannot reach (offline or otherwise isolated from the network) so that you can restore without paying.
- Out-of-office working – despite the widely-held belief that Wi-Fi connections are secure, public and other untrusted Wi-Fi networks should be treated as hostile and not used without a VPN connection. If a hacker compromises a Wi-Fi network, or creates their own in a public place (a mobile phone hotspot with a plausible name, for example), any of a user’s traffic that is not protected by TLS or the VPN can be observed, including the credentials they use to log into your firm’s extranet. For the use of email on the move, multi-factor authentication should be used.
How much attention should you pay to your suppliers?
56% of data loss incidents in 2018 were caused by third parties, and there is no current indication that suppliers’ data security and data management practices are catching up with what their clients need from them.
To counteract this threat, you should assign someone at board level to manage this risk; alternatively you may choose to employ a part-time Data Protection Officer. Following the introduction of the GDPR and the Data Protection Act 2018, someone at your firm should already have these responsibilities (in an ideal world). However, if this is not yet the case for your solicitors’ practice or barristers’ chambers, now would be the time to appoint or contract someone to manage your firm’s data security.
Your third-party suppliers (mainly software and app vendors) will be in regular receipt of data and other sensitive information from your firm. Prior to engaging with a supplier, you’ll need to devise a third-party risk management process for your practice or chambers. Then, you’ll need to understand on a supplier-by-supplier basis:
- how critical it is that their services are available to you when you need it,
- what data they access,
- what value they add to your business financially, operationally, and
- their compliance with your third-party risk criteria.
Ask yourself what risks are involved in outsourcing this data handling to a third-party supplier. What assurances do you need from a potential supplier about their service and security levels? Make sure that all of your requirements are included both in the contract and in the service level agreement, and make sure that all of these provisions are met from day one.
Monitor each relationship with each supplier carefully involving them in the internal decisions made which may affect the delivery of their service. In addition to the quality of the service they’re providing, you may also wish to monitor their financial performance and any legal actions brought against your supplier – this will give you extra room to make alternative arrangements in good time as and when needed.
Your legal firm GDPR questions answered by Sprout IT
To speak with one of our team about achieving the highest levels of GDPR and data protection law compliance within your solicitors’ practice or barristers’ chambers, please call Sprout IT today on 020 7036 8530 or email us.