Cybercrime - is your firm safe?
How your firm can protect itself - by Ben Harris, Jan 30, 2019
Law firms are a gold mine of data, holding detailed personal information, company dealings and juicy details on high-profile individuals - rich pickings if this should fall into the wrong hands. 11 million files were leaked during the Panama Papers breach, so what would happen to your firm if your information was suddenly in the public domain?
Scary isn't it?
The really scary thing is failing to take any action. There are things you can do today to make your firm more secure. In our legaltech 2019 trends article we talked about cybersecurity becoming the wrapper around all of your project endeavours, but it's not just technology.
Your cybersecurity strategy should be built on three pillars, which may be familiar if you've been involved in project delivery:
- People - ensuring your employees understand the processes and technologies in place to make your firm cyber secure. Educating your employees and testing them to see how they react when they are subjected to a phishing scam or a ransomware incident provides valuable insight.
- Processes - the way in which your organisation prevents a cybersecurity incident, such as the processes used to transfer data or how you select your vendors. These processes have a clearly defined path that ensures calm in the event of a conflict and provides a means to evaluate and continually improve your cybersecurity practice.
- Technology - technology is not the quick fix, but it does work with your processes and people to protect your firm and underpin good working practice. For example, Mimecast won't stop you sending an email to the wrong person, but it will ask you to double check.
Think about it another way: what happens in the event of a fire at your office? The fire alarm rings (technology), people know what to do (people) and there are checks to ensure that the right people are assembled at the right place (process). These measures ensure that your firm is safe and people are protected in the event of a fire. The same needs to be in place to cyber secure your firm and your clients.
So, what can you do?
The issue of cybersecurity regularly crops up with our clients. Before embarking on any new business change, we advise clients to consider the cybersecurity implications and ensure the following areas are considered:
- Understand your firm's appetite for risk - a firm specialising in large corporate transactions or persons of significant interest may be more risk-averse than a volume conveyancer. Do you have contractual obligations to your clients for their data?
- Understand the change you're making - implementation of a CRM system as a standalone solution can be relatively lightweight from an information sensitivity perspective when compared with a case management or document management solution.
- Understand who is working on the project - you wouldn't allow everyone in your firm to access a sensitive case, and the same is true when delivering a project. Often defined as the segregation of duties, this ensures that no one person has the keys to the castle.
- Start from most secure and work back - it's often easier and quicker to allow users to have all the permissions to your new system. However, taking those away if a vulnerability is found can be very difficult.
- Consider the other side - it can seem like the right thing to test a solution from the positive perspective, taking the well-trodden route. But what if someone is trying to break into your client portal? They're going to try every combination of buttons to get through. Testing can help minimise the risk.
Hopefully these tips help you on your business change journey. If you are still unsure and would like further assistance, please get in touch. We'd be happy to help.