In today’s highly connected world, new risks emerge every hour of every day. Connecting to the internet opens up the possibility (if not probability) of a criminal targeting your business. Cybercrime is becoming big business, and cyber risk a focus of businesses and governments globally. Monetary and reputational risks are high if businesses don’t have an appropriate cyber security plan.
For instance, if we take GDPR, the Law Society provides reasonable guidance on information and cyber security; however, it doesn’t go anywhere close to being of real value, because it forgets the importance of managing the entire process. Simply stated; this is not just an IT thing! An emphasis is placed upon the Articles of EU 2016/679 (GDPR), but the truth is that whilst this is of vital concern, so are the requirements set out in the Data Protection Act 2018 (DPA18) and related legislation. The key phrases being, “risk of varying likelihood and severity for the rights and freedoms of natural persons” and “implement appropriate technical and organisational measures.” So the real question is, if very little was implemented to satisfy the DPA98 and let us be honest with an assessment of that, then what assurance (and thus confidence) does an individual have that a law firm will in fact implement the requirements of DPA2018 and GDPR? The answer to that question has very little to do with any monetary penalty notice or enforcement notice from the Information Commissioners Office (ICO). But, all of the above are centred upon the protection of personal data (and special categories of the same).
A law firm has other information, data and knowledge that is equally important (sensitive), and potentially more important in some cases. Much of this information will be in various forms: physical (files and papers); digital (structured and unstructured data, and metadata); and that which is in the head.
Will a firewall help – possibly, but only if the rules for ingress and egress filtering are managed correctly. If not, the firewall will eventually fail to do its job
Will antivirus help – possibly, but only if there are regular (daily) updates of signature files. If not, it will soon be of little value. How often does the antivirus application do a sweep of files; daily? If not, then it too will soon be of little value. Unfortunately, and this is a fact of on-line life, antivirus will not help with zeroday malware; therefore, other controls will be required to compensate for this weakness
Will patching help – possibly, if it is done. This is patching of operating systems and other applications used by the firm. If there is no patching procedure in place or the firm is running with ‘out of support’ (read old) operating systems and other applications, then expect the worst. ICO sends Marriott and BA an intention to issue a penalty notice - how big could the fines be? In today’s highly connected world, new risks emerge every hour of every day. Connecting to the internet opens up the possibility (if not probability) of a criminal targeting your business. Cybercrime is becoming big business, and cyber risk a focus of businesses and governments globally. Monetary and reputational risks are high if businesses don’t have an appropriate cyber security plan.
Some examples demonstrated on the Law Society web page advice:
A law firm (and indeed any other business) should already have put in place, “appropriate technical and organisational measures” before GDPR and DPA2018 came into existence. Firewalls, switches, antivirus, patching, use of encryption etc. are all technical measures, but what of the organisational measures that the firm has put in place? Will there be any? In any business there are two key phrases – consistency (of approach), and constant improvement. In the world of information and cyber security these two key phrases play their part. Be consistent with the management and application of information and cyber security and ensure that the firm has an objective to constantly improve upon what (hopefully) it has in place. Armstrong Watson is moving ahead of the times by having a Client Technology service that helps clients to deal with issues such as Cyber Security, but also how to get the most out of your technology generally to be able to improve your business. Timely reminder post-election: Keeling Schedule to the The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU exit) Regulations 2019 for UK-GDPR, DPA2018 and at some point, PECR2003.
For advice on keeping your law firm safe from Cybercrime or for any other technology queries, please contact us Director or visit our client technology section on the website.
