[BreachExchange] The five biggest IT threats to your firm’s GDPR compliance

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 12 18:56:18 EDT 2017


http://www.legalfutures.co.uk/blog/five-biggest-threats-firms-gdpr-compliance

Law firms hold a wealth of sensitive information, all of which will be
subject to the General Data Protection Regulation (GDPR), which will apply
in the UK from 25 May 2018.

Specifically, article 5 of the GDPR requires that personal data shall be
“processed in a manner that ensures appropriate security of the personal
data, including protection against unauthorised or unlawful processing and
against accidental loss, destruction or damage, using appropriate technical
or organisational measures”.

This blog highlights five risk areas for law firms when it comes to
ensuring that IT systems are secure enough to meet your firm’s obligations
under article 5.

1. A relaxed attitude to security

If your firm is growing and opening new offices or acquiring other firms,
IT can become cumbersome to manage as you scale up your resources. Merging
systems together and adding servers in various locations can mean security
becomes a challenge.

Often it’s assumed that if you have followed all the guidelines and
implemented recommended security measures, then your data should be secure.
But how often do you test this theory?

It could be something as simple as a missed software update that causes
your data to be stolen and systems to be down for days. And in this
situation, could your firm prove that you’ve taken the appropriate steps to
keep your data safe?

Solution:

At the most basic level, you should have security policies in place to
ensure you keep on top of patching and updates. And you should have clear
file permissions set for different user levels so you know who has access
to what.

You should diarise regular penetration tests on your systems and enlist the
help of ethical hackers who will be able to identify the weak spots in your
IT.

You should also commission a third-party review of your infrastructure to
identify security risks. But it’s not all bad news – this type of audit is
also likely to find improvements that can optimise performance and identify
wasted resources.

Often managers are reluctant to put their IT to the test in case it reveals
flaws that are expensive and cumbersome to fix. But in this situation
ignorance is not bliss and, often, many of the issues identified by this
type of audit will be simple to fix but could be catastrophic if discovered
by a hacker.

2. Lack of protection against cyber attacks

Our recent blog highlighted how the GDPR heightens the risk of cyber
attacks. The frequency of attacks is on the increase and, not only are
hackers using ransomware to demand payment for data they are holding
hostage, but they are now taking a copy and selling the data online.

With firms facing increased fines as a result of the GDPR, these types of
cyber attacks are increasingly becoming a concern.

With most attacks launched via malicious email attachments and websites,
have you implemented basic measures to protect your firm?

Solution:

The first step is to make sure your employees are informed. Do they know
about ransomware? Can they recognise the signs of a phishing email? And do
they know what to do if they’re unsure about any content they’ve received?

However, you cannot lay the responsibility solely with your employees,
particularly when there is software out there that can protect your firm. A
high-volume conveyancer may receive hundreds of emails in a day and, sooner
or later, someone will get caught out.

To reduce the risk, your firm should be taking advantage of the latest
email security and web filtering technology. These tools are relatively
easy to implement and will immediately minimise the risk of malicious
content being accessed.

3. A non-existent password policy

This one should be easy, but it’s more complicated than it first appears.

Forcing users to change their password is the most commonly used strategy,
which does provide some protection, but you’ll often find that people will
then choose something that’s easy to memorise and simply change one digit
each time. This is a problem as weak passwords are easy to crack and
provide an easy route into your IT systems for hackers.

However, keeping the same password forever isn’t a good strategy either –
it’s a catch-22.

Solution:

Despite the risk of users choosing simple passwords, we still recommend
that firms force users to change their passwords regularly. But employees
should be educated to understand that using their company name, partner’s
name or using the same password for everything is a bad idea.

Many firms are now adding a further layer of protection via two-factor
authentication (2FA). This inserts an additional step into the log-in
process to ensure your users are who they say they are. You should consider
this if your users tend to log on remotely.
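As an added example (not from the blog or any product it describes), here is a password-change check that rejects the one-digit rotation the section describes and the firm-name or partner's-name terms it says to avoid; the minimum length, the edit-distance threshold and the availability of previous passwords are assumptions of mine.

```python
import re

# Added example (not from the article or any product): a password-change check
# that catches the failure mode described above, where a forced rotation is
# satisfied by changing one digit of the old password. Policy values are assumed.
MIN_LENGTH = 12  # assumed minimum length
MAX_EDITS = 1    # old and new passwords one edit apart count as the same password


def _levenshtein(a, b):
    """Edit distance between a and b (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _base(pw):
    """Lowercased password with the trailing digits/symbols (the 'counter') removed."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def is_trivial_variation(old, new):
    """True when new is old with a digit bumped, a character tweaked, or a new counter."""
    o, n = old.lower(), new.lower()
    if _levenshtein(o, n) <= MAX_EDITS:
        return True
    # Same word with a different trailing counter, e.g. Summer2017! -> Summer18!
    return len(_base(o)) >= 4 and _base(o) == _base(n)


def check_password(candidate, history, banned=()):
    """Return policy violations for a proposed password; an empty list means accepted.

    history: the user's previous passwords (assumed available in clear for this check).
    banned:  terms the article warns against, e.g. the firm's or a partner's name.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    low = candidate.lower()
    if any(term.lower() in low for term in banned):
        reasons.append("contains_banned_term")
    if any(is_trivial_variation(old, candidate) for old in history):
        reasons.append("trivial_variation_of_previous")
    return reasons
```

In practice only the current password is available in clear at change time (older ones exist only as hashes), so `history` would normally hold just that one value.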

4. Out-of-date software

From case and practice management applications to operating systems, law
firms use many different pieces of software.

Once a product reaches ‘end of life’ (EOL), it is no longer supported by
the provider and, importantly, no longer receiving critical security
patches. This puts your firm at risk because unsupported environments mean
that known vulnerabilities are not patched, allowing hackers to easily
exploit them.

You should be familiar with your hardware and software providers’
retirement calendars and upcoming EOL products should be highlighted to
your firm’s management team as a known risk. If you don’t keep track of
this, how can you prove that you are meeting your GDPR obligations and keep
your IT systems secure?

Solution:

The solution is clear: you need to update (if possible) or move to new
software if yours is EOL. However, moving to a new case or practice
management system can take up to two years and it’s likely to be costly.

Large firms will typically appoint a consultant to support such a
complex project, as there are many stages to implementation. As an
infrastructure provider, we should warn you that newer or higher-level
enterprise software often requires increased IT resources and a completely
different set-up.

Even the largest firms get caught out here and costs can spiral out of
control if you do not get the right advice from an IT provider who has
experience of the applications you’ll be using.

Alternatively, you may have the option to pay for extended support but,
inevitably, you will have to move at some point, so it pays to be prepared
early. Rather than paying out for support for an old system, your budget
will likely be better spent on a newer system with improved features which
give your firm a competitive advantage.

5. A weak back-up and disaster recovery plan

First of all, it’s important to understand the difference between back-up
and disaster recovery. Your firm will most certainly be completing regular
back-ups but your back-ups may take days or weeks to restore. Disaster
recovery enables you to immediately move to a secondary environment that is
capable of sustaining your business continuity.

To protect against accidental data loss, it’s vital to ensure your back-ups
are functional. Your back-up and disaster recovery plan does not just refer
to the technology that you are using, but also to your ability to prove
it’s working effectively.

Solution:

The only way to identify flaws in the plan is to robustly test. To do this,
you must involve employees from different departments and test for a
worst-case scenario. Only then will you know how long it will realistically
take to get your firm back up and running in the event of a disruption that
takes down your entire IT environment.

If you discover that you cannot recover all of your data, or that you can’t
do it quickly enough, you may be able to fix the issue, or you may need to
look at other technologies to achieve your objectives.

There are many steps that can be taken to make IT systems secure and
hopefully this blog has given you an indication of where to start.