It’s not surprising that the legal sector represents a goldmine for hackers; it is a vital component of UK business and government infrastructure. Law firms don’t just handle highly sensitive IP, business critical and financial data for clients but also personally identifiable information (PII), making them a highly attractive target.
PwC's annual Law Firm Survey 2017 found that over 60 percent of all law firms had reported suffering some form of security incident during the last year. The most common security incidents continue to be phishing attacks, with 12 percent of firms under attack on a daily basis.
It’s clear that the stakes couldn't be higher. The UK privacy watchdog, the Information Commissioner’s Office (ICO), revealed a 173 percent increase in PII-related incidents in the sector over the past quarter. That’s bad news considering the forthcoming EU General Data Protection Regulation (GDPR) could increase fines for non-compliance to up to 4 percent of an organisation’s global annual turnover or 20 million Euro, whichever is higher. That’s up from the current maximum ICO fine of £500,000.
To complicate things further, the new regulation covers not just loss or theft of PII but could also apply to any attacks which involve “unauthorised access” to or “unlawful destruction” of personal data. That means the GDPR could cover outages caused by ransomware, one of the biggest threats to modern organisations, which ripped through international law firm DLA Piper in June 2017.
Punitive fines and reputational damage are facing those who fail to take data protection seriously. So, what can the industry do to fight back?
Hackers are increasingly targeting the sector because of the highly sensitive data it holds, but also because law firms are typically viewed as an easier target than some other sectors. This is because many of the challenges associated with data protection in the legal sector come from the mobile nature of the workforce. Data often has to be carried and stored outside of the office, putting it at risk of theft or accidental loss. In fact, loss or theft of paperwork and unencrypted devices were two of the main issues affecting the legal profession according to a report by the ICO.
A combination of educating employees, establishing better processes and implementing the right technology can boost security and make the sector a less attractive target for hackers. A comprehensive awareness and education programme for employees, with sufficient training to prevent security attacks and breaches, is a necessity.

Law firms should implement strict secure remote working policies and ensure these extend to partners and contractors. Policies must include encryption of all sensitive data, both at rest and in transit, particularly for removable storage devices. In fact, Article 32 of the GDPR recommends that the data controller or processor implement measures such as encryption. Encrypting removable media, such as USB drives or portable hard drives, is a simple step towards GDPR compliance, and one that is often missing within organisations. To avoid the potential for human error when data is being transferred outside of the network or between systems, organisations need to research, identify and mandate a corporate-standard encrypted mobile storage device. In addition, use of that device should be enforced across the organisation through policies – such as locking down USB ports so they accept only approved devices.
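The USB lockdown described above can be enforced on Windows endpoints through the Device Installation Restrictions policy keys. The script below is an added example, not from the article or from any vendor it mentions: it blocks installation of removable devices by default and allow-lists only the firm's chosen encrypted drive model. The hardware ID strings are placeholders that must be replaced with the real IDs read from a reference device; in production the same values would normally be pushed by Group Policy rather than set locally.

```powershell
# Added example (not from the article): allow only approved removable storage devices.
# Assumes: Windows 10/11, run elevated; policy set locally for illustration (use GPO in practice).
#Requires -RunAsAdministrator

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$AllowIdsKey     = Join-Path $RestrictionsKey 'AllowDeviceIDs'

# PLACEHOLDER hardware IDs for the corporate-standard encrypted drive.
# Read the real values from Device Manager > Details > "Hardware Ids" on a reference device.
$ApprovedHardwareIds = @(
    'USBSTOR\DiskVENDOR__ENCRYPTED_DRIVE_1.00',   # placeholder
    'USB\VID_0000&PID_0000'                        # placeholder
)

function Set-ApprovedRemovableDevicePolicy {
    param([Parameter(Mandatory)][string[]]$HardwareIds)

    New-Item -Path $AllowIdsKey -Force | Out-Null

    # Deny installation of removable devices in general ("Prevent installation of removable devices").
    Set-ItemProperty -Path $RestrictionsKey -Name 'DenyRemovableDevices' -Value 1 -Type DWord
    # Enable the allow-list; allow entries take precedence over the generic deny.
    Set-ItemProperty -Path $RestrictionsKey -Name 'AllowDeviceIDs' -Value 1 -Type DWord

    # Replace any existing allow entries. Entries are string values named "1", "2", ...
    Get-ItemProperty -Path $AllowIdsKey | Select-Object -ExpandProperty PSObject |
        Select-Object -ExpandProperty Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Remove-ItemProperty -Path $AllowIdsKey -Name $_.Name }

    $index = 1
    foreach ($id in $HardwareIds) {
        Set-ItemProperty -Path $AllowIdsKey -Name ([string]$index) -Value $id -Type String
        $index++
    }
}

function Get-ApprovedRemovableDevicePolicy {
    # Audit helper: report the effective local policy so it can be checked against the standard.
    $p = Get-ItemProperty -Path $RestrictionsKey -ErrorAction SilentlyContinue
    $allowed = @()
    if (Test-Path $AllowIdsKey) {
        $allowed = (Get-ItemProperty -Path $AllowIdsKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            Sort-Object { [int]$_.Name } |
            ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        RemovableDevicesDenied = ($p.DenyRemovableDevices -eq 1)
        AllowListEnabled       = ($p.AllowDeviceIDs -eq 1)
        ApprovedHardwareIds    = $allowed
    }
}

Set-ApprovedRemovableDevicePolicy -HardwareIds $ApprovedHardwareIds
Get-ApprovedRemovableDevicePolicy | Format-List
```

The policy only governs device installation; an already-installed unapproved drive keeps working until its driver is removed, so the audit function is worth running after the first deployment to confirm the keys took effect before relying on it across the estate.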
With access and transfer of data extending beyond the corporate network, firms must also tighten access controls by rolling out two-factor authentication for accounts and limiting privileged accounts, with remote access to systems authenticated and logged.
Further best practice steps include enforcing appropriate security measures such as advanced anti-malware at the endpoint, network, gateway and server layers, and ensuring patches are deployed promptly and IT systems are configured securely. Regular checks and continuous monitoring of all IT systems to help detect any intrusions are a must. Should a breach occur, firms should also be prepared by having an established incident response plan in place.
Under current data protection law, holders of personal data are responsible for ensuring adequate measures are in place to avoid data breaches. The GDPR will introduce various new requirements that law firms processing personal data will have to comply with. Firms must ensure that they are well placed to meet these obligations by May 2018.
What remains the most important aspect of protecting sensitive data within law firms is consistency. IT teams, C-Suite and employees all need to be educated on, and adhere to, the policies in place to ensure that sensitive data doesn't end up in the wrong hands.
Copyright © 2016 Legal IT Professionals. All Rights Reserved.