Ensuring your firm and client security

Greg GillespieTacet Global

Greg Gillespie, managing director of Tacet Global, talks through how to ensure the security of your firm and your clients. He discusses the impact of homeworking due to COVID-19 and how you can identify the threats and make your firm more secure.

Using a laptop and mobile phone

As both a business owner and a professional marketeer, I put in place measures that had a huge impact on the way data was handled and stored when GDPR came into being a couple of years ago.

Along with many of my law firm clients, I was pleasantly surprised that business didn’t stop and that client confidence actually increased.

However, the effect of COVID-19 in the workplace has thrown so many different spanners in the works.

Home working and different working patterns have made firms more vulnerable to various types of cyber attacks and breaches of data. Nine months ago, I couldn’t imagine that the UK workforce would be working from home, away from colleagues and customers and relying even more on technology just to enable a business to function.

But, this adaptation of the workplace has unwittingly created an opportunity for fraudsters and hackers to exploit.

From my own experiences, there are some pretty basic rules and ways of thinking that can make your legal business more secure.

What is cyber security?

It’s important to look at the correlation between “physical” security and “cyber” security. Often the term “cyber” security confuses the issue. It makes people think it would not affect them or that it is too complicated an issue for them to deal with but in essence all the term "cyber" really refers to is “technology”.

We use technology in our businesses and in daily life to make things easier and more convenient. It is this technology that is vulnerable to exploitation. Therefore, when you hear the term cyber security, simply think of any electronic devices or systems that may be used such as mobile phones, tablets, laptops and WiFi networks.

What is the cost of a cyber attack?

The cost of a cyber attack can be measured in many ways. The financial cost alone of trying to resolve the repercussions of a cyber attack can be eye watering. A recent report by IBM showed that the cost of a single record taken was, on average, £115.

The average overall cost to a business as a result of a data breach is estimated to be a staggering £211,000. What’s more, the same IBM report suggested that the average time taken to just identify a breach, let alone secure it, was 279 days.

Apart from the financial cost, there is also the reputational damage associated with a business not having suitable procedures in place. This reputation damage may be an unquantifiable monetary sum, but the trust and confidence of existing, let alone potential clients could take years to rectify.

Identify the threats

There are many types of cyber threats to small legal businesses but below are three common attempts to look out for.

Phishing emails

Phishing is a type of blanket email sent to multiple email addresses with the objective of acquiring personal details of the recipient. These emails come in various forms from claiming to be from a trusted source to the suggestion of the recipient winning a prize.

The sender intends for the recipient to click on one of the links, which may result in malware being installed onto a computer, or for them to hand over their details on the promise of some kind of return.

Spear phishing emails

This is a far more targeted form of phishing with more thought and preparation required from the sender. An example would be someone receiving correspondence from a retailer, with whom they had made a recent purchase, claiming there is an issue with payment and that they require the payment details to be reinserted.

The objective is the same as a standard phishing email, but it is targeted and tailored to the recipient.

Smishing

This also has the same objectives as phishing emails except that the communication comes from a text or WhatsApp message. Smishing is a combination of SMS (short message services – better known as texting) and phishing.

How you can reduce the risk to your firm

If simple and low cost solutions are available to address this type of threat, why don’t people and their businesses already do it?

Mindset

Security considerations in the physical sense are now common place. No one would leave their home unlocked or have valuable items on show on the back seat of their cars when they park in a public carpark.

These considerations have been brought about by common sense, personal experiences and awareness campaigns which could be as basic as a sign in a carpark saying “don’t leave valuables on display".

When it comes to cybersecurity it’s not so simple to grasp the same level of security considerations. But, a few pointers could help you:

  • Knowledge – physical security is often a matter of simple commonsense but effective technology security measures, whilst not complicated, require you to have some basic knowledge. Don’t be afraid to seek professional advice
  • Systems and procedures – you need properly audited systems and procedures to be in place in order to protect your firm against any threats
  • Human error – even the best processes cannot completely eradicate human error be it driven by malice, ignorance or oversight, but having a properly trained team following a rigorous, audited process can reduce the chances of being a victim of a hostile cyber threat

A checklist to make your firm more secure

Training

Train your staff (and yourself) in the basics of countering cyber threats. This could be done internally after conducting extensive research or by an outside source.

Processes

By taking the time to map out the data points and communication channels, basic and often very cost effective processes and procedures can be put in to place to ensure that all aspects of data storage and communication are made as secure as possible.

Map data

At the outset of looking to secure anything is to evaluate what needs to be secured and where it is. By mapping where data is held in a business, steps can then be taken to identify how best to secure it.

With the impact of COVID-19 on the workplace, this will now include devices and networks outside of the office such as employees’ homes where it is unlikely for procedures and measures to be in place.

Making a data map means not just identifying where data is stored but identifying how it is transferred and by whom.

Passwords

When securing a physical location such as at home, the locks and keys used are of paramount importance. In the cyber world this could be equated to passwords. The common mistake is to use an easily guessable password such as the person’s name and date of birth.

Passwords should be a mix of letters (both lower and upper case), numbers and punctuation marks. There are even online tools to help people select suitable random and secure passwords.

Maintain copies

In the event of a data breach it is highly beneficial to have backups of the data available, but this can also help secure a business and limit the exposure with regards to where backups are stored. For example, having offline backups decreases the risk of compromise and ensures that should any online attack take place, then the data is secure.

2FA

Two factor authentication (2FA) is an easy to use feature and ensures that only the right people have access to the right areas. It works on the principle of access to a certain area being allowed based on two separate devices verifying access.

For example, a secure email account would require a password on the email system and then a code would be sent, via text message, to the registered mobile for the account. This code is then entered into the email account to enable access. If someone were to try and access the email account without the code sent to the registered mobile, they would not be able to log in.

Encrypted email systems

There are various products available in the market but encrypted email systems offer numerous benefits in addition to the extra layers of security they provide.

Encrypt sensitive documents

Encrypted email systems do incur an additional cost, but as mentioned earlier the cost of preventing security breaches far outweighs the cost of having to deal with an issue once it has already occurred.

If the budget is tight then taking the effort to send documents as encrypted and password protected PDFs should be considered. The key is then to send the password via a different method.

For example, all case documentation handled by Tacet Global is sent via a password protected PDF and the password is communicated verbally over the phone or sent to the client’s mobile phone by text message or WhatsApp.

Audit

There are many firms who are members of the Association of British Investigators who can provide companies with both a physical and cybersecurity audit including various levels of penetration testing to see where the vulnerabilities in a business may currently lie.

While this will incur a level of financial outlay, in comparison to the potential costs, issues and reputational damage a business would incur as a result of a cyber attack or data breach, it's a far lower investment and far easier to manage.

What to do next?

The first thing to do is to go through the steps listed in this article and see how they apply to you, your team and your working environment. You can then either research the possible solutions yourself or you can speak to a specialist who will fast track the process for you.

The Law Society has several business partners that can help you protect your business and bring real peace of mind.

Greg Davies is the managing director of Tacet Global.

The Association of British Investigators is the UK’s leading industry trade association that represents litigation support and investigation experts. It is an exclusive partner of the Law Society and represents a wide range of members across the UK and around the world.

If you’re looking for a specialist agent in your area, visit the ABI website to search members, their services and their locations or call the secretariat on 020 8191 7500.