Ensuring your firm and client security

As both a business owner and a professional marketeer, I put in place measures that had a huge impact on the way data was handled and stored when the UK General Data Protection Regulation (GDPR) came into being.
Along with many of my law firm clients, I was pleasantly surprised that business didn’t stop and that client confidence actually increased.
However, the effect of COVID-19 in the workplace has thrown so many different spanners in the works.
Home working and different working patterns have made firms more vulnerable to various types of cyberattacks and breaches of data.
Before the pandemic, I couldn’t imagine that the UK workforce would be working from home, away from colleagues and customers, and relying even more on technology just to enable a business to function.
But, this adaptation of the workplace has unwittingly created an opportunity for fraudsters and hackers to exploit.
From my own experiences, there are some pretty basic rules and ways of thinking that can make your legal business more secure.
What is cybersecurity?
It’s important to look at the correlation between physical security and cybersecurity.
Often, the term cybersecurity confuses the issue. It makes people think it would not affect them, or that it is too complicated an issue for them to deal with, but in essence all the term 'cyber' really refers to is 'technology'.
We use technology in our businesses and in daily life to make things easier and more convenient. It's this technology that is vulnerable to exploitation.
When you hear the term cybersecurity, simply think of any electronic devices or systems that may be used such as mobile phones, tablets, laptops and wifi networks.
What is the cost of a cyberattack?
The cost of a cyberattack can be measured in many ways.
The financial cost alone of trying to resolve the repercussions of a cyberattack can be eye-watering.
A report by IBM showed that the cost of a single stolen record was, on average, £115. The average overall cost to a business as a result of a data breach is estimated to be a staggering £211,000.
What’s more, the same report suggested the average time taken to just identify a breach, let alone secure it, was 279 days.
Apart from the financial cost, there is also the reputational damage associated with a business not having suitable procedures in place.
This reputational damage may be impossible to express as a monetary sum, but the trust and confidence of existing clients, let alone potential ones, could take years to rebuild.
Identify the threats
There are many types of cyber threat to small legal businesses, but below are three common types of attack to look out for.
Phishing emails
Phishing is a type of blanket email sent to many email addresses with the objective of acquiring the recipient's personal details.
These emails come in various forms, from claiming to be from a trusted source to suggesting that the recipient has won a prize.
The sender intends for the recipient to click on one of the links, which may result in malware being installed onto a computer, or for them to hand over their details on the promise of some kind of return.
Spear phishing emails
This is a far more targeted form of phishing with more thought and preparation required from the sender.
An example would be someone receiving correspondence from a retailer with whom they had recently made a purchase, claiming there is an issue with payment and that the payment details need to be re-entered.
The objective is the same as a standard phishing email, but it is targeted and tailored to the recipient.
Smishing
This also has the same objectives as phishing emails except that the communication comes from a text or WhatsApp message.
Smishing is a combination of SMS (short message services – better known as texting) and phishing.
How you can reduce the risk to your firm
If simple and low-cost solutions are available to address this type of threat, why don’t people and their businesses already do it?
Mindset
Security considerations in the physical sense are now commonplace. No one would leave their home unlocked or have valuable items on show on the back seat of their car when they park in a public car park.
These considerations have been brought about by common sense, personal experience and awareness campaigns, which could be as basic as a sign in a car park saying “don’t leave valuables on display”.
When it comes to cybersecurity, it’s not so simple to grasp the same level of security considerations. But, a few pointers could help you:
- knowledge – effective cybersecurity measures, while not complicated, require you to have some basic knowledge. Don’t be afraid to seek professional advice
- systems and procedures – you need properly audited systems and procedures to be in place in order to protect your firm against any threats
- human error – even the best processes cannot completely eradicate human error: be it driven by malice, ignorance or oversight. A properly trained team and a rigorous, audited process can reduce the chances of being a victim of a hostile cyber threat
A checklist to make your firm more secure
Training
Train your staff (and yourself) in the basics of countering cyber threats. This could be done internally, after conducting thorough research, or by an outside provider.
Processes
By taking the time to map out the data points and communication channels, you can put basic and often cost-effective processes and procedures into place to ensure that all aspects of data storage and communication are made as secure as possible.
Map data
The first step in securing anything is to establish what needs to be secured and where it is. By mapping where data is held in a business, steps can then be taken to identify how best to secure it.
This will now include devices and networks outside the office, such as employees’ homes, where procedures and measures are unlikely to be in place.
Making a data map means not just identifying where data is stored but also how it is transferred and by whom.
Passwords
When securing a physical location such as at home, the locks and keys used are of paramount importance. In the cyber world, this could be equated to passwords.
The common mistake is to use an easily guessable password such as the person’s name and date of birth.
Passwords should be a mix of letters (both lower and upper case), numbers and punctuation marks. There are even online tools to help people select suitable random and secure passwords.
Maintain copies
In the event of a data breach, having backups of the data available is highly beneficial. Where those backups are stored also matters: it can help secure the business and limit its exposure.
For example, keeping offline backups decreases the risk of compromise and ensures that, if an online attack does take place, the data remains safe.
Two-factor authentication
Two-factor authentication (2FA) is an easy-to-use feature that ensures that only the right people have access to the right areas.
It works on the principle that access to a given area is only granted once two separate devices have verified the request.
For example, a secure email account would require a password on the email system, and then a code would be sent by text message to the mobile phone registered for the account. This code is then entered into the email system to gain access.
If someone were to try and access the email account without the code sent to the registered mobile, they would not be able to log in.
Encrypted email systems
There are various products available in the market, but encrypted email systems offer numerous benefits in addition to the extra layers of security they provide.
Encrypt sensitive documents
Encrypted email systems do incur an additional cost, but the cost of dealing with a security breach once it has occurred far outweighs the cost of preventing it.
If the budget is tight, consider sending documents as encrypted, password-protected PDFs. The key is then to send the password by a different channel from the document itself.
For example, all case documentation handled by Tacet Global is sent via a password-protected PDF and the password is communicated verbally over the phone or sent to the client’s mobile phone by text message or WhatsApp.
Audit
Many firms that are members of the Association of British Investigators can provide companies with physical and cybersecurity audits.
These audits typically include some level of penetration testing to see where vulnerabilities currently lie.
While this involves some financial outlay, compared with the potential costs, disruption and reputational damage a business would suffer as a result of a cyberattack or data breach, it is a smaller investment and far easier to manage.
What to do next?
The first thing to do is to go through the steps listed above and see how they apply to you, your team and your working environment.
You can then either research the possible solutions yourself or speak to a specialist who will fast track the process for you.
The Law Society has several business partners that can help you protect your business and bring real peace of mind.
Greg Davies is the managing director of Tacet Global.
The Association of British Investigators is the UK’s leading industry trade association that represents litigation support and investigation experts. It is an exclusive partner of the Law Society and represents a wide range of members across the UK and around the world.
If you’re looking for a specialist agent in your area, visit the ABI website to search members, their services and their locations or call the secretariat on 020 8191 7500.