Cyber risk (including data theft) has become one of the fastest-growing threats to businesses of any size, from small firms right up to big multinationals – government figures in May 2016 found 65% of large firms detected a cyber-security breach or attack in the past year (Ipsos Mori, Cyber Security Breaches Survey, May 2016).
Working away from the office (remote working) adds a further layer of cyber risk, with many smaller law firms unaware of the threats they face, including: loss or theft of personal data through misplaced or stolen IT equipment; loss or theft of commercially sensitive information; and vulnerability to malicious attacks through the use of public Wi-Fi.
Develop a remote working policy
As a legal professional, it is likely that you will hold information on clients or customers, including names and addresses as well as legal case details. When working away from the office it’s important to protect this information and your business systems. Top of every law firm’s list should be the development of a remote working policy to cover off the following areas:
What data can be accessed by employees away from the office?
A first step should be understanding how sensitive the remotely accessible information is, and how this data can be managed in accordance with, for example, any contractual requirements.
Has it been classified into confidential/restricted data?
Some data will be confidential – sensitive client information for example – which could expose your law firm (and your clients) to financial and reputational damage if lost; while other data might be restricted or for internal use and, while less sensitive, could still cause reputational damage if lost or compromised.
What devices are allowed to connect to networks?
The range of different devices – smart phones, laptops, tablets – that can be used to connect to networks remotely should be assessed and precautions taken, such as the use of anti-spyware, regular system updates, screen locks set to activate after periods of inactivity, and adequate password protection. A further precaution is the use of ‘dual factor authentication’, which requires two different components, for example a password plus fingerprint identification or a USB stick with a token.
Can IT departments remotely wipe devices that are lost?
A laptop/tablet goes missing – is the storage area protected by encryption technology? Also, can that information be wiped remotely to prevent any loss of sensitive data?
Do employees understand the policy?
Employee training is also key to making sure everyone is aware of the policy and of the requirements around accessing data remotely. Regular training and awareness-raising among staff should take place, and staff should always be kept up to date on any changes to company policy.
If the worst happens?
Despite taking these precautions, if your law firm should suffer a cyber attack, Hiscox Cyber and Data Risks Insurance can protect your business should the worst happen. To find out more about how Hiscox Cyber and Data Risks Insurance can protect you, visit www.hiscox.co.uk/lawsociety or call 0800 840 2781. Law Society members save 5%.
Matthew Webb is Head of technology, cyber and data, at Hiscox UK & Ireland