There are lessons to be learnt for law firms following the sorry tales of the MumsNet and Ashley Madison hacks, explains Andrew Taylor, Technical Director at Converge TS
To improve security and prevent another hack, MumsNet upgraded its site security and forced all of its 7.7 million members to reset their passwords, using more complex passwords than they had in the past. For Ashley Madison’s 33 million members, the impact of the hack was catastrophic, as members had hard questions to answer from spouses and families, and from employers where they had used work emails to register their account. An additional issue came as it appeared that some of those listed in the membership list had never used the site and so wanted to know how their details got there.
Both are very different sites, serving different purposes, but both have suffered security and reputational damage, with hard work ahead to win back the confidence of their users in the future. Cybercrime makes little distinction between large and small businesses, or the type of industry or sector it targets. The legal sector is no different.
Minimising breach potential
Law firms hold a mass of client data and, with more firms offering client services online – and often through interactive websites – what actions should firms take to prevent a hacker accessing their site and redirecting clients elsewhere? How can firms ensure client data is protected, and what can be done to minimise the potential for a data breach?
The top two items on a chief information officer’s list of strategic priorities are big data and cybercrime. The increasing amount of sensitive client data amassed by firms, the move to an everything-online digital model, and the historically low cost of storage have created a huge online stockpile for firms, putting the management of big data firmly on the risk register of every firm.
Buying disk space is only part of the equation. Making this data safe is a critical issue, which means understanding the data and ensuring it is secure. Further, best practice policies in relation to security need to be overlaid to ensure that, when the regulator comes knocking, there is not too much or too little information buried in disks spread across your firm.
Cybercrime is not just about businesses being under threat from fraudsters or those looking to cause heavy disruption; there are other interesting crimes using wired and wireless access. With eight new users joining the internet every second and 250,000 new viruses released daily, cybercrime is now a well-organised and highly professional industry. It’s even possible to buy services to launch denial of service (DoS) attacks on competitors’ websites, which is also what happened to MumsNet. A DoS attack renders a network unavailable by ‘flooding’ it with useless traffic.
The Information Commissioner’s Office serves civil monetary penalties on organisations, large and small, for failing to take the necessary measures to keep personal information secure. In the legal sector, where reputation is a significant asset, a fine for a lack of professional diligence around confidentiality would be devastating. So, what can be done? Here are a few handy tips:
- Put in place a risk management committee to review and manage the risks. This governing body should be connected to the board. Ignore data management and security at your peril;
- Establish ownership for data protection and information security;
- Put in place some simple but effective data access policies and controls for systems and key data, as well as detailing who should have access to what;
- Understand your data. Where is your business data and your client data? Design a data strategy or, at least, start with a workable retention policy which covers both paper and electronic material;
- Ensure password policies are implemented across the business;
- Train staff to be aware of potential threats, including bogus emails and suspicious requests for information;
- Take advice from a specialist and review your IT security position to ensure you have a reasonable level of defences against external attacks and malware, as well as ensuring penetration tests on your systems are a regular event;
- Take an honest view of your capability and consider moving data and applications to a secure hosted environment.
Further reading: Could your firm recover from a breach?