Of the many fads and three letter acronyms scattering the annals of the technology odyssey, two have emerged as key components on any CIO’s top 10 list of strategic positions, namely: big data and cybercrime.
The increasing amount of client sensitive data amassed by law firms, the move to an ‘everything online’ digitalisation model and the historic relatively low cost of storage has created a huge online stockpile for law firms that has put the management of ‘big data’ firmly on the risk register of every firm.
Buying disk space is only part of the equation. Making this data safe is a critical issue, which means understanding the data and ensuring it is secured and ready to be recovered in the event of adversity. Further, retention policies need to be overlaid to ensure that when the regulator comes knocking, there is not too much or too little information buried in disks spread across your firm.
Few would disagree that the data explosion generated by every business is overwhelming; we appear as a species to be creating content at an exponential rate and that data needs to be stored, which presents a mechanical and commercial challenge. An IDC report in 2011, "Extract value from chaos" reported that the world's data is doubling every two years - growing faster than Moore's Law (Moore’s Law being the observation that transistors on integrated circuits doubles ever two years. The trend was suggested in 1965 by Gordon e. Moore who co-founded Intel). This equates to 1.8 zettabytes (1.8 trillion gigabytes), a figure which has since been upwardly revised by the IDC in 2012 to a staggering 2.8 zettabytes. In practical terms, this is the same amount of information needed to fill 57.5 billion 32GB Apple iPads and would build a 20 foot tall wall around South America!
And it shows no signs of slowing: Data comes from mobile, internet and traditional sources and people are evolving from information consumers to producers by creating their own data. Common but often ineffective coping methods include adding more hardware, pushing data transformations elsewhere, such as down into the database, or custom coding when addressing data performance problems that arise as data volumes grow.
This amount of data and its connectedness has increased the incidents of it being compromised taking us into the darker side of big data, cybercrime. The PWC 2013 Information Security Breaches survey tells us both the average number of and the costs of security breaches for large and small businesses alike have increased, with 93% of large businesses (>250 employees) surveyed having had a breach and 87% for smaller businesses. Cybercrime makes little distinction between large or small businesses.
Cybercrime is not just about businesses being under threat from fraudsters or those looking to cause heavy disruption, there are some other interesting crimes using wired and wireless access. James Lyne, the Director of Technology Strategy at Sophos told us on TED in September 2013 that with eight new users joining the internet every second and 250,000 new viruses being released daily, cybercrime is now a well organised and highly professional industry. It’s even possible to buy services to launch denial of service attacks (DDOS) on your competitor’s websites.
Google, a pillar of the technology world, has had its own data management difficulties in recent years. In 2012 it admitted that it had not deleted users' personal data gathered during surveys for its Street View service. In May 2010 it was revealed that it had scooped up about 600 gigabytes of personal data from unsecured wireless networks while gathering images and location data for Street View. The data was collected for years in 30 countries while Google compiled information for the mapping service. The Information Commissioner’s Office (ICO) is involved and this is a reminder of how data is ‘leaking’ and how readily it can be vacuumed up by those who know how.
Since November 2010 the ICO has had to serve civil monetary penalties to organisations large and small, totalling over £1.5 million, for failing to take the necessary measures to keep personal information secure. In the legal sector where reputation is a significant asset, a fine for a lack of professional diligence around confidentiality would be devastating. So what can be done
- Put in place a risk management committee to review and manage the risks. This governing body should be connected to the board. Ignore data management and security at your peril. If the regulator comes knocking there won’t be much sympathy for those showing no awareness or competence.
- Establish ownership for data protection and information security and make it responsible to the risk committee.
Put in place some simple but effective data access policies and controls to systems and key data, as well as detailing who should have access to what.
- Understand your data. Where is your business data and your client data? Design a data strategy or, at least, start with a workable retention policy which covers both paper and electronic material.
- Take advice around your IT security position to ensure you have a reasonable level of defences against external attacks and malware, as well as ensuring penetration tests on your systems are a regular event.
- Take an honest view of your capability and consider moving data and applications to a competent cloud operator. Cloud operators of substance make security a centrepiece of their proposition and commit more money to the matter than you could possibly do.
- Contact the Information Commissioner’s Office (ICO) for its guide for small and medium sized businesses. This guide shows a series of clear, practical steps to help make your IT systems safe and secure.
Richard Hodkinson is Chief Technology Officer at law firm DWF and non-executive director of Converge TS.