
LAW FIRMS AT RISK OF CYBER ATTACK WARNS BIS by Brian Miller Solicitor



The Head of Cyber Security at the Department for Business, Innovation and Skills (BIS) has warned that security breaches have reached an all-time high, with 93% of larger businesses suffering a security breach within the last year and 87% of smaller businesses being similarly affected, a jump of 76% since 2012. The breach does not always come from outside: many of these breaches are staff related.

Costs to remedy these breaches can range from a few thousand pounds to hundreds of thousands when the breach affects the reputation of the business, for instance, if it is publicised. A survey carried out by BIS showed that the cost to smaller businesses was on average between £35,000-£65,000, whilst that for large businesses ranged from £450,000-£850,000. One company in London last year was estimated to have lost £800m in revenue from a cyber attack.

Law firms are no exception when it comes to cyber attacks. In many ways, they are a greater target, as they store large amounts of sensitive information about many clients which can be of great value to competitors, particularly in an acquisition scenario. In one case in the US, a law firm acting for one party in a large piece of litigation had its servers hacked; the information obtained about that party was then sold to the other side in order to give it an advantage in the case, or even to force a compromise.

BIS advises firms to take the following steps to manage the threats from cyber attackers:
  1. Identify the organisation’s key information assets. These could be client lists, client information, financial information and so forth.
  2. Consider the impact on your organisation if critical information were compromised or online services disrupted. Obviously, these include system downtime as well as damage to reputation.
  3. Identify the threats to these information assets. These include competitors to your business, cyber criminals looking to steal information of value to sell to others, and your own employees (possibly those soon to be ex-employees), either wishing to do your organisation harm or accidentally compromising your systems.
  4. Identify how your organisation could mitigate these risks. BIS outlines various steps you can take to help safeguard your critical business information:
    1. Information risk management. Ensure you have a regime in place to check your security, as you would for any other matter affecting your business, such as regulatory or financial requirements. Make sure staff are aware of the regime and follow it.
    2. Configure your network securely. Protecting your network with effective security against both internal and external threats is critical to ensuring there are no unlawful intrusions.
    3. Manage user privileges effectively. Only let users have access on a strictly ‘need to know’ basis and nothing more.
    4. Regular training. Make sure your staff are aware of the risks and know how best to avoid or mitigate them, should a breach occur.
    5. Disaster recovery and incident management. Make sure you have a plan in place to deal with matters effectively, should the worst happen.
    6. Monitoring. Make sure you monitor your network regularly, preferably with the use of automated systems (including alerting tools). The best way to deal with an attack is to know about it as soon as it happens, not after it is too late.
    7. Lock down removable media. Do your staff really need access to the USB and other media ports (e.g. SD card slots) on their PCs? Can they access other cloud networks and leak data in and out through them? Should this be allowed?
    8. Mobile workers. These arguably present the biggest risk, as it is much harder to control the security of mobile devices, particularly if you have a BYOD (bring your own device) policy allowing staff to use their own equipment. This can only really be secured by implementing special software which ring-fences office data from personal data and also secures the device in question. It is also key to minimise the amount of storage on the mobile device, so that all business content can be controlled and secured remotely.

Ideally, observing all of the above guidelines will help keep your network secure and avoid one of the most damaging events which can beset an organisation, namely a data breach. The Information Commissioner now has the power to fine an organisation up to £500,000 for each data breach occurring.

Brian can be contacted at Stone King LLP.  For further news and information on legal topics of interest, please visit Brian's other blogs:


