Earlier this year the Law Gazette reported that dozens of law firms were investigated for potential data breaches by the Information Commissioner’s Office (ICO), but should we be surprised? After all, malicious data breaches are caused by criminals following the money, and given that the top 50 law firms in the UK achieved combined revenues of £13.7 billion in 2014, there is certainly a lot of it.
The Law Gazette article stood out, not just because of the surprisingly high number of investigations but also because it was published in the first place. Typically, a data breach will make headline news because it involves a large, well-known organisation, such as the recent TalkTalk incident. As a result there is a widespread misunderstanding that smaller organisations are safe from attack and have little to fear. Sadly, this could not be further from the truth.
Lack of understanding leads to vulnerability
Dr Emma Philpott of IASME (an organisation that assesses and certifies organisations against its own standard and the Cyber Essentials scheme) recently commented that, “Understanding is low among SMEs who need a reason to implement security.” If organisations are not hearing about data breaches or cyber-attacks that are hitting their industry and/or size of operation, then why would they be concerned? What is more, for those who do understand the importance of strong security, it can be a challenge to access and afford the knowledge and expertise they need.
Clearly, law firms come in all shapes and sizes, but one area of common ground is that everyone is time poor. This can and does lead to what IT security professionals would consider the most rudimentary steps being overlooked, especially at smaller firms with small or non-existent IT teams. Philpott also observes how often even the most basic security steps are being missed, such as failing to protect mobile devices, or working from home (a daily occurrence for many partners) via a router that has not had its default password changed. Law firms, like every business, should be practising secure data privacy. Storing backups in the most secure of locations can greatly decrease the risk of a data breach, and many businesses will look at safe ratings to compare the best protection for their physical documents and information.
Passwords are one of the major areas of weakness for legal firms and indeed any organisation that uses them. They place an unnecessary burden of security on those who use them and all too often it is a person that is found to be the weak link in the security chain, whether they are innocent or complicit.
Tackling the password problem
The problem with passwords is that they rely on secrecy, but if you are expected to share that secret every time you use it, then it is no longer something only you know.
To put it in simple terms: you have been invited to your Law Society Christmas Ball. You are greeted at the entrance and asked to give your name; they check it against the guest list, and then you can head straight to the Champagne. Next, someone without an invite walks to the door, uses a common name, and gets in as well. Now he is drinking free Champagne and listening in on private conversations. This is exactly how it works in the world of data breaches. However, in the digital world the perpetrator can steal the guest list and use it to access a myriad of other things.
To carry the analogy one step further, the organisers of the Ball may send out tickets that you also need to bring in order to ‘authenticate’ yourself (in IT we call this an additional layer or factor of security). However, many people will forget to bring it with them. Do you turn them away or do you trust them?
For security to be effective it needs to be very simple and convenient for the non-IT people who are using it. Passwords are neither simple (have you tried creating and remembering a so-called ‘Strong’ password?) nor effective.
Time for a new approach
One international law firm based in the UK recently announced that passwords would not feature in the future of its security and authentication procedures. Its IT Director recognised that in order to succeed it would require a carrot rather than stick approach, with the biggest carrot being the ability to free partners from ever needing to change their password again.
Meanwhile, South African law firm Webber Wentzel has implemented PINgrid from Authlogics. The IT Information Security Risk Manager, Pierre Liddle, explains: “The product meets all of our requirements, and best of all, it’s cost-effective without burdening the user with a new security bottleneck.”
The solution works by installing an app on the user’s mobile device. The app displays a six-by-six number grid in which the digits randomly change every minute. Looking at the grid, the user sets a pattern that they will easily remember. Now, when they need to log in, they simply look at the grid and type the numbers that fall on their pattern into the challenge box presented on their desktop PC or laptop. This is called two-factor authentication.
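The grid-and-pattern login described above can be modelled in a few lines to show why a code read from the grid is only useful for one minute and one login. This is an added example, not Authlogics' code or PINgrid's actual algorithm: the shared seed, the HMAC-SHA256 derivation of the grid, the server knowing the user's pattern, and the names `grid_for`, `code_from_pattern` and `verify` are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

GRID_SIDE = 6       # six-by-six grid, as the article describes
STEP_SECONDS = 60   # digits change every minute, as the article describes

def grid_for(seed: bytes, unix_time: int) -> list[list[int]]:
    """Digits shown for the minute containing unix_time (assumed derivation)."""
    step = struct.pack(">Q", unix_time // STEP_SECONDS)
    digits: list[int] = []
    block = 0
    while len(digits) < GRID_SIDE * GRID_SIDE:
        chunk = hmac.new(seed, step + struct.pack(">I", block), hashlib.sha256).digest()
        # Drop bytes 250-255 so that byte % 10 is uniform over 0-9.
        digits.extend(b % 10 for b in chunk if b < 250)
        block += 1
    return [digits[r * GRID_SIDE:(r + 1) * GRID_SIDE] for r in range(GRID_SIDE)]

def code_from_pattern(grid, pattern):
    """Read off the digits in the cells of the user's memorised pattern."""
    return "".join(str(grid[row][col]) for row, col in pattern)

def verify(seed, pattern, submitted, unix_time, used_steps):
    """Server-side check (assumed design); each minute's code works once."""
    step = unix_time // STEP_SECONDS
    if step in used_steps:          # code for this minute was already used
        return False
    expected = code_from_pattern(grid_for(seed, unix_time), pattern)
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    used_steps.add(step)
    return True

# Constructed sample values, for illustration only.
DEMO_SEED = b"constructed-demo-seed"
DEMO_PATTERN = [(0, 0), (1, 1), (2, 2), (3, 3)]  # a diagonal, as (row, col)

if __name__ == "__main__":
    now = 1_700_000_000
    grid = grid_for(DEMO_SEED, now)
    for row in grid:
        print(" ".join(map(str, row)))
    code = code_from_pattern(grid, DEMO_PATTERN)
    seen: set[int] = set()
    print("code:", code)
    print("first use:", verify(DEMO_SEED, DEMO_PATTERN, code, now, seen))
    print("replay:   ", verify(DEMO_SEED, DEMO_PATTERN, code, now, seen))
```

The pattern itself never crosses the network in this model; only the digits it selects do, and they are rejected on a second use.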
Now, in our scenario at the Ball the guest has their invitation on their phone and they can authenticate themselves at the door by sharing a code that only they could know at that exact moment in time.
“Of all the products we looked at, this was the only one where we knew we’d be happy to use it to provide access to sensitive client documents and information,” adds Liddle.
Your firm may not be one of those investigated by the ICO, but if you are not taking the right precautions you are at risk of a data breach. For an industry that relies so heavily on confidentiality, hard-earned reputation and credibility, the repercussions can have a lasting impact.
You are not expected to be IT security experts, but it is vital to understand that there are risks and that you need to mitigate your vulnerability to them. Organisations such as IASME and the Cyber Essentials scheme can help to provide the education, and organisations such as Authlogics can deliver the solutions that every legal firm needs to keep its organisation, employees and clients secure.