Back to Blog

Why external cybercriminals aren’t your biggest cyber problem

Post by |

Cybercriminals

When we think of 'cybercriminals' we conjure up images of shadowy figures, cloaked in darkness spending countless hours trying to breach security firewalls and IT systems. If this is your view, then you're most likely thinking "Why would cybercriminals target me?" or "It'll never happen to me." If this was the only risk, I might agree with you. However...

External threat Vs Insider threat

We need to remember that the word 'cyber' has very little real meaning, but generally is accepted to mean 'digital system'. So this includes mobile phones, tablets, laptops, PC's, Macs, Servers, 'Cloud' etc. So a 'cybercriminal' is someone who uses 'digital' to do you harm.

Whilst Hollywood would have us believe the only threat is from external hackers, you are in fact far more likely to have data stolen by an employee. This is the 'Insider Threat'. This is the person you employed, that you trust to use your systems to help you and your practice. But what happens when they leave, taking your entire case management system with them? Or take your Client list? Or information about a merger?

Malicious Vs Accidental

I'm not saying that ALL employees will eventually 'go rogue', because they won't. But we all have bad days too. How many of us have emailed a document to the wrong email address? I personally once received a confidential email meant for the person I was in dispute with, which was great for me but not so good for the other party. 52% of Data breaches are caused by human error, and these breaches can land you in hot water both with the SRA and the ICO but also with your clients.

So what should you do?

The key thing to remember is that you can suffer a data breach from both external AND internal players. Once you recognise this, you can start to build a plan to address the risks.

  • Write an 'Acceptable Use Policy' which covers Email, Internet, System and Social Media use
  • Have an induction/training programme that includes acceptable use of your systems
  • To prevent 'Malware' gaining access to your systems, train your staff to be on the lookout for 'suspicious' emails & "Think Before You Click"
  • Ensure everyone has their own login and password for your Case Management System (so that you have audit trails)
  • Speak to your IT department and ask how you can restrict the use of USB ports on your systems. Unless USB memory sticks are necessary for your practice, they can be used to drain all your systems of confidential information and large quantities of data
  • Change 'Admin' or 'privileged' passwords on a routine basis or if someone leaves who has access to them
  • Have a process to remove access to your systems once someone leaves the practice
  • Develop an Incident and Data Breach response plan. Think about what you would do, who you would call and write it down.
  • Develop a culture of openness. If someone makes a mistake and there is a data breach, you need to respond promptly so encourage people to escalate any issues quickly.

If we continue to think of cybercriminals as shadowy strangers in strange lands, trying to steal from us, we will always think "It'll never happen to me". But you might be missing that member of your Practice who has just downloaded the contents of your case management system, just before handing in their notice. Or that tired paralegal who just emailed personal medical records to the wrong person.

About the Author:


Gary Hibberd was appointed as Managing Director of Agenci back in 2012. Gary’s passion for all things cyber was sparked in 1985 when he began his as a programmer. As a result of that passion Gary went on to become a renowned expert on ISO 27001 and GDRP. Today, Gary is a passionate practitioner and regular speaker on cyber security.

Gary speaks across the Globe to both large and small business as well as private and public organisations. He loves to engage the next generation of cyber experts speaking in schools, colleges and universities. As part of his busy life Gary has authored books on cyber security and business continuity as well as contributing to government initiatives on cyber security and counter terrorism. If that wasn’t enough in his personal life Gary is an avid obstacle race participant and fitness fanatic. Gary can count the Worlds Longest Obstacle race amongst his many personal achievements.

| See all our contributors
Back to Blog