When we think of 'cybercriminals' we conjure up images of shadowy figures, cloaked in darkness, spending countless hours trying to breach security firewalls and IT systems. If this is your view, then you're most likely thinking "Why would cybercriminals target me?" or "It'll never happen to me." If this were the only risk, I might agree with you. However...
External threat vs insider threat
We need to remember that the word 'cyber' has very little real meaning, but is generally accepted to mean 'digital system'. So this includes mobile phones, tablets, laptops, PCs, Macs, servers, 'cloud' etc. So a 'cybercriminal' is someone who uses 'digital' to do you harm.
Whilst Hollywood would have us believe the only threat is from external hackers, you are in fact far more likely to have data stolen by an employee. This is the 'insider threat'. This is the person you employed, whom you trust to use your systems to help you and your practice. But what happens when they leave, taking your entire case management system with them? Or take your client list? Or information about a merger?
Malicious vs accidental
I'm not saying that ALL employees will eventually 'go rogue', because they won't. But we all have bad days too. How many of us have emailed a document to the wrong email address? I personally once received a confidential email meant for the person I was in dispute with, which was great for me but not so good for the other party. 52% of data breaches are caused by human error, and these breaches can land you in hot water not only with the SRA and the ICO but also with your clients.
So what should you do?
The key thing to remember is that you can suffer a data breach from both external AND internal players. Once you recognise this, you can start to build a plan to address the risks.
- Write an 'Acceptable Use Policy' which covers Email, Internet, System and Social Media use
- Have an induction/training programme that includes acceptable use of your systems
- To prevent 'Malware' gaining access to your systems, train your staff to be on the lookout for 'suspicious' emails & "Think Before You Click"
- Ensure everyone has their own login and password for your case management system (so that you have audit trails)
- Speak to your IT department and ask how you can restrict the use of USB ports on your systems. Unless USB memory sticks are necessary for your practice, they can be used to drain your systems of confidential information and large quantities of data
- Change 'Admin' or 'privileged' passwords on a routine basis or if someone leaves who has access to them
- Have a process to remove access to your systems once someone leaves the practice
- Develop an incident and data breach response plan. Think about what you would do and who you would call, and write it down.
- Develop a culture of openness. If someone makes a mistake and there is a data breach, you need to respond promptly, so encourage people to escalate any issues quickly.
If we continue to think of cybercriminals as shadowy strangers in strange lands, trying to steal from us, we will always think "It'll never happen to me". But you might be missing that member of your practice who has just downloaded the contents of your case management system, just before handing in their notice. Or that tired paralegal who has just emailed personal medical records to the wrong person.