Law firms hold a wealth of sensitive information. This blog highlights five risk areas for firms when it comes to ensuring that IT systems are secure enough to protect data and comply with the GDPR.
1. A relaxed attitude to security
If your firm is growing, opening new offices or acquiring firms, IT can become cumbersome to manage as you scale and merge systems. It could be a missed software update that causes your data to be stolen and systems to be down for days.
You should have security policies in place to ensure you’re on top of patching and diarise regular system penetration tests. You should also commission a third party review of your infrastructure. Often, many of the security issues identified by this type of audit will be simple to fix, but catastrophic if discovered by a hacker.
2. Lack of protection against cyber attacks
The frequency of attacks is increasing and most are launched via malicious email attachments and websites.
The first step is to make sure your employees know about ransomware and can recognise the signs of a phishing email. But employees cannot be solely responsible. Your firm should take advantage of the latest email security and web filtering technology. These tools are easy to implement and will immediately minimise the risk.
3. A non-existent password policy
Policies that force users to change their password frequently are common, but you’ll often find that people choose something easy to memorise and simply change one digit each time. This creates a problem as weak passwords provide an easy route into your IT systems. However, keeping the same password forever isn’t a good strategy either.
Despite the risk, we still recommend that users change their passwords regularly. Many firms add a further layer of protection via Two-Factor Authentication (2FA) to verify the identity of users when they log on. You should consider this if your users work remotely.
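The "change one digit" habit described above can be caught at password-change time. The following is an added example, not code from the original post: a small Python check, with constructed sample passwords and a hypothetical `check_new_password` function, that rejects a new password when it is just the previous one with a trailing number or symbol altered, or when it is otherwise too close to the old one. The similarity threshold and minimum length are assumptions to be tuned to the firm's own policy.

```python
import re
from difflib import SequenceMatcher

# Trailing run of digits and common punctuation, e.g. the "2023!" in "Winter2023!".
_TRAILING_SUFFIX = re.compile(r"[\d!@#$%^&*]+$")


def _stem(password: str) -> str:
    """Lower-case the password and strip the trailing digits/symbols that users
    typically increment each quarter, leaving the memorable 'stem'."""
    return _TRAILING_SUFFIX.sub("", password.lower())


def is_trivial_variation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is only a cosmetic rewrite of `old`.

    Two checks: identical stems (Winter2023! -> Winter2024!), or a high
    character-level similarity ratio (assumed threshold: 0.8)."""
    old_stem, new_stem = _stem(old), _stem(new)
    if old_stem and old_stem == new_stem:
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold


def check_new_password(old: str, new: str, min_length: int = 12) -> list[str]:
    """Return a list of policy problems with the proposed password (empty = accept).

    min_length of 12 is an assumed policy value, not one stated on the page."""
    problems = []
    if len(new) < min_length:
        problems.append("too short")
    if is_trivial_variation(old, new):
        problems.append("too similar to previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample changes a user might attempt.
    for old, new in [("Winter2023!", "Winter2024!"),
                     ("Winter2023!", "correct-horse-battery-staple")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```

Rejecting near-duplicates removes the main incentive problem with forced rotation (users rotating a single digit); the check is deliberately stricter than a bare length rule because the stem comparison catches the pattern even when the two strings differ in several trailing characters.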
4. Out of date software
Once your case management, practice management or operating system reaches End of Life (EOL), it’s no longer receiving critical security patches. This puts your firm at risk because unsupported environments allow hackers to easily exploit vulnerabilities.
You should be familiar with your hardware and software providers’ retirement calendars, and upcoming EOL products should be highlighted to your management team as a risk. Larger firms typically appoint a consultant to support the transition to new software, as there are many stages to implementation and newer software often requires more IT resources and a different setup.
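Tracking retirement calendars is easier when the inventory is written down and checked automatically. The following is an added example, not code from the original post or from any vendor: a Python report over a constructed software inventory that flags each product as already unsupported, approaching EOL within a warning window, or fine. The product names and EOL dates are placeholders, and the one-year warning window is an assumption; a firm would substitute its own inventory and its suppliers' published dates.

```python
from datetime import date

# Constructed inventory. Names and dates are placeholders, not real vendor EOL dates.
INVENTORY = [
    {"name": "Example practice management suite v3", "eol": date(2023, 12, 31)},
    {"name": "Example case management system v7", "eol": date(2024, 6, 30)},
    {"name": "Example desktop operating system", "eol": date(2026, 1, 1)},
]

UNSUPPORTED = "UNSUPPORTED"   # EOL date has passed: no security patches are being issued
EOL_SOON = "EOL_SOON"         # inside the warning window: raise with management now
OK = "OK"


def classify(eol: date, today: date, warn_days: int = 365) -> str:
    """Classify a product by how far its EOL date is from `today`.

    warn_days defaults to one year (an assumed planning horizon)."""
    days_left = (eol - today).days
    if days_left < 0:
        return UNSUPPORTED
    if days_left <= warn_days:
        return EOL_SOON
    return OK


def eol_report(inventory: list[dict], today: date, warn_days: int = 365) -> list[tuple]:
    """Return (name, status, days_left) for every product, most urgent first."""
    rows = []
    for item in inventory:
        days_left = (item["eol"] - today).days
        rows.append((item["name"], classify(item["eol"], today, warn_days), days_left))
    return sorted(rows, key=lambda row: row[2])


def risk_items(inventory: list[dict], today: date, warn_days: int = 365) -> list[str]:
    """Names of products that belong on the management risk register."""
    return [name for name, status, _ in eol_report(inventory, today, warn_days)
            if status != OK]


if __name__ == "__main__":
    for name, status, days_left in eol_report(INVENTORY, date.today()):
        print(f"{status:<12} {days_left:>6} days  {name}")
```

Running the report from a scheduled job and forwarding anything not marked `OK` to the management risk register turns the advice above into a repeatable control rather than something remembered at renewal time.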
5. A weak disaster recovery plan
Your firm will be completing regular backups, but restoring from them may take days or weeks. Disaster recovery enables you to fail over immediately to a secondary environment that’s capable of sustaining your business continuity. Your disaster recovery plan doesn’t just refer to the technology you’re using, but also to your ability to prove it’s working.
The only way to identify flaws is to robustly test so you know how long it takes to get your firm back up and running in the event of a disruption. If you cannot recover all of your data, or you can’t do it quickly enough, you may be able to fix the issue, or you may need to look at other technologies.
There are many steps to making IT systems secure and hopefully this blog has given you an indication of where to start.