Stress test
What technical security measures should solicitors’ practices put in place to minimise their risk of suffering a cybersecurity attack – and to mitigate the effect of any attack? Tanya Moeller, Nicola Kiely and Deborah Leonard get testing.
In our first article, ‘Attack mode’ (last issue, p24), we introduced the concept of cybercrime and how important it is for employees to understand that human behaviour is key to keeping firms safe.
Technical measures complement such essential organisational awareness and prevention. In fact, article 32 of the GDPR requires both “appropriate technical and organisational measures to ensure a level of security appropriate to the risk” to personal data.
So, what type of technical measures are most relevant for practices?
Let’s get physical
Many people forget about physical IT security measures. These can include physical access restrictions to IT assets, such as securing windows and doors appropriately, installing CCTV, or securing laptops overnight with a cable lock.
Retired devices should have their storage securely wiped or physically destroyed if files are stored on the hard drive (see below, ‘Share it’). Firms should consider maintaining a log of work laptops and work-related mobile devices, and appointing an employee to maintain and control this log.
On the road again
Public Wi-Fi networks are typically shared with strangers and often unencrypted, so a hacker on the same network can intercept your traffic or attempt to push malware to your computer. A Wi-Fi network protected by a weak or widely known password carries a similar risk. (For more information on strong passwords, see last month’s article.)
If the staff of your law firm frequently work outside the office or their home, you should consider using a ‘virtual private network’ (VPN), ideally in combination with a mobile hotspot.
A VPN routes your internet traffic through an encrypted tunnel to a server operated by your firm or by the VPN provider. On public Wi-Fi, other users of the network, and whoever runs it, then see only encrypted traffic to the VPN server, not the sites you visit or the data you send. The VPN provider itself can see that traffic, however, so it should be chosen with the same care as any other vendor (see below, ‘She sells sanctuary’).
VPNs are not as complex to set up as they sound – there are software providers who specialise in this.
Mobile hotspots enable your laptop to connect to the internet using your mobile-phone network. This is a safer way to access the internet when working on the road, as the hotspot is protected by a password (see network settings in your mobile-phone main menu) and the mobile link itself is encrypted. It is, however, dependent on your mobile-phone provider’s network speed and data allowance.
Privacy screens are thin sheets of plastic that adhere to the monitor of your laptop. These should be used to obscure the monitor.
When you are travelling on public transport or working in a crowded room, the person looking over your shoulder will not be able to view your information from an angle.
All devices should automatically lock if unused for a short period of time. You can change that in your laptop settings; make this an office-wide requirement, ideally enforced centrally rather than left to each user.
It is important to understand how apps are used on mobile-phone devices. For example, if the office uses Microsoft Outlook as a SaaS (‘software as a service’) application in the cloud, a mobile version of Outlook can be downloaded and used by employees on the go, which means client email and attachments end up on a device the firm does not control.
For that reason, the use of personal devices for work purposes should be controlled, and some organisations create a ‘bring your own device’ policy. Work information should be deleted from such a device at the end of employment. As that may not always be possible, some organisations issue work mobile phones to maintain clear boundaries.
Share it
Storing files on a local hard drive or using USB sticks or portable electronic storage devices should be discouraged, as they can be easily accessed, lost, or stolen, and they can carry infected files into the office.
If you must allow such practices, consider reducing your risk by using strong, up-to-date anti-virus software, and encrypting your hard drive and information on portable electronic devices.
However, it is the norm nowadays that information is shared using cloud-based software, such as central case-management systems, Microsoft 365, or Google Workspace. These all allow staff to access, edit, and share files remotely because the information is stored in the cloud (that is, on the provider’s servers).
Storing files on your software provider’s servers is convenient, enjoys industry-leading availability levels, protects against loss of data (due to continuous backups), and is generally well secured. It nevertheless carries its own risks, chiefly the dependence on a third party (see below, ‘She sells sanctuary’).
It is possible to use such software on an ‘on-premises’ basis and create your own, firm-internal cloud, but that requires your firm to operate its own servers and internal network, which carries its own risk and operational complexity.
As part of overall device management, firms should consider how they are passing equipment between their employees. Passing equipment between employees can often lead to unintentional data breaches if residual files of the former employee remain on the device and are accessed by the new employee.
Firms are advised to use an appropriate partner when re-using electronic equipment, so that the device is properly wiped before it is handed on.
If a firm retires equipment instead of passing it between staff, it is necessary to retain the services of a professional data-destruction service.
This avoids breach of confidentiality and data protection if an unauthorised third party accesses firm files on electronic devices. In addition, it minimises the firm’s digital footprint to only what is absolutely necessary. This, in turn, helps to avoid unnecessary risk associated with excessive information retention.
Out of control
Staff access to files should be centrally controlled and limited to what is strictly necessary for each person’s role.
Equally, at the end of the employment, cloud-based access should no longer be possible and all devices should be returned, using your device log (see above).
Implementing these measures also improves your data-protection compliance, as any personal data should be processed only on a minimal (need-to-know) basis, and unauthorised access to information beyond the end of employment can result in a reportable data breach.
Also, any malicious actor who is impersonating an employee, for example with stolen credentials, can reach only what that employee could reach, so limited access limits the damage.
Another brick in the wall
Firewalls screen network traffic based on a set of security rules. They act as a barrier between your device or office network and the internet, blocking connections that the rules do not allow and so protecting against unauthorised access by an outsider.
Modern operating systems ship with a built-in firewall, and security-software and network-equipment vendors supply others; all issue regular updates to keep them effective. Many firewalls can be centrally managed by an administrator, so that the same rules and the latest version are enforced on every device.
Virus
Antivirus, or anti-malware, software works by detecting and deleting malicious software, such as viruses, ransomware, or Trojans (see previous article). Some products also include protection from phishing and malicious URLs.
Antivirus software runs in the background to check every file as it is opened, whether executable files (‘EXE’, which run a program), zip archives (which compress files), or documents such as Word or Excel files (which can contain malicious macros). This is often referred to as ‘real-time protection’.
It is not a good idea to use antivirus software that does not scan on this continuous basis because, once your system is infected, it will be much harder to remove the virus. In the HSE breach of 2021, for example, the HSE monitored computers for viruses during daytime hours only.
Real-time protection also reduces the need to run full-system scans (although these remain useful on computers with legacy files, or on repaired computers that may still contain hidden malware).
Encrypted
Even if your firm is cloud-based and you prohibit the storing of files on hard drives for security, file management, and business-continuity purposes, it is recommended that hard drives are encrypted ‘at rest’, in case a device does get stolen and information was saved by a user on a hard drive, contrary to policy.
The loss of a hard drive that is not encrypted ‘at rest’ may constitute a notifiable data breach.
In addition, files need to be encrypted in transit when shared over the internet. Large providers such as Microsoft 365 and Google Workspace encrypt email and files in transit between your device and their servers by default; encrypting the content of a message all the way to a recipient outside the platform is a separate feature that may need to be enabled and configured.
There are alternative encryption software providers on the market, and you should consult an IT professional for advice on how encryption software would complement your cybersecurity set-up in your law firm.
Update
Electronic devices should be updated regularly, as updates often include patches for identified vulnerabilities that attackers are already exploiting. This includes mobile-phone devices, apps on mobile phones, software installed on the computer, and the computer operating system itself.
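As an added illustration (not from the original article), the following PowerShell script checks a Windows laptop against several of the baseline settings discussed above: auto-lock (‘On the road again’), the firewall (‘Another brick in the wall’), real-time antivirus protection (‘Virus’), encryption at rest (‘Encrypted’) and patch currency (‘Update’). It assumes Windows 10 or 11 Pro or Enterprise with Microsoft Defender and BitLocker, run in an elevated PowerShell session; the thresholds (a 10-minute lock timeout, signatures no older than a week, at least one update in the last 30 days) are assumptions that a firm should replace with its own policy.

```powershell
# Added example: baseline audit of a Windows laptop against the controls in this article.
# Assumptions (not from the article): Windows 10/11 Pro or Enterprise, Microsoft Defender,
# BitLocker available, run from an elevated PowerShell session. Thresholds are illustrative.
$MaxLockTimeoutSeconds = 600    # assumed policy: lock after 10 minutes idle
$MaxSignatureAgeDays   = 7      # assumed policy: antivirus signatures no older than a week
$MaxPatchAgeDays       = 30     # assumed policy: at least one update in the last 30 days

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# 1. Auto-lock: screen saver active, password-protected, and timeout within policy
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$timeout = [int]($desktop.ScreenSaveTimeOut)
$lockOk  = ($desktop.ScreenSaveActive -eq '1') -and ($desktop.ScreenSaverIsSecure -eq '1') -and
           ($timeout -gt 0) -and ($timeout -le $MaxLockTimeoutSeconds)
Add-Check 'Auto-lock when idle' $lockOk "active=$($desktop.ScreenSaveActive) secure=$($desktop.ScreenSaverIsSecure) timeout=${timeout}s"

# 2. Firewall: every profile (Domain, Private, Public) must be enabled
$profiles = Get-NetFirewallProfile
$fwOk = -not ($profiles | Where-Object { -not $_.Enabled })
Add-Check 'Firewall enabled on all profiles' $fwOk (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')

# 3. Antivirus: real-time protection on and signatures recent
$mp = Get-MpComputerStatus
$sigAgeDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
$avOk = $mp.RealTimeProtectionEnabled -and $mp.AntivirusEnabled -and ($sigAgeDays -le $MaxSignatureAgeDays)
Add-Check 'Real-time antivirus protection' $avOk "realtime=$($mp.RealTimeProtectionEnabled) signatureAgeDays=$sigAgeDays"

# 4. Encryption at rest: BitLocker protection on and the system drive fully encrypted
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
$blOk = ($bl.ProtectionStatus -eq 'On') -and ($bl.VolumeStatus -eq 'FullyEncrypted')
Add-Check 'System drive encrypted at rest' $blOk "protection=$($bl.ProtectionStatus) status=$($bl.VolumeStatus)"

# 5. Updates: the most recently installed hotfix must be within the policy age
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $patchAgeDays = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    Add-Check 'Recently patched' ($patchAgeDays -le $MaxPatchAgeDays) "$($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
} else {
    Add-Check 'Recently patched' $false 'no installed hotfix with a date was found'
}

# Print the table and return a non-zero exit code if anything failed, so the
# result can be collected centrally (for example from a scheduled task).
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Save this as a .ps1 file and run it from an elevated PowerShell window. The settings themselves are best pushed out centrally (for example through Group Policy or a mobile-device-management tool); the script’s value is that it reports what is actually in effect on each laptop, which is what a firm needs to evidence when asked how its devices are protected.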
She sells sanctuary
The above examples show that robust file management and technical-security measures rely on a suite of specialised service providers. Due to their software-as-a-service business model, these can be large global companies that may not be in a position to individually create a bespoke product.
Service contracts must comply with applicable legal requirements, including data-protection laws. Further information can be found, for example, on the website of the Data Protection Commission.
Law firms should evaluate the extent to which the use of a third-party service provider poses a risk to their information. Some cloud-based vendors are better at reducing this risk than others, and any residual risk is commonly accepted. However, it remains necessary to evaluate vendors on a case-by-case basis.
Important questions to ask include:
- Which security measures are in place?
- Is the risk tolerable, bearing in mind the information shared with this vendor?
- What security incident notification timelines exist?
- What encryption functionalities exist?
Some service providers allow you to create a special encrypted space within their cloud.
An alternative is that you use an organisation-wide pseudonymisation system for extremely sensitive clients, such as code names (as is already done in M&A transactions).
However, this is not possible when you record conversations with individuals over cloud-based video communications software, if the vendor stores recordings in its own cloud. Mobile telephone data can also be accessed (but watch developments in this space).
You should always research each provider carefully as, logically, no third-party provider will provide you with full protection. This brings us to the final point in this article – the fact that no security can ever be 100% means that you will need to carry out ongoing risk assessments.
Risk
Carrying out a risk assessment is an essential ingredient when considering the extent to which you wish to invest and implement technical security measures.
No security measure operates in a vacuum: any security measure must be evaluated in the context of the risk it is intended to reduce – either through prevention (before the fact) or mitigation (after the fact).
This leads to the question: how do you implement and carry out such a risk assessment? Do you identify vulnerabilities, and do you have a plan in place to respond to a cybersecurity attack?
While some law firms obtain ISO 27001 certification, certification itself is not necessary in order to implement and follow responsible information-governance principles. We will discuss risk assessment, insurance, and security breaches in the next article of this series.
Tanya Moeller is in-house counsel with ServiceNow and vice-chair of the Law Society’s Technology Committee. Nicola Kiely is a partner in Comyn Kelleher Tobin LLP and a member of the Technology Committee. Deborah Leonard is secretary to the Conveyancing Committee.
Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland