Peter Wright, managing director of Digital Law and author of the Law Society Cyber Security Toolkit, gives his tips for minimising the risks:
- Make security a priority, and even then don’t think it won’t happen to you. Even firms with top quality cyber capabilities aren’t invulnerable.
- Ensure that all staff are aware of your cyber security and data protection policies, with training at least annually.
- Provide regular refresher training on new threats and updated guidance on best practice. Make sure that staff are aware of the threats and how they need to modify their day-to-day behaviour.
- Include cyber security and data protection training as part of the induction process for new starters.
- Understand the trade-off between the benefits and risks of integrated systems. Can you segment systems and data to limit the impact of a breach?
- Be alert to the potential security risks from third-party software and services. Implement strict policies for selection and use.
- Ensure that all software systems and operating systems are up to date. Look out for vulnerabilities in old ‘legacy’ systems using outdated software – if necessary, prioritise investment in up-to-date IT infrastructure.
- While your law firm may want to achieve a high profile for marketing purposes, be aware that this makes you more of a target for cyber attacks.
- Make sure responsibility and accountability are clear – both within the firm and with any external suppliers.
- Document your systems and suppliers, so that you know where to look and who to involve if there’s a problem.
- Make sure you have a communication plan (including contact details) that you can use if your computer system is down.
- Make sure you have a breach response plan in place to deal with the immediate aftermath of an incident – including the need (under GDPR) to report breaches involving personal data to the regulator and the individuals affected.
If your systems are hacked, be ready to act quickly.
- Stay calm.
- Your best immediate option may be to take down the system that has been compromised until you can work out how to start putting things right.
- Work out your priorities, so that you can focus your efforts on restoring key systems.
- Notify relevant insurers, such as cyber liability or professional indemnity insurers. Many insurers will want to see any breach response notification that has to be sent to a regulator.
- If necessary, notify the police of any third-party intrusion onto the system. Obtain a crime reference number that can be included when notifying other third parties of the breach.
- If financial records have been compromised, it is crucial to notify banks and other financial service providers so that they can take the appropriate fraud prevention measures.
- Be open within the firm, so that everyone knows what has happened and how to respond to client enquiries.
- Decide what you will say to clients, including those who have and have not been affected.
- For very large scale breaches, consider issuing a press release to get your side of the story out before the news leaks anyway. Explain how the firm was doing everything required from a legal and regulatory perspective – and more – to safeguard personal, confidential and sensitive data.
- Get partner-level involvement in the recovery effort – don’t just leave it to the IT team.
- Get support from your suppliers. Consider bringing in an outside adviser.
- Find out what went wrong and address any weaknesses you find.
- Check carefully to ensure that any backups you use to restore systems and data don’t themselves include malware.