The final event in the current series of UKLTA (www.uklta.org.uk) online forums took place yesterday, where our expert panel shared their top tips for information and cyber security, considering how practices have adapted during lockdown and how technology can help.
Chaired by Heather Anson (Anson Evaluate), our panellists Peter Wright (Digital Law UK), Jen Williams (Lawyer Checker) and David Baskerville (Baskerville Drummond) provided clear and practical advice on what firms can do to help protect themselves from cyber and information security threats.
The recording of the event is available online for the next seven days – so catch it while you can!
Some of the key points of the wide-ranging discussion included:
- The likelihood is that your firm will suffer a cyber attack at some point, so having a plan in place to handle the attack when it comes is critical.
- Cyber security has to work for your business and it has to work for your staff too.
- More can be done to educate staff on the risks of cyber and information security.
- Whilst we can put technology in place to try and shield staff from certain dangers (such as clicking dodgy links in emails), it is no replacement for training your team about the risks, as well as adopting a culture where they are happy to question something that doesn’t look right.
- IT teams should be included in any cyber training. Being familiar with IT does not automatically mean a familiarity with the cyber risks facing your firm. IT is a very broad subject – IT professionals aren’t experts at everything and cybersecurity is a very niche area.
- Technology can be helpful in preventing security breaches; however, it will only add value if you have already reviewed your internal processes to ensure they are as good as they can be from a security perspective.
On a practical level, our panel advised firms to:
- Implement Two Factor Authentication (2FA) for logging into systems.
- Ensure that user accounts/access for people who have moved on from your business have been removed.
- Make sure that operating systems are regularly updated and patched.
- Ensure staff aren’t sharing passwords or writing them on post-it notes.
- Ask staff to log off from their computer at the end of the day so your IT team can push updates, and ensure other devices (mobiles, laptops etc.) are also kept updated.
- Ensure that any personal devices used to access work systems are regularly updated too.
- Migrate from legacy software as soon as possible (for example, if you are still using Windows 7, the platform is no longer updated by Microsoft, so you should migrate to Windows 10).
- Be aware of the potential security risk of working from home: the panel highlighted that a recent study showed wide-ranging vulnerabilities in home routers (the devices that connect you to the internet from your household).
- Make sure you have a Disaster Recovery plan, that it covers cyber threats, and that it’s regularly tested and updated as necessary.
- If you do suffer a cyber attack, don’t rush to get back to business as usual. Take time to gather experts around you to help identify what has happened and agree on the next course of action. Nominate someone whose only responsibility will be to keep a record of what actions were taken and when, as you will likely need to refer back to it once the suspected incident is over. Only go back online when you are absolutely sure you have identified the cause of the problem and fixed it, otherwise you may just suffer from another attack.
There are plenty of resources available for firms wishing to review and improve their cybersecurity, including:
- Today’s Legal Cyber Risk provides news and information on the latest cyber threats.
- Baskerville Drummond has practical tips on cyber security, Digital Law UK provides five tips for more secure remote working, and Anson Evaluate has a recent blog post, Cyber Security and Phishing, including specific threats relating to the pandemic.
- The National Cyber Security Centre (NCSC) Exercise in a Box helps organisations find out how resilient they are to cyber attacks and practise their response in a safe environment.
- The NCSC also produces a weekly threat report and resources including a small business guide, ten steps to cybersecurity and cyber security staff training, and addresses specific threats related to the coronavirus pandemic.
- The Law Society England and Wales provides guidance on cybersecurity for solicitors as well as a Cyber Security Toolkit. The Law Society of Scotland has produced a cybersecurity guide.