Following last week’s NHS hack-attack, Tim Hill, technology policy adviser at the Law Society, provides some practical advice for avoiding IT meltdown and where to look for help
Modern life seems to be in a never-ending race to catch then overtake science fiction. But as we trade our Star Trek-inspired flip phones for the latest smart multi-gadget and wait eagerly for our hover-boards, it seems we must take the good with the bad.
Cyber attacks, once the domain of computer geeks and Hollywood hyperbole, have become an everyday reality for us all. Businesses must not only secure the office door, but the office Windows as well, as an online break-in can be more damaging to business and reputation than a real-life one.
Events of the past week have illustrated yet again the consequences of a breach of our cyber security defences. Losing the ability to work while the problem is resolved may only be the start of the problem, when irreplaceable business or client information risks being lost forever.
For professionals such as solicitors, who hold sensitive personal information about their clients, this is not just a business risk, but a risk to their reputation, to their compliance with regulatory requirements under data protection law, and to ethical and conduct obligations.
In threatening a solicitor’s ability to keep their client’s information confidential, and their money secure, an IT breach or scam strikes at the essential trust which exists between solicitor and client – trust that underpins our justice system.
In our contemporary network society even the intelligence agencies cannot live in digital fortresses. For them, as for us, risk assessments are never absolutes but difficult balancing exercises.
For small businesses and professional firms, including the vast majority of law firms, cybersecurity judgments involve risk, expense and resources. Up-to-date computer software, well-trained users and IT support staff, and effective anti-malware processes are not cheap.
Many firms will feel they are on a treadmill of replacement and expense: an endless cycle of new technology and new threats in what many commentators have already suggested could be a never-ending war between cyber attackers and defenders.
So how are small solicitors’ firms to cope? Can you do effective cybersecurity on a shoestring budget? Thankfully, there is a lot of support and advice out there, from the Law Society, from government and from law enforcement – much of it available free or at only moderate cost.
First, it really does help if you get some basics right. We would all like to dismiss scams as something that only happens to other people, people who are not as technically capable as us. Yet basic weaknesses, such as insecure passwords, out-of-date or unpatched software, or just opening the wrong link or file, are what cyber-criminals prey on.
A failure to update or patch software appears to be at the root of the recent malware attack that caused such chaos across the world and across the UK’s National Health Service.
A good place to start to make sure that you and your staff get the basics right is the government’s Cyberaware programme, which has specific resources and guides for small business.
For the next step up, keep yourself informed on what’s happening in cybersecurity. The Law Society provides a range of resources aimed specifically at solicitors, from regular coverage of cybersecurity issues in our weekly Profession Update and Law Society Gazette to a steady feed of updates, advice, resources and guidance on our cybersecurity and scam prevention page.
For those able to invest a little more time and money into their cybersecurity, the National Cyber Security Centre publishes a series of advice sheets on ten steps to different aspects of cybersecurity which delve into more specific detail on topics such as network security, incident management and preventing malware. There is also free online training available on Cyber Security for Legal and Accountancy Professionals, developed by the Law Society, the government and the ICAEW.
Another important resource for those looking to make the essential investment in cybersecurity is the government-sponsored Cyber Essentials certification programme, which was developed in collaboration with industry groups. While there will be a modest cost, depending on the size of your firm and your exact needs, Cyber Essentials will help you ensure your business has the basic level of protection against the most common online threats.
Finally, make sure you back up your data regularly and have an up-to-date and well-rehearsed incident plan. No one can ever be 100% safe, and there is always more that can be done, but small firms shouldn’t feel like good cybersecurity is a luxury that only the big firms can afford. Good cybersecurity is essential, and unavoidable. No one is in the game of prevent and detect any more: we all need to be able to detect and respond.