Cyber targets: Why law firms need to prioritise data security
Law firms that fail to take data security seriously are putting themselves at risk of cyber crimes, warns Richard Hodkinson
Over the past 20 years, technology has evolved at a pace that few could have predicted. For the most part, it has both revolutionised business and comprehensively invaded our personal space. Personal and business data is seemingly connected to everything and everyone all of the time. Meanwhile, the amount of sensitive client data that has been amassed over the years has put data management high on the risk register of every law firm. Big data and cybercrime have become key items on any chief information officer's top 10 list of strategic issues.
Consumerisation - particularly of tablets and smartphones - has probably been the single biggest catalyst that has raised the data production ante. Businesses moving to an 'everything online' digitalisation model are an additive factor to the booming data-driven economy.
Another contributor to the malaise in dealing with the growth of data has been the relatively low cost of storage, which, for many in a fast-moving world, means throwing disk storage at data problems.
Historically, it took 34 years (starting in 1956, the year the IBM RAMAC disk system was introduced) for a gigabyte of storage to drop from US$10 million to around $10,000 (in about 1990). The next three-orders-of-magnitude drop (to $10/gigabyte) took ten years (to about 2000) and the next (to $0.01/gigabyte) took another ten years (to about 2010). However, the costs and risks of storage are not to be overlooked and, analysed properly, they are likely to be significant.
Data management
Handling large sets of data is mechanically time-consuming and expensive and, in data protection terms, not easy to resolve. Buying disk space is only part of the equation. Making this data safe is a critical issue. It involves understanding the data and ensuring it is secured and ready to be recovered in the event of adversity.
Then, retention policies need to be overlaid to ensure that, when the regulator comes knocking, there is not too much and not too little information buried in disks spread across the organisation. The effort involved in designing and implementing an effective data retention policy should not be underestimated. Data collection does not stop at the electronic archive but also includes the vast quantities of paper normally associated with law firms.
We appear as a species to be creating content at an exponential rate, and that data needs to be stored, which presents a mechanical and commercial challenge. A 2011 IDC report, Extracting Value From Chaos, found that the world's data is doubling every two years. It suggested that 1.8 zettabytes (1.8 trillion gigabytes) was created and replicated in 2011; this was revised in 2012 to 2.8 zettabytes.
This is equivalent to the amount of information needed to fill 57.5 billion 32GB Apple iPads, which would build a 20-foot high wall around South America.
There are many sources of data that are contributing to this remarkable data growth. Data comes from mobile, internet and traditional sources, and people are evolving from information consumers to producers by creating their own data.
Common but often ineffective coping methods include adding more hardware, pushing data transformations elsewhere (such as down into the database), or custom coding when addressing data performance problems that arise as data volumes grow.
Data security tips for law firms
- Ignore data management and data security at your peril. Regulators won't have much sympathy for those showing no awareness or competence. Put in place a risk management committee to review and manage the risks. This governing body should be connected to the board.
- Establish ownership for data protection and information security and make it responsible to the risk committee.
- Put in place some simple but effective data access policies and controls for systems and key data - who should have access to what?
- Understand your data. Where is your business data and your client data? Design a data strategy or, at least, start with a workable retention policy which covers both paper and electronic material.
- Take advice around your IT security posture to ensure you have a base for a reasonable level of defence against external attacks and malware, and ensure penetration tests on your systems are a regular event.
- Take an honest view of your capability and consider moving data and applications to a competent cloud operator.
Threats to data
The amount of data being created and its connectedness has increased the incidence of it being compromised. PwC's 2014 Information Security Breaches Survey found a high level and cost of security breaches for large and small businesses alike. Among the respondents, 81 per cent of large businesses and 60 per cent of small businesses said they had suffered a breach. Also, the research found that the average cost of the worst breach suffered has nearly doubled over the past year for small businesses.
It found that the average cost to a large organisation of its worst security breach of the year was between £600,000 and £1.15m (up from £450,000 to £850,000 a year ago). Meanwhile, the average cost to a small business of its worst security breach of the year was £65,000 to £115,000, up from £35,000 to £65,000 a year ago.
But cybercrime is not just about businesses being under threat from fraudsters or those looking to cause heavy disruption; there are some other interesting crimes that use wired and wireless access to systems.
James Lyne, director of technology strategy at Sophos, said in September 2013 that, with eight new users joining the internet every second and 250,000 new viruses being released daily, cyber crime is now a very organised and highly professional industry. It's possible to buy services to launch denial-of-service attacks on your competitors' websites.
In 2012, Google admitted that it had not deleted users' personal data that it gathered during surveys for its Street View service. In May 2010, it was revealed that Google had collected about 600 gigabytes of personal data from unsecured wireless networks in 30 countries while gathering images and location data for its mapping service. The Information Commissioner's Office is involved, but this does demonstrate how data is leaking and how readily it can be vacuumed up by those who know how - even by a business whose stated motto is 'don't do evil'.
Avi Rubin, professor of computer science and director of the medical health security lab at Johns Hopkins University in the US, has noted that other areas in which data and digital systems can be compromised include the following.
- In 2006, a pacemaker with network capability was fitted to then US vice-president Dick Cheney. According to October 2013 reports, Cheney's doctor disabled the heart defibrillator's wireless function in 2007 to prevent would-be assassins from interfering with it and causing a fatal heart attack.
- Researchers managed to compromise a modern car's 'brain' via both the wired and wireless networks. They broke both short- and long-wave wireless services and accessed the diagnostic ports on the engine management system. The car's speed displays were rigged to show false information, the brakes were applied and disabled, malware was inserted to change the car's characteristics at various speeds, and doors were unlocked remotely with the immobilisers bypassed.
- Fabian Monrose's lab at the University of North Carolina filmed people on buses using iPhones. Their key presses were reflected in their sunshades. A software algorithm was then developed to analyse the reflections and replicate the keystrokes, allowing the researchers to access a number of email accounts.
Civil penalties
Since November 2010, the Information Commissioner's Office has served civil monetary penalties totalling over £1.5 million on organisations that have failed to take the necessary measures to keep private data secure. Organisations large and small, public and private have received fines. In the legal sector, where reputation is a significant asset, a fine for a lack of professional diligence around confidentiality can be devastating.
Cybercrime is a 21st century industry and a menace that is not going to go away, but it will force us all to be more diligent and deploy more resources to manage it. Particularly for law firms sat on mountains of sensitive client data, information management and data security have to be a strategic consideration.
Richard Hodkinson is chief technology officer at UK law firm DWF (www.dwf.co.uk)