Lawyer Monthly Magazine - May 2019 Edition

Ransomware attacks typically make an organisation’s data unavailable, rather than steal that data for sale on the dark web. However, according to Article 32 of the GDPR, IT teams must put in place the “appropriate technical and organisational measures” not only to secure the data, but also “to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” This makes backing up an essential requirement for any law firm if the worst-case scenario happens and it falls victim to a ransomware attack.

But the devil is in the detail. As World Backup Day on Sunday 31st March reminded IT leaders, best practice requires following the 3-2-1 model: three copies, on two different media, with one off-site (e.g. in the cloud). Otherwise, ransomware may find its way into the backup data stores.

It’s these details which make the difference between cyber protection that works, and a strategy which may actually give the organisation a dangerous false sense of security. You may nominally have disaster recovery and incident response plans, for example, but when was the last time they were tested effectively? Similarly, you might have watertight server and network security in place, but if your employees are still using password-only logins for accounts, it’s the equivalent of locking the front door of the house and leaving the windows open. As I revealed last year, researchers found over one million email addresses and passwords linked to the UK’s top 500 law firms up for sale on the dark web. They’d been used by employees to log in to third-party sites like LinkedIn which were subsequently breached. Such troves of corporate log-in data are increasingly common on the cybercrime underground.

Time for action

It’s not easy being an IT security leader in the legal sector. Along with the growing risk from hackers, there’s new digital infrastructure to protect, including cloud deployments which have expanded the corporate attack surface significantly. That’s not to mention persistent industry skills shortages which can leave IT security teams stretched to breaking point.

However, by following best practices it is possible to reduce cyber risk and improve GDPR compliance efforts. It’s all about convincing the regulators you have the best interests of customers and employees at heart. This doesn’t require spending millions on flashy technology, but nor does it mean doing the minimum you believe is necessary to stay under the radar. Consider the following as a start:

• Endpoint, network, server and web/email gateway protection, ideally from a single reputable provider
• Tight access controls (least privilege) and multi-factor authentication (MFA)
• Continuous network monitoring for threats
• End-user education (e.g. phishing simulations)
• Keep all devices and software up to date
• Follow best practice standards and frameworks. Start with Cyber Essentials. BS 10012:2017 personal information management system (PIMS) and ISO 27001:2013 information security management system (ISMS) could also help
• Consider outsourcing some or all security functions to a managed security services provider

Above all, remember that GDPR compliance is not a single process that you can tick off and move on. It will require constant attention and a close eye on what regulators are demanding, as requirements may change over time. Follow the ICO for updates.

FIRM PROFILE

Nasstar is a leading IT provider to the legal sector and has been providing fully managed IT, cybersecurity and cloud services to the industry for over 20 years. For more information, visit the Nasstar website.
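The article's backup point is that a 3-2-1 layout can look compliant on paper while every copy is still writable from the production network, so ransomware on a file server can encrypt the backups along with the data. The following Python script is an added example, not code from Nasstar or Lawyer Monthly: it evaluates a backup inventory against the 3-2-1 rule and then asks the question the rule alone does not answer, namely whether at least one off-site copy is out of reach of production hosts. The inventory format, field names and the two sample inventories are assumptions constructed for this illustration.

```python
"""Check a backup inventory against 3-2-1 and flag ransomware-reachable copies.

Added example; the BackupCopy fields and the sample inventories below are
constructed for illustration and do not describe any real system.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                     # "disk", "tape", "object-storage", ...
    offsite: bool                   # held away from the primary site
    writable_from_production: bool  # production hosts can modify or delete it
    immutable: bool = False         # retention lock / WORM blocks overwrites


def evaluate_3_2_1(copies: Iterable[BackupCopy]) -> dict:
    """Return the three 3-2-1 checks plus a ransomware-exposure view.

    A copy is 'exposed' when production hosts can write to it and nothing
    (retention lock, offline media) stops those writes. Ransomware running
    on production can therefore encrypt or delete it.
    """
    copies = list(copies)
    media = {c.medium for c in copies}
    exposed = [c.name for c in copies
               if c.writable_from_production and not c.immutable]
    # Off-site copies that would survive an encryption event on production.
    survivable_offsite = [c.name for c in copies
                          if c.offsite and c.name not in exposed]
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "exposed_copies": exposed,
        "survivable_offsite": survivable_offsite,
    }


def passes(report: dict) -> bool:
    """3-2-1 satisfied AND at least one off-site copy is beyond ransomware's reach."""
    return (report["three_copies"] and report["two_media"]
            and report["one_offsite"] and bool(report["survivable_offsite"]))


# Constructed sample inventory 1: counts as 3-2-1, but every copy is an
# always-mounted target that production can write to (the cloud copy is a
# sync folder, so an encrypted file is simply synced up as well).
NAIVE = [
    BackupCopy("primary-fileserver", "disk", offsite=False, writable_from_production=True),
    BackupCopy("onsite-nas-mirror", "disk", offsite=False, writable_from_production=True),
    BackupCopy("cloud-sync-folder", "object-storage", offsite=True, writable_from_production=True),
]

# Constructed sample inventory 2: the off-site copy is pushed by a backup
# service with write-only credentials into a retention-locked bucket, so
# production hosts cannot alter or delete it.
HARDENED = [
    BackupCopy("primary-fileserver", "disk", offsite=False, writable_from_production=True),
    BackupCopy("onsite-nas-mirror", "disk", offsite=False, writable_from_production=True),
    BackupCopy("cloud-locked-bucket", "object-storage", offsite=True,
               writable_from_production=False, immutable=True),
]


if __name__ == "__main__":
    for label, inventory in (("naive", NAIVE), ("hardened", HARDENED)):
        report = evaluate_3_2_1(inventory)
        print(f"{label}: passes={passes(report)} exposed={report['exposed_copies']}")
```

Running it shows the naive layout ticking all three 3-2-1 boxes yet failing, because its only off-site copy is a sync folder that production can overwrite; the hardened layout passes because the off-site copy cannot be modified from the production network. The check is deliberately binary and inventory-based; it does not replace an actual restore test, which the article separately recommends for disaster recovery plans.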
Lawyer Monthly, May 2019, page 25 | Nasstar | www.lawyer-monthly.com
