³ÉÈËÓ°Òô

According to , there were 1.6 million computer misuse offences in the last 12 months. Although cybercrime affects all types of businesses and individuals, the legal sector is particularly vulnerable to malicious hacks due to the highly confidential nature of client data.

As well as the data protection rules which apply to all businesses under the Data Protection Act and General Data Protection Regulation (GDPR), businesses have an additional obligation to keep client information confidential, under Rule 4 of the SRA handbook. Failure to implement sufficient cybersecurity measures can therefore lead to enforcement action from both the Information Commissioner’s Office (ICO) and the Solicitors Regulation Authority (SRA). Furthermore, a hack can lead to serious reputational damage. So what lawyers do to prevent their data being compromised?

The importance of cybersecurity awareness

As a first step, all companies and business leaders should be aware of the main types of cybersecurity threat, which include:

• Password hacking - malicious hackers often use software which automatically attempts to obtain someone’s password by trying to log in to their account over and over again with different permutations of possible passwords until they find one which works - a process known as ‘brute force cracking’.
• Phishing - this normally takes the form of an email which purports to be from a legitimate business or organisation and invites the recipient to divulge their login details. Phishing emails often have sophisticated ways of disguising themselves and appearing genuine, such as using logos and masking email addresses.
• Malware - this is software which needs to be installed on a victim’s computer and then works in the background to collect personal data or lock someone out of their own files. Malware is often injected onto a device via a phishing email which encourages the recipient to click on a file. A ransom will sometimes be demanded to unlock files or prevent publication, in which case it is called ransomware.
• DDoS -  Distributed Denial of Services (DDoS) attacks are a technical method used by malicious hackers to target a company's website, often slowing it down or crashing it entirely.
  

Aside from technical cyberattacks, cybercriminals also extensively use social engineering to target businesses and their clients. In an age of social media, individuals are increasingly accessible to malicious hackers who can manipulate or blackmail their victims in an effort to access their login details. They also lure disgruntled employees to sell sensitive data.

6 top tips for lawyers to ensure their data remains secure

Preventing IT systems being compromised is largely down to awareness of risks and using common sense to avoid devices becoming exposed to unauthorised access. Some of the key measures include:

1. Audits - firms should carry out regular assessments of their cybersecurity risks. Note down any potential vulnerabilities and plan how to plug security holes.
2. Passwords - to prevent brute force cracking, ensure that any passwords used to access accounts are sufficiently long and complex. Passwords should be at least 12 characters long and include numbers and special characters (ie ?!%& etc). Also, do not use a password which can be guessed such as the name of a pet. Finally, use a different password for each account, so that if one is compromised the others remain secure. It can be helpful to use a password manager such as to keep track of multiple complex passwords.
3. Updates - don’t ignore those software update reminders. Updating software and applying security patches regularly to all your internet connected devices is an essential part of cybersecurity housekeeping.
4. Encryption - make sure your data is encrypted. This is particularly important when it comes to confidential client data. Most new software and hardware comes with encryption built in, but make sure that any stored files are encrypted, particularly on older systems.
5. Cloud - embrace cloud software where possible. This is automatically updated with all the latest security patches and any data stored in the cloud is normally encrypted as standard. Furthermore, using cloud storage means that confidential files do not need to be transferred between different devices using insecure methods such as USB sticks. Finally, cloud software activity generally includes an audit trail which can be useful (eg if a member of staff downloads a sensitive file just before it is leaked this can provide evidence in a follow-up investigation).
6. Staff training - it is widely acknowledged that one of the weakest links in any organisation’s cybersecurity defences is its staff. All partners, employees and contractors should be briefed on their data protection responsibilities and taught at least the basics of how to keep systems and data secure.

How ³ÉÈËÓ°Òô can help

Explore our cybersecurity & cybercrime content and sign-up for a free trial by clicking here, or using the form below.

LexisPSL offers practice notes, precedents and Q&As to help you prepare your business.

• See here for our Cybersecurity content for in-house lawyers: Cybersecurity
• See here for all Cybersecurity legal guidance content:  Cybersecurity (all)