Data access v security tips #3: Data security tips straight from experts at Google


The third in our ‘Data access v security tips’ blog series focuses on practical advice for operating more safely: a nine-step plan, followed by the data security lifecycle viewed, in Google’s terms, as four stages.


Improve your security in nine simple steps

Transforming the security of your data doesn’t have to be a painful and costly ordeal. By focusing on these nine main areas, you can nullify some of your biggest threats without going drastically over budget.

1. Physical security

There’s still a place for physical security in this digital world. Alarms, locks, shutters and a clean desk policy are your first line of defence against opportunistic intruders. This extends to those working in cafes, courts, trains, police stations, libraries or their homes.

2. Staff security

Sometimes, the threat is internal. Take care when onboarding new employees to read their references and ensure the right checks have taken place. Check in with remote workers regularly and keep an eye on tailgating in the office — when an unauthorised person slips in behind an authorised user.

3. Staff licensing

There are certain registration fees your law firm will need to pay throughout the year if you want to adequately protect yourself from money laundering, phishing and data protection breaches.

4. Staff policies and training

Employees can be your greatest weapon against cybercrime. Everyone in your law firm, from paralegals to partners, should have an understanding of security, and should be aware of any potential security risks that could arise during their work. Build effective training sessions into your induction processes and update them annually.

5. Passwords

Use passwords for everything. Don’t share passwords by email; store them in secure password management software instead. Better yet, use multi-factor authentication for everything, especially if users can access your data remotely.

6. Cloud configurations

It’s your IT department or specialist partner’s job to make sure your routers are configured correctly to ensure certain users can’t access things they shouldn’t. The same applies to those working from home. Family members should not be able to access your work documents.

7. Accreditations

It’s well worth undergoing the extensive audit process to get your hands on accreditations like Cyber Essentials, ISO 27001 and the Law Society’s Lexcel and Conveyancing Quality Scheme standards. You’ll uncover a whole host of issues you didn’t realise were there, and the accreditation is a badge of proof that your law firm will do everything in its power to operate securely and protect client data.

8. Insurance

Professional indemnity insurance and cyber insurance can prevent you from losing a fortune when things go wrong. What’s more, having good security protocols in place can reduce premiums, helping you to get cover at a cheaper price.

9. Third-party protocols

Just because you’ve got strong security doesn’t mean your cloud provider does. Be sure to audit your suppliers and data processors to confirm whether they too are operating securely. If they’re not, then you’ll be guilty by association.


The data security lifecycle

Data has a long lifecycle. And not a simple, linear one either. It’s an amalgamation of smaller lifecycles running in different operating environments. In nearly any phase, data can move in, out of, and between these environments. And it’s your job to keep it safe every step of the way.

It isn’t simply a case of securing the data at source. You need to be aware of the whole ecosystem of components and protocols that surrounds your data, including your users, your access, your platforms and your applications.

To complicate things further, there’s the fact that conflicting laws exist. For example, HMRC can ask to see your data for up to seven years. On the other hand, data protection laws would ask you to delete that data in a lot less time.

So, how do you stay on top of it all? We find the best thing to do is to follow our partner Google’s lead, and view the lifecycle in four distinct phases.

The data security lifecycle, according to Google

1. Classify data

Some data is more important than others. The classification stage is simply the process of categorising your data to organise it more efficiently and identify what data needs to be protected. Remember, data can become more valuable over time, which means its classification will need to change accordingly.

2. Apply controls

Based on the classification of your data, you can begin applying controls to protect it. In simple terms, “controls” are just mechanisms you can use to detect, mitigate and prevent cyber threats — think firewalls, data encryption and multi-factor authentication.

3. Monitor

It’s important to monitor who exactly has access to your data through a constant process of authentication and authorisation. Not only does this ensure people only access the data they’re allowed to, it can also validate the controls you’ve put in place and detect when people aren’t complying with the rules.

4. Data deletion

A fundamental principle of data security is that any information which isn’t necessary for you to conduct business shouldn’t be kept. It’s a principle known as data minimisation and it helps prevent unnecessary harm. Make sure you understand and plan for the deletion of your data, or simply redact the data if you’re unsure.

Want to read our earlier blogs in this series? Access ‘Data access v security tips #1: The time is NOW to strike the right balance between access and security’ and ‘Data access v security tips #2: Cyber risks facing your law firm in the new world’.