Data access v security tips #3: Data security tips straight from experts at Google
06/02/23
The third in our ‘Data access v security tips’ blog series focuses on practical instructions for operating more safely by following a nine-step plan and viewing the data security lifecycle in Google’s terms of four stages.
Improve your security in nine simple steps
Transforming the security of your data doesn’t have to be a painful and costly ordeal. By focusing on these nine main areas, you can nullify some of your biggest threats without going drastically over budget.
1. Physical security
There’s still a place for physical security in this digital world. Alarms, locks, shutters and a clean desk policy are your first line of defence against opportunistic intruders. This extends to those working in cafes, courts, trains, police stations, libraries or their homes.
2. Staff security
Sometimes, the threat is internal. Take care when onboarding new employees to read their references and ensure the right checks have taken place. Check in with remote workers regularly and keep an eye on tailgating in the office — when an unauthorised person slips in behind an authorised user.
3. Staff licensing
There are certain registration fees your law firm will need to pay throughout the year if you want to adequately protect yourself from money laundering, phishing and data protection breaches.
4. Staff policies and training
Employees can be your greatest weapon against cybercrime. Everyone in your law firm, from paralegals to partners, should have an understanding of security, and should be aware of any potential security risks that could arise during their work. Build effective training sessions into your induction processes and update them annually.
Use passwords for everything. Don’t share passwords by email and consider storing them in secure password management software instead. Better yet, use multi-factor authentication for everything, especially if users can access your data remotely.
6. Cloud configurations
It’s your IT department or specialist partner’s job to make sure your routers are configured correctly to ensure certain users can’t access things they shouldn’t. The same applies to those working from home. Family members should not be able to access your work documents.
It’s well worth undergoing the extensive audit process to get your hands on accreditations like Cyber Essentials, ISO 27001 and the Law Society’s Lexcel and Conveyancing Quality Scheme standards. You’ll notice a whole host of issues which you didn’t realise were there and it’s a badge of proof that your law firm will do everything in its power to operate securely and protect client data.
Professional indemnity insurance and cyber insurance can prevent you from losing a fortune when things go wrong. What’s more, having good security protocols in place can reduce premiums, helping you to get cover at a cheaper price.
9. Third-party protocols
Just because you’ve got strong security doesn’t mean your cloud provider does. Be sure to audit your suppliers and data processors to confirm whether they too are operating securely. If they’re not, then you’ll be guilty by association.
The data security lifecycle
Data has a long lifecycle. And not a simple, linear one either. It’s an amalgamation of smaller lifecycles running in different operating environments. In nearly any phase, data can move in, out of, and between these environments. And it’s your job to keep it safe every step of the way.
It isn’t simply a case of securing the data at source. You need to be aware of the whole ecosystem of components and protocols that surrounds your data, including your users, your access, your platforms and your applications.
To complicate things further, there’s the fact that conflicting laws exist. For example, HMRC can ask to see your data for up to seven years. On the other hand, data protection laws would ask you to delete that data in a lot less time.
So, how do you stay on top of it all? We find the best thing to do is to follow our partner Google’s lead, and view the lifecycle in four distinct phases.
The data security lifecycle, according to Google
1. Classify data
Some data is more important than others. The classification stage is simply the process of categorising your data to organise it more efficiently and identify what data needs to be protected. Remember, data can become more valuable over time, which means its classification will need to change accordingly.
2. Apply controls
Based on the classification of your data, you can begin applying controls to protect it. In simple terms, “controls” are just mechanisms you can use to detect, mitigate and prevent cyber threats — think firewalls, data encryption and multi-factor authentication.
It’s important to monitor who exactly has access to your data through a constant process of authentication and authorisation. Not only does this ensure people only access the data they’re allowed to, it can also validate the controls you’ve put in place and detect when people aren’t complying with the rules.
4. Data deletion
A fundamental principle of data security is that any information which isn’t necessary for you to conduct business shouldn’t be kept. It’s a principle known as data minimisation and it helps prevent unnecessary harm. Make sure you understand and plan for the deletion of your data, or simply redact the data if you’re unsure.
Want to read our earlier blogs in this series? Access ‘Data access v security tips #1: The time is NOW to strike the right balance between access and security’ and ‘Data access v security tips #2: Cyber risks facing your law firm in the new world’.