Protecting legally privileged information becomes more complex when your fee earners are working remotely. By taking these six steps your law firm will minimise the risk of data breach and uphold the confidentiality, integrity and availability of the sensitive data it manages.
Law has never been the most progressive sector when it comes to adopting new technology. Although many firms began 2020 very much office and paper-based, the coronavirus pandemic has forced them to adopt remote working models that, frankly, some weren’t ready for. However, needs must. Law firms throughout the UK are now taking steps towards a ‘new normal’ operating model, in which office-based work will be complemented by increased remote working.
Law firms hold highly sensitive, legally privileged information that requires high levels of security. Many firms will use a document management system to manage the confidentiality, integrity and availability of this information. However, technology alone is not enough to achieve comprehensive data protection.
In this new hybrid working landscape many rules will be generously interpreted, to put it mildly. This will not be for malicious reasons, but simply to get things done. This may be functional in the short term, but the new normal will require a reassessment of these rules if they are to remain fit for purpose, not just throughout the coronavirus pandemic but also into the future. In this blog post we will provide guidance on how your law firm can protect legally privileged information whilst users are accessing it from outside the safety of the corporate environment.
Protecting Legally Privileged Information
When you expand your law firm’s operating footprint, you increase the risks it faces. This happens in two key ways: introducing threat vectors through which cyber criminals can target you, and increasing the chance of users causing an accidental data breach by not paying attention to the data risks they face. For law firms that manage highly confidential legally privileged information, these risks need to be mitigated in order to avoid potential financial, operational and reputational damage.
Fortunately, there are steps your firm can take to protect legally privileged information whilst your users access it remotely. We’ll take you through six of these steps one at a time:
- Implement multi-factor authentication. Properly configured multi-factor authentication (MFA) is the first line of defence against a compromised account. In an ideal world, all accounts should have MFA enabled. However, we appreciate this may not always be a practical solution. You may want to look at alternatives like risk-based authentication, which we describe below.
- Consider risk-based authentication. Risk-based authentication is a good option for law firms looking to enhance cyber security without adversely affecting user experience. It is built around a set of rules, such as a first sign-in from a new location or device, or a user’s risk score, which is based on their behaviour. Think about Verified by Visa – if you’re logging into a website you’ve purchased from before, from your home laptop, you’ll be allowed through. If you’re on an unfamiliar website, perhaps on a new device or from a different location, you will be challenged with MFA or even denied. The same principles apply here.
- Use location services. Do you know where your users are? IP addresses are geo-locatable, which is extremely useful when it comes to monitoring and alerting on suspicious activity. Impossible travel alerts, triggered by the likes of a login from a UK location immediately followed by a login from a US location from the same IP address, are an early indicator of a compromised account. And even better, this functionality is included in Microsoft 365 and Azure.
- Train your people in cyber security best practices. Remote working impacts on employees, clients and IT teams. The simple fact is that where you introduce people, you introduce risk. Minimise this risk by providing continual training around cyber security best practices. People are less likely to follow these best practices when working from home, so it’s important that you target this training to make sure they remain educated and alert.
- Review your data management processes. Confidential legally privileged information should be controlled, and your law firm should have processes in place to maintain the confidentiality, integrity and availability of data. However, many processes at many firms have been broken by COVID-19. If your people have legally privileged documents stored locally, you need to get them under control. You should scan remote devices for potential compromises before reintroducing them to the corporate environment. And at the same time, you should check local document stores for any legally privileged information stored there that shouldn’t be – bring it back under central control.
- Optimise your technology. Whether it’s hardware access, connectivity, access to sites/systems, cyber security tools, or even something as seemingly simple as printing privileges, technology has the potential to go a long way towards solving many of the cyber resilience challenges your law firm faces. Productivity tools such as Microsoft 365 have all the cyber security features you will need. However, you need to invest time in configuring your Microsoft 365 tenancy to ensure the most appropriate levels of security, agility and performance.
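The risk-based authentication and location steps above can be combined into one sign-in decision. The sketch below is an added example, not code from this post or from Microsoft 365: the `SignIn` record, the 900 km/h speed threshold, the 50 km geo-IP noise floor and the allow/mfa/deny policy are all assumptions, sign-ins are grouped by user account, and coordinates are taken to be already resolved from the IP address.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900    # assumed threshold: roughly airliner cruising speed
MIN_DISTANCE_KM = 50   # assumed floor: ignore geo-IP jitter within one metro area

@dataclass
class SignIn:          # hypothetical record, not a Microsoft 365 schema
    user: str
    when: datetime
    device: str
    country: str
    lat: float
    lon: float

def km_between(a, b):
    """Great-circle (haversine) distance between two sign-ins, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(prev, cur):
    """True if getting from prev to cur would need more than MAX_SPEED_KMH."""
    hours = (cur.when - prev.when).total_seconds() / 3600
    dist = km_between(prev, cur)
    if dist < MIN_DISTANCE_KM:
        return False
    return hours <= 0 or dist / hours > MAX_SPEED_KMH

def decide(history, cur):
    """Return 'allow', 'mfa' or 'deny' for sign-in cur, given earlier sign-ins."""
    mine = [s for s in history if s.user == cur.user]
    if mine and impossible_travel(max(mine, key=lambda s: s.when), cur):
        return "deny"                      # likely compromised account
    known_device = any(s.device == cur.device for s in mine)
    known_country = any(s.country == cur.country for s in mine)
    # Familiar device and location pass through; anything new is challenged.
    return "allow" if known_device and known_country else "mfa"

# Constructed sample data: one earlier sign-in from London on a known laptop.
HISTORY = [SignIn("alice", datetime(2020, 9, 1, 9, 0), "laptop-1", "GB", 51.5074, -0.1278)]
```

A user with no history at all is challenged with MFA rather than allowed, so a first sign-in never passes on familiarity alone.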
Adapt to Thrive in the New Normal
By taking the appropriate steps, your law firm can implement people, process and technology measures that will enable your fee earners to do what they do best. At the same time, your law firm will minimise the risk of data breach and uphold the confidentiality, integrity and availability of the sensitive data it manages.
If you would like support in enhancing your firm’s cyber resilience, download the Six Degrees of Cyber Security to support your journey, then talk to one of our expert consultants.