5 Practical Steps to Secure your Law Firm’s Data for GDPR

With the clock rapidly ticking down towards GDPR go-live, this week I was reading the newly published government survey, “Cyber Security Breaches Survey2018: Preparations for the new Data Protection Act” and I have to say I was amazed by some of the findings. The survey was looking at how aware businesses and charities are of the incoming GDPR legislation and how they are actively preparing for the change. Having been immersed in GDPR, both for my own organisation and for our clients, for well over a year now, I was particularly surprised to learn that overall only 38% of businesses had even heard of GDPR! And among those aware of GDPR, only just over a quarter of businesses had made changes to their operations in response to GDPR’s introduction.

However, of those who had made changes to how they operate, 49% said that some of the changes made related to cyber security practices. This doesn’t come as a surprise to me as we are currently in the throes of conducting an independent cyber security vulnerability scan, or a more in-depth cyber security check-up, to many organisations as part of their GDPR preparations, and we are finding, almost invariably, that cyber security is an area where there are some deficiencies that need to be corrected.

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.

Article 32 of the GDPR states that “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

It goes on to list some more specific measures which you may wish to consider, amongst others, which are:-

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

By the nature of data security, it is impossible for the legislation to be prescriptive, because the security threat landscape is constantly evolving, and as such, what constitutes a secure network today almost certainly will not constitute a secure network tomorrow.

Whilst the ICO (the data protection regulatory body in the UK) have produced guidance documents on many sections of the GDPR, there is not yet updated guidance around IT security for small and medium size businesses, so I thought it would be useful today to try and explain some practical steps for securing your data, in-line with IT industry best practice.

1. Cyber Security Defences
It is important to realise that there is no single product that will provide a complete guarantee of security for your firm. The recommended approach is to use a set of security controls that complement each other but will require ongoing support in order to maintain an appropriate level of security. The type of products you should be considering are likely to include:-

• Virus protection 
• Malware protection 
• Ransomware protection 
• Email filtering 
• Web filtering 
• Constantly updated firewall protection 
• Encryption of data in transit 
• Encryption of data at rest 
• Mobile working policies 
• Data loss/leakage prevention technology 
• Strong passwords 
• Two factor authentication 
• The ability to remotely wipe data from any user device that is lost or stolen 
• A system for securely wiping old servers and PCs prior to disposal 
• Regular or continuous vulnerability scanning 
• 24/7 monitoring against threats 

2. Implement an Effective Security Patching Regime
I recently wrote a detailed article on this subject, so won’t repeat myself here, but the full article can be found at -> http://legalsectorit.blogspot.co.uk/2018/02/preparing-for-gdpr-key-considerations.html 

3. Protect Data from Insider Threats

• Access control procedures (staff and third parties) 
• Starters and leavers procedures 
• Mobile working policies 
• Data leakage prevention 
• Ongoing staff education on cyber threats 
• More on protecting data from insider threats can be found here -> http://legalsectorit.blogspot.co.uk/2018/01/gdpr-for-law-firms-how-to-protect-your.html 

4. Implement Effective Data Backup Procedures

• A multi-layered approach to data backup to protect against different types of threats 
• Actively monitored backups 
• Backups tested regularly to ensure they are recoverable 
• More on effective data backup can be found here -> http://legalsectorit.blogspot.co.uk/2017/12/gdpr-compliance-for-law-firms-data.html 

5. Review and Test your Disaster Recovery Procedures

• Up to date plans 
• Regularly tested 
• Deliver proven recovery times 
• More on disaster recovery planning can be found here -> http://legalsectorit.blogspot.co.uk/2018/01/gdpr-compliance-for-law-firms-disaster.html 

I hope this provides you with some useful practical insight into how to secure your data in readiness for GDPR. If you are unsure whether or not your current data security practices are adequate for GDPR, then the best thing to do is to contact me to discuss getting an independent vulnerability scan or full cyber security audit. This will give you a good benchmark as to whether or not you are doing the right things around cyber security management, and if you are not, give you practical steps to remediate any vulnerabilities prior to the GDPR go live date on 25th May. If this article has raised questions or concerns over your firm’s cyber security strategy or you would like more information on Connexion’s services, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help.

_________________________________________________________________________________  
Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

The Cyber Crime Wave: 5 Practical Steps to Protect your Law Firm

Cyber-attacks are becoming ever more frequent and ever more costly, with estimated annual losses from cyber-crime now topping $400bn (£291bn), according to the Center for Strategic and International Studies.

And the effect of cyber-attacks on law firms is wide-ranging: disruption to the firm, the potential for large financial losses (the average cost of a cyber breach was $349,000 in 2017, according to NetDiligence, whose data is based on actual cyber insurance claims) and the reputational damage that a cyber-attack is likely to cause the firm. In addition, many cyber-attacks lead to a breach of personal data which in itself has major regulatory ramifications, both under the current Data Protection Act and the forthcoming GDPR.

On top of this law firms have the added complication of the impact an attack has on their SRA regulatory obligations.

It follows then that risk management around cyber-crime is now a major issue for all businesses. Law firms are particularly at risk given they are dealing with so much confidential material, ranging from personal data, to trade secrets, to large financial transactions, through to the personal affairs of high profile clients. As such, it is critical that cyber security is not just treated as an IT issue, and that there is ongoing Senior Partner involvement with establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the firm's risk appetite.

Many firms are turning to cyber insurance as a way of mitigating the risks around cyber-crime, but the reality is that a cyber insurer will assess your business processes around cyber security in order to understand their own level of risk and make decisions over the acceptance and pricing of your policy accordingly. So whilst taking insurance may be a prudent step, it does not mitigate the requirement to implement suitable processes, controls and technologies around cyber security management.

This is where a highly structured and methodical approach to IT management becomes critical as it is easy to lose sight of the relentless attention to detail that is needed to manage a law firm’s risk around cyber security. There is so much more to cyber security management than technology. Yes a suite of technological solutions will be part of the solution (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your firm’s processes and procedures surrounding cyber security. Some practical steps that I would recommend every law firm implements to lessen their risk of falling victim to cyber-crime are as follows:-

1. Implement an effective security patch management policy Software vendors are releasing a regular stream of patches to mitigate newly discovered security flaws. As I discussed in my recent blog “Key Considerations for an Effective Security Patching Regime”, having a methodology to ensure every device on the network receive patches in a timely fashion is vital.
   
   
2. Get an INDEPENDENT vulnerability scan carried out to benchmark your cyber security defences Because it’s very easy to be too close to a system and potentially overlook a security loophole, we frequently get called on to conduct independent security vulnerability scans, or fuller complete security audits for law firms. An independent security review by a third party who has no vested interest in the system is more likely to give objective, impartial feedback.
    
3. Implement a multi-layered data backup strategy With ransomware now extremely prevalent, effective procedures around data backup are paramount. More information can be found here.
   
   
4. Review and test your disaster recovery procedures I see so many disaster recovery plans that, for a plethora of reasons, don’t work when used in anger. Testing is essential to prove all your data is being backed up successfully and that your entire system can be restored in a timescale that is acceptable to the business. I wrote a blog on this subject recently, which you can find here.
    
5. Consider Cyber Essentials Certification The Cyber Essentials scheme is a government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks. Whilst by no means protecting against every possible threat, the cyber essentials scheme does provide a framework for good practice around cyber security. More information can be found here.  

There’s no doubt that managing the risk around cyber-crime is not easy, and needs dedicated resources and strict procedures which are rigorously adhered to. I think that is probably why so many firms are now moving towards partnering with a specialist IT company to provide this function, someone who can monitor their system from a security perspective at all times and is not distracted by the day-to-day operations of the firm. This is certainly the trend we’re seeing here at Connexion, where we are working with law firms to provide all of the above services on a fully managed basis.

If this article has raised questions or concerns over your firm’s cyber security strategy or you would like more information on Connexion’s services which include security vulnerability scans, patch management solutions, cyber essentials certification, backup solutions and disaster recovery solutions, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Preparing for GDPR: How do you know if your Law Firm’s Data is Secure?

As those of you who follow my blog will know, I have recently published a series of articles on preparing for GDPR, which cover key issues such as cyber security considerations, protecting your data from insider threats and effective data backup strategies.

However, the GDPR obliges firms not only to safeguard the data that they are holding, but also to be able to demonstrate that they are safeguarding it effectively.

And this raises an interesting question: how do you know if you are securing your data effectively? The truth is that many organisations are not aware that their controls around data security are ineffective until a data breach or cyber-attack comes to light – and by then of course, it is too late.

In some cases, even when there has been a data breach, organisations are not aware until long after the event - in some cases not until data is made public weeks, months or even years later. In itself this will be an issue under GDPR, which requires that data breaches are notified to the regulator within 72 hours.

The effectiveness of any firm’s data security is made even more difficult to measure as the cyber security landscape is a constantly moving target, with fraudsters continually devising ever more ingenious scams to gain access to data and money.

In addition, businesses are constantly evolving, with increasing use of technology and more remote working which can leave them exposed if the necessary controls are not put in place. M&A activity can also lead to a secure system suddenly becoming insecure – for example the high profile data breach that earned TalkTalk a £400,000 fine in October 2016 under the current Data Protection Act was reportedly caused by data being stolen from a database inherited through TalkTalk's acquisition of Tiscali, and accessed through three web pages with inadequate security. The "significant and sustained cyber attack" cost TalkTalk £42 million and resulted in the loss of 101,000 subscribers in the third quarter of 2015 as users fled to other networks. This highlights how cyber security is a Board Room/Senior Partner issue rather than just an IT issue, with data security considerations needing to be built into every business decision, in order to ensure that an organisation’s defences remain robust.

And, as I discussed in my blog, having a firewall and some anti-virus software is just the tip of the iceberg these days when it comes to cyber security defences. A plethora of technologies are now needed to achieve a joined-up approach to cyber security management and these must be combined with highly structured and methodical processes if you are to keep your firm one step ahead of the cyber criminals.

So how do you know if you have got everything covered?

Most businesses I ask this question of say that they “hope” their defences are adequate, which is quite a scary answer when a firm’s reputation and financial stability are at stake. And this seems to be part of a wider perception about IT as a whole – many firms I talk to are surprised when I tell them that the effectiveness of their IT should be measurable and aligned to their business objectives, just like every other element of their business. After all you wouldn’t dream of running your firm without knowing how many billable hours you were charging, yet it never ceases to surprise me how many people don’t see their IT in this light.

Of course, when it comes to cyber security, there are different levels of protection and a commercial risk management decision must be made regarding your firm’s appetite for risk and consequently what level of investment in cyber security is appropriate. If you get a really determined hacker, who has a personal vendetta to target your firm, then it can be very difficult and very expensive to ensure your defences will keep them out. But these types of bespoke attacks are the exception; the vast majority of cyber-attacks are what in the trade we call “commodity attacks”, (more details of which can be found in my article “SRA Compliance and Client Confidentiality: Why Law Firms need to Think like Cyber Criminals!”), which exploit known vulnerabilities to obtain access to an organisation’s data.

And measuring your organisation’s defences against commodity attacks is something that can be done. Here at Connexion we have tools that allow us to scan a customer’s network from outside and/or inside their organisation to highlight any vulnerabilities from external cyber criminals or insider threats. This can either be done to provide a one-off security benchmark, on a periodic basis or even now on a continual real-time basis.

There are also accreditations such as the Government’s Cyber Essentials scheme, which I talked about in my article “Risk Management in Law Firms: Protecting your Firm from Cyber Crime”, or ISO 27001 for those organisations where the risks demand a higher level of data security.

For those organisations wanting a more in-depth audit and report on the state of their cyber security, with recommendations of any remedial actions they should implement in readiness for GDPR, we also conduct full GDPR cyber security readiness audits.

These types of vulnerability scanning services, accreditations and audits provide firms with a clear measure as to whether or not their cyber security defences are conforming to best practice, and also provide that vital documentary proof for GDPR compliance purposes (and indeed for your prospective customers and the SRA too), that you are taking cyber security seriously and doing everything in your power to safeguard the data your firm holds.

If this article has resonated with you and you would like more information about vulnerability scans, GDPR cyber security readiness audits or the Cyber Essentials scheme, then please do not hesitate me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Preparing for GDPR: Key Considerations for an Effective Security Patching Regime

In recent weeks most of you will have heard media coverage around the discovery of serious security flaws, known as Meltdown and Spectre, which affect almost every modern computer, and could potentially allow hackers to steal sensitive personal data. The three connected vulnerabilities have been found in processors designed by Intel, AMD and ARM.

I therefore thought today that it would be well worth sharing some information on not just these particular threats, but the wider issue of patching computer systems in order to protect confidential and/or personal data against the latest security threats.

Patches, also known as software fixes or updates, are released by software vendors on a regular basis and are designed to fix bugs within the software and put in place measures to mitigate newly discovered security threats. Patches are released regularly for operating systems (like Microsoft Windows) and for most business software applications, as well as for technical software such as anti-virus and backup programmes.

Applying these patches is very important for a number of reasons:-

 * It helps to reduce your risk of falling victim to ransomware attacks, which, as the Wannacry attack in the NHS demonstrated last year, are extremely disruptive and can cause major business problems through downtime and loss of data, not to mention reputational damage and regulatory consequences.

* Exploiting known vulnerabilities is one of the commonest ways that cyber criminals may hack into or compromise your network. Known as “commodity attacks”, more information on types of attacks can be found in this blog. These commodity attacks often lead to data breaches and ensuing reputational damage to the business, commercial impact with customers and again, potentially serious regulatory consequences.

Which brings me nicely on to GDPR.

Just this week I was reading a blog by the Information Commissioners Office (the data protection regulator in the UK), which defines their stance around patching in relation to GDPR, and I quote:-

“Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty. And, under the General Data Protection Regulation taking effect from May 25 this year, there may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.” 

This statement brings clarity to the importance of applying security patches to your systems in a timely fashion. However, this may not be as straightforward as it first sounds. Firstly for larger businesses with remote workers or staff who use their own laptop or device for work, there is the logistical issue of how to ensure updates (which are coming out constantly) get deployed to all these end-user devices.

There are also servers to be updated which requires a structured process to ensure technical expertise is made available, suitable testing is carried out and the updates are organised in such a way as to minimise disruption to the business, such as arranging business-friendly downtime slots should the servers need to be rebooted in order to apply the patches.

Timeliness is also an issue, since cyber criminals are now actively “reverse engineering” fixes from software companies like Microsoft, so that they work out what vulnerability the update addressed, and then exploit that vulnerability in organisations who have not yet installed the appropriate patch.

There’s then the issue of testing patches to ensure they are not going to cause a problem with other software you are using on your PCs or servers or cause your IT system to grind to a halt. There has already been much speculation around how much the updates for Spectre and Meltdown may slow down computers, and over the years I have seen several updates that have caused problems on customer’s networks. Having a roll-back plan that will work is vital to mitigate the risks when deploying any widespread PC update.

Finally, your cyber defences are only ever as good as your weakest link on any given day, so when it comes to patching, getting 99% of your devices updated is just not enough. With many cyber threats set to seek out the one device that isn’t patched, and enter your network via that device, it is vital that organisations have in place systems that give clear visibility over all devices on the network and their current patch status, and raise an alert for any device which has not been patched or where a patch has failed to deploy for any reason. It is all too easy for one computer to slip through the net if your systems for deploying updates are not highly structured – perhaps the device was turned off, the user rejected or postponed the update or there was a technical problem such as the computer running short of disk space.

I hope this article has provided a useful insight into both the importance of, and the potential complications around, patching your computer systems. Here at Connexion we have highly structured processes and methodologies to deliver patch management to our customers, which include providing timely deployment of patches to all devices, clear visibility and alerting of any device that is missing a patch, and structured change control and rollback plans to minimise the risks around patch deployment. If you would like to find out more, please do not hesitate to contact me for a no obligation conference call on 0118 920 9600 or email james.stratton@connexion.co.uk.

 ________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

GDPR for Law Firms: How to Protect Your Data from Insider Threats

In my recent blog I shared my 8 top tips to protect your data from cyber threats. However, threats to your data do not just come from external cyber criminals, so today I wanted to talk about ways to protect your data from insider threats.

So what do I mean by an insider threat?

Well this can be something like a rogue employee or a disgruntled ex-member of staff, but more likely it will be a genuine member of staff who accidentally causes a security breach or data loss.

Human error is actually one of the commonest causes of a data breach. In fact, according to Security Magazine, up to 70% of data breaches can be linked to internal security gaps. Since the GDPR obliges firms to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’ (Article 32), it is important to put in place policies and controls that will minimise the risks of such an occurrence.

Password policies would be one such measure. I'm sure most of us would agree that we would prefer to choose an easily memorable password, but these are often very easily guessable and as such do not provide the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck, as I have seen firms who have implemented very complex password policies, which demand long passwords with complex character sets and frequent password changes, which have resulted in staff feeling the need to write their passwords down - and having passwords recorded on sticky notes certainly doesn't demonstrate due care of confidential data under GDPR!

With a recent survey by PwC having shown that 70% of law firms have now either embraced or are in the throes of implementing remote or mobile working, there is also a whole new set of challenges to address around data security. Preventing data loss or data leakage from mobile devices is a key area that needs careful management under GDPR. With company emails now frequently being synchronised to personal mobile phones, and copies of data sometimes being copied to USB sticks or held on laptops or home computers to enable remote working, it is all too easy for confidential data to accidentally get lost if a device is mislaid, stolen or hacked. Equally staff can sometimes be unaware of the implications of having certain pieces of software on their laptop/smartphone/home computer and may be unwittingly backing up or synchronising confidential company data to an unsuitable or insecure location, or even outside the European Economic Area.

Having appropriate processes and procedures around starters and leavers is also key in ensuring that only authorised personnel have access to your confidential data. Equally, it is best practice to give staff only the minimum access to systems and data that is needed to do their job, in order to minimise risk from a data breach or deletion, whether accidental or deliberate. Staff education is also vital in ensuring that your systems are not compromised by fraud or ransomware, which are often started via rogue emails.

Controls around what software employees can run on their computers are also important, as it is all too easy for employees to unwittingly install software that creates network vulnerabilities which could allow a hacker to access the network. Alongside this, there is also the need to have processes in place that ensure all devices on the network are updated with the latest software security patches. These are released by the various software companies on a regular basis. Of course it is human nature if given a choice that staff will click on “no” or choose to postpone the installation of such updates, so as to avoid disruption to their busy working day, but by doing this staff can leave your network highly vulnerable to security threats. It is therefore important to have a centralised system for managing security updates, something I will discuss in more detail in a future blog.

Nowadays, it is also likely that external organisations or third parties may have legitimate access to some of your IT systems or data. In this case this needs to be secured in just the same way as it is for your own staff, so you are clear who has access to what parts of the system, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.

Hopefully the examples above serve to illustrate that a wide range of controls are needed to ensure that your firm is protecting its data from insider threats. From a GDPR perspective it is important that law firms are able to demonstrate that they have understood what personal data they hold, where it is stored, who has access to it and for what purpose. Since there is an obligation to be able to demonstrate that risks have been assessed and an appropriate level of security has been implemented, I would recommend that all law firms review their data access control policies, procedures and technologies to ensure that they are protecting their data in accordance with current best practice.

Such controls not only put firms back in control of their valuable data, but also minimise the risk of a data breach under GDPR.

I hope this article has given you a useful insight into the ways that you need to protect your data from insider threats, as well as external cyber security threats, when preparing for GDPR. If, having read this article, you are concerned that your data security policies may not be adequate for GDPR, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help. Our services include providing independent GDPR cyber readiness audits, vulnerability scans and consultancy around implementing technologies and processes to ensure your data security defences are in line with industry best practice.

                                                                                                                                                               

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

GDPR Compliance for Law Firms: Disaster Recovery Considerations

In my last blog, I talked about data backup considerations when preparing your law firm for GDPR.  Today I wanted to talk in more depth about disaster recovery.

With the best planning in the world, sometimes the unexpected does happen. We only have to look at the chaos caused in the NHS by the Wannacry ransomware attack to see the operational and commercial impact that computer systems downtime can cause, as well as the reputational damage.

It is therefore important that as part of your GDPR obligations to safeguard the data that your firm holds, that you have in place suitable disaster recovery plans that you could fall back on should the worst happen.

Part of this will be about having a technical disaster recovery plan in place that ensures you can recover your data and systems successfully and in a timely manner. Equally importantly, there also need to be plans in place to cover how you would operate in the interim and how you would communicate details of an IT failure to customers, staff, suppliers and the relevant regulator(s) to minimise the financial and reputational damage to your firm. Bear in mind that, in such a situation, many of the systems you normally rely on for your communications such as emails or contact databases may be unavailable, so the plan needs to provide for alternative ways to access these details and contact these people.

And to bring the subject of disaster recovery planning into perspective, whilst many law firms I talk to tend to associate IT downtime with a large events such as fires or floods, the reality is that the majority of IT downtime has much more mundane causes which can include hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. And in many cases the downtime is considerable. For example, according to Intermedia, 72% of companies infected with ransomware suffer two days or more without access to their files, while 32% are locked out of their files for at least 5 days.

Whether an outage is caused by ransomware, hardware failure, software failure or a wider scale disaster, it is critical in this situation that the disaster recovery plan is going to work effectively and in a timely manner. I find many businesses that put together a disaster recovery plan some years ago and left it in the fireproof safe ever since, without testing or updating. My experience is that this document needs to be constantly evolving, as use of technology in law firms has moved on rapidly, and what was an acceptable recovery plan even a year or two ago may now be totally inadequate. In addition, systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can impact on the technical success of a recovery.

So in order to ensure ongoing compliance and relevance, I always recommend that law firms continually reassess and test their plans around resilience, backup and disaster recovery, against the operational needs of their business and their regulatory compliance obligations. Some points to consider would include:

1. How long could your firms manage without access to each of its IT systems and data repositories? This is likely to vary from system to system; for example you may be able to tolerate no downtime on your email, but it may be acceptable for an archived cases folder to be restored within 72 hours. So your disaster recovery plan needs to consider each system and data repository that you use, assessing how long your firm could cope without access to that system or data repository.

2. How much data, if any, could you afford to lose?
For each IT system and data repository you need to be clear how much data loss, if any, would be acceptable to the firm, in both commercial and regulatory terms, and tailor your backup and disaster recovery plans accordingly. If no data loss is acceptable, then a real-time replication solution should be considered, as part of a multi-layered backup approach (see more details in this blog). If some data loss is acceptable in a disaster scenario, then backups which run daily or hourly may be acceptable.

3. Does your current disaster recovery plan accurately reflect 1 and 2 above?
Your disaster recovery plan needs to be designed such that your objectives around downtime and data loss as defined above can be met.

4. Would your plan work if used “in anger” and are you able to demonstrate this?
In order to ensure success it is vital that the disaster recovery plan is tested on a regular basis. Testing, in my experience, almost always highlights errors or omissions in the plan which would cause an issue in a live disaster recovery invocation. Whether that’s a practical problem (something technical or operational in the plan doesn’t work) or whether it reveals that the time taken to carry out the recovery does not meet business objectives, or that all data cannot be recovered successfully, testing is paramount to provide the peace of mind that the plan will actually work when used “in anger”. Tests of disaster recovery plans also need to be documented, so there is clear evidence that plans exist, testing has been conducted, the plan has been shown to meet business and regulatory requirements and that any necessary remedial actions highlighted by the test have been actioned.

5. What is the process for reviewing and updating your disaster recovery plan?
With our use of technology constantly evolving, and regular changes to legislation, it is important that plans around backup and disaster recovery are regularly reviewed and re-assessed against the commercial and operational needs of the firm, as well as regulatory compliance requirements in relation to the SRA and GDPR.

I hope this has given you a useful insight into some of the key areas to consider around disaster recovery planning when preparing for GDPR. If, having read this article, you are concerned that your current disaster recovery plan may not be fully compliant, or may no longer meet your firm’s needs, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help, which include providing independent consultancy as well as (where required) implementing technologies and processes to ensure your disaster recovery plans meet your regulatory obligations and your business needs.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

GDPR Compliance for Law Firms: Data Backup Considerations

In my recent blogs, I have penned a number of articles round preparing your law firm for GDPR from an IT perspective, including six key steps that firms need to be taking to ready themselves for GDPR, understanding where your data is stored, controlling access to your data and cyber security considerations.

In today’s article I wanted to focus on data backup, as I find that there can be much confusion about effective, compliant backup, and it is quite common for law firms to think their data is safely backed up, only to find that when a problem arises which causes them to revert to their backup, that for any number of reasons, it doesn’t work as they anticipated. Having an effective data backup strategy forms part of any organisation’s obligations to safeguard the data that they hold, much of which is likely to contain information that identifies individuals, and therefore falls under the scope of the GDPR.

There are a whole host of reasons why you need to backup your systems and data, for example to protect against:-

• Ransomware attacks 
• Deletions – accidental or malicious 
• Data corruption 
• Hardware failures 
• Software problems 
• Fire, flood or natural disaster 

As well as forming part of your firm’s GDPR preparations, having effective backup strategies in place to mitigate the types of risks listed above is also an important part of SRA compliance, since Principle 8 of the Code of Conduct states that you must “run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles”.

It is important to realise that there are many different types of backup, and they each provide protection against one or more of the above scenarios, but they do not all necessarily provide full protection against every scenario, so it may well be appropriate to deploy several different layers of backup.

A few things to think about include:-

• If you are using removable media (hard disks or tapes) to backup your system, where do you store your backups? If they are onsite, then there is a danger that say a fire or natural disaster that incapacitates your live system could also wipe out your backup system. If you store them offsite, what is the procedure for recalling them to site in a disaster and how long would it take to retrieve them?
  
  
• How often do you backup your data? If it is only nightly, then in a disaster you could lose up to a whole day’s work. What are your procedures to re-create this data? What about emails that have been lost? Would this be acceptable to the business, to the regulator and to your clients? If the answer is No, then you need to review the frequency that you are taking backups.
  
• Are your backups permanently connected to your live system (e.g. hard disks or online backup that presents itself as a drive on your machine or server)? If so, in the case of a ransomware attack, there is the danger that your backups could be encrypted as well as your live system and effectively rendered useless.
  
• How many copies of your backups do you hold? Some organisations rely on a real-time cloud based backup or replication to another server to hold up-to-date backup data. Whilst this is very useful in some scenarios (e.g. a server hardware failure), as it ensures there is no data loss, in other scenarios in may not work well at all – for example a data corruption that affects your live system will be immediately replicated to your cloud backup or standby server, thereby rendering it useless. It is therefore important that you also have a process in place that allows you to restore your data back to a given point-in-time: in this example, to before the corruption occurred.
  
• Then there’s the question of what to restore your backups onto, which is something not everyone considers. In the case of a deletion, data corruption or ransomware attack you can restore your data back onto your existing hardware. But in the case of a hardware failure, flood, fire or natural disaster, you may no longer have server(s) to restore your backups onto. Purchasing new hardware and restoring backups onto it is no small task and you can expect to be without your data and IT systems for several days if you haven’t pre-planned for this scenario.
  
• This brings me onto the difference between data and systems backups, which is a fine distinction that is not always appreciated, but can make a huge difference in the event of an entire system needing to be restored. With data backups alone, whilst you have copies of your data, you do not have copies of your entire servers, which contain operating systems, software applications, settings, user IDs, policies and a myriad of other configuration settings as well as your data. Data backups provide excellent protection against things like data deletion, but do not provide a quick and easy way to recover a working IT network in the event of a complete server failure or fire, flood or natural disaster. In this case, if the recovery is to be in any way timely, you really need to be looking at a backup that takes a complete image of your entire server, not just your data.
   
• Finally, any data recovery will only be successful if your backups have worked in the first place. I am constantly surprised by the number of businesses who fall foul of this and believe they have a working backup until the day they need to recover some data, or their entire system, when they find that those backups haven’t worked in full or, in some cases, at all. Having a business process in place to monitor the success of backups is paramount, as is regular testing to ensure the integrity and restorability of your backups. 

I hope that this article has helped to highlight that data backup is actually a complex issue, which almost always requires a multi-layered approach, combined with structured business processes, to be successful. If, having read this article, you are concerned that your data backup strategy may not be fully compliant, or may no longer meet your firm’s needs, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Connexion can help, which include undertaking an independent audit of your backup procedures, and/or providing technologies and processes that ensure your backups meet your regulatory obligations and your business needs.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/