From client data to cyber-risk prevention, whether a one-off project or a recurring issue, joining-up and integrating tech and IT applications is ultimately the lifeblood of every law firm. Alex Loquens explains
A good starting point for the vast subject that is law firm technology is cyber-attack prevention: building IT security into the heart of the business-critical applications within your organisation.
For firms fortunate enough to have a team of developers, application security is of utmost importance. I’m not talking about basic application security, such as username and password, but about taking a very real and, dare I say, pessimistic view that your application will be hacked, your data compromised, and sensitive client data stolen and put up on the web for all to see, or offered for sale on the dark web.
DEALING WITH THREATS
My advice is to have your application security tested by an external certified security vendor, a process commonly known as ‘penetration testing’, and preferably by a CREST- or CHECK-certified organisation. This is a commodity service, and any number of penetration testers will be able to undertake an internal or external vulnerability assessment against a clear scope of works that states whether your application is internet-facing or internal only.
And bear in mind that even if your application is internal only, it does not mean it isn’t vulnerable. Testing can begin with basic vulnerability scanning, using external services from vendors such as AppCheck, but an automated scan finds known weaknesses in known products and is not a substitute for a penetration test, which exercises the application’s own logic.
AppCheck is one of several web-based security-scanning tools for SMEs. It can conduct IT vulnerability scanning on your internet applications and, as it is very intuitive, can be configured quite easily by a non-IT professional. AppCheck will scan network services such as external connectivity (VPN, or virtual private network, access) and websites. It will provide a detailed remedial action plan for resolving any identified vulnerabilities, and will generate a very detailed testing assessment report. This being said, seeking professional IT expertise to address and resolve any vulnerabilities is strongly advised.
Also consider ‘ethical hacking’. Ethical hackers are essentially computer hackers who are onside with the ‘good guys’. Again, this is a commodity service, and hackers can be employed to try to crack your application to test its robustness.
If they succeed, the ethical hacker will explain how they got in, and what measures will ensure the vulnerability is plugged. You can find out more about ethical hacking online: search for ‘red teaming’, or see Falanx.com.
When it comes to probes of your application (with the scope and depth of course dependent on available budgets), I would advise not accepting vendors’ claims that basic checks have been undertaken, or that the software has been developed using best practice and is ‘good enough’ to thwart cyber attacks. Insist that security is as important to the development lifecycle of their product as the product itself. With commercial off-the-shelf software (COTS) and the vendor selection process, it’s imperative you ask what testing has been conducted, to what standard, who completed the assessment and when, and ask to see the report, or at least its summary of findings and how each was remediated.
At the very least, I would expect an internal vulnerability assessment to have been carried out. Engaging a specialist security vendor to complete this assessment is in order. There are several trustworthy organisations, such as Sec Data, which specialises in traditional vulnerability assessments and can assist with areas such as GDPR compliance, Cyber Essentials Plus (find out about the scheme by searching the government’s website, www.gov.uk, for ‘cyber essentials scheme overview’) and, if applicable, ISO 27001, the international standard for information security management systems, which covers physical as well as IT security controls and carries a formal accreditation (search the British Standards website, www.bsigroup.com, for ‘information security’).
Sec Data and other similar providers will work with your firm as a trusted security adviser, removing the headache of trying to manage your IT security and risk internally. The benefit is that you are engaging the dedicated and specialist services of a business specifically qualified, and with the expertise, to manage it thoroughly. One third-party application security gap for them to look out for is how far vendors have considered the encryption of data, both in flight and at rest.
While software vendors are unlikely to write their own encryption (nor should they), it’s useful to know and understand that the application supports current standards (for example TLS 1.2 or later for data in transit and AES for data at rest), which cryptographic libraries or vendors it relies on, and to take references from client sites that have adopted a data encryption approach.
WITHSTANDING CYBER ATTACKS
Don’t accept as a given that the application can withstand the most common cyber attacks (see box below) and then rush ahead and adopt and implement the product. Instead, insist the vendor takes cyber security seriously, is able to thwart common internet attacks, and is protecting your and your clients’ data. Ultimately their asset and reputation are at stake in the marketplace. At this juncture it’s probably an appropriate time to wave the GDPR stick.
MOVING TOWARDS INTEGRATION
Integrated applications, such as your practice management system (PMS) with your customer relationship management system (CRM) and your document management system (DMS) for automatic document creation and automatic matter billing, are ultimately the lifeblood of your firm. These systems ensure the firm is meeting client expectations and staying on top of an ever-increasing workload, which is only possible by ensuring workflows are streamlined and automated where possible.
They also ensure your organisation is operating at its most efficient, with the ‘least number of clicks’ for the fee earner, so they are not overburdened with multiple application screens. All this is wholly dependent on how data travels around your firm. Here are some areas for consideration:
1 Data networks and network separation: clear demarcation lines as to where your local (trusted) network begins and ends. Your IT team should look at deploying segregated networks, so that if one system is compromised, the attacker’s access to other internal systems, and to the data on them, is limited.
2 Employing the services of network security experts - ensuring IT systems are designed with IT security at the very core.
3 A detailed understanding of the ‘where and how’ a hacker could compromise your firm, spanning your internal and external-facing applications, and asking: ‘How could it be attacked?’ ‘What data is exposed?’ ‘Does the data contain personally identifiable information (PII)?’ ‘Is the data encrypted?’
4 Is the application locked down to only those staff who need it? Look at integrating application authentication with your staff computer sign-on (single sign-on). This increases efficiency by ensuring your fee earners are getting into and working on applications quickly, and also enhances your IT security posture significantly (one user account to disable when a member of staff leaves, rather than one per application).
5 Security advice: is the advice on how applications integrate and pass data between systems appropriate? Can two-factor authentication be incorporated, for example? (This is where a one-time code, typically six to eight digits from a hardware token or authenticator app, is required in addition to the network username and password to gain access to your internal IT systems.) Also ensure that data passed across your estate is encrypted to current standards, and establish whether client data leaves the perimeter of your network at all; avoid that where you can, or at the very least make sure the data is encrypted both at rest and in flight, using TLS (the modern successor to SSL, and the protocol behind every bank’s website) as the secure communication channel.
6 Ensure you have an assigned Data Protection Officer. This individual monitors the firm’s data-protection compliance, is the point of contact for the regulator and for data subjects, and must be involved in any decision, including breach response, where client information may be affected.
7 Software: ensure the software is a supported version, is patched, and that local servers’ firewalls are switched on. Patching should also be done at the operating system level. Using a patch management process is recommended, and ensuring this is rigorously carried out and audited.
Even closer scrutiny is required when dealing with applications that directly integrate with back-end financial systems. I can’t stress enough the case for looking at COTS first; going down the path of developing your own software must only be embarked on with your eyes very much wide open.
Finally, read the SRA’s ‘IT security: keeping information and money safe’ Whitepaper. It’s an excellent document and one I often refer to when talking with our partnership.
Most common cyber threats
- Denial of service: a DDoS (distributed denial of service) occurs where websites or external-facing applications are flooded with traffic, causing the site or service to become unavailable.
- Malware: malicious software, typically arriving by email attachment, download or a compromised website, that runs on your systems to steal data or take control of them.
- Phishing emails: emails that purport to be from someone known to the organisation, or from someone within the firm; typically these emails are attempting to extract client funds or client data.
- Ransomware: like other malware, but ransomware attacks will commonly encrypt critical data and demand payment for the decryption key to unlock your data. Payment is usually demanded in Bitcoin, which makes it hard, though not impossible, to trace. So ensure your data backups are robust, kept offline or otherwise out of reach of the infected systems, and thoroughly tested by actually restoring from them.
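The phishing entry above describes the pattern a firm’s IT team sees most: a message that borrows a colleague’s name, redirects replies elsewhere, and pushes for a payment. The following is an added example, not code from this article, of a simple triage check over the message headers and body that catches that pattern. The firm domain, the staff names and the three sample messages are all constructed for illustration.

```python
"""Flag common phishing indicators in an e-mail message.

Added example (not from the article). The firm domain, staff list and the
sample messages below are constructed for illustration, not real traffic.
"""
import email
from email import policy
from email.utils import parseaddr

FIRM_DOMAIN = "examplefirm.co.uk"            # assumed firm domain
STAFF = {"Jane Partner", "Sam Cashier"}      # assumed staff display names
MONEY_WORDS = ("bank details", "transfer", "urgent", "wire")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw: str) -> list[str]:
    """Return a list of indicators found; an empty list means none fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. A colleague's name on an address outside the firm: display-name spoofing.
    if from_name in STAFF and from_dom != FIRM_DOMAIN:
        findings.append(f"display name '{from_name}' used with external address {from_addr}")

    # 2. Lookalike sender domain: carries the firm's name but is not the firm's domain.
    firm_label = FIRM_DOMAIN.split(".")[0]
    if from_dom != FIRM_DOMAIN and firm_label in from_dom:
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Replies silently redirected to a different domain.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To {reply_to} differs from From domain {from_dom}")

    # 4. Payment pressure in the body: the usual objective of a law-firm phish.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [w for w in MONEY_WORDS if w in text]
    if hits:
        findings.append("payment pressure wording: " + ", ".join(hits))
    return findings


# Constructed sample messages.
PHISH = """\
From: Jane Partner <jane.partner@gmail-mail.example>
Reply-To: accounts@examplefirm-billing.example
To: cashier@examplefirm.co.uk
Subject: Completion funds

Please transfer the completion monies to the new bank details below, urgent.
"""

LOOKALIKE = """\
From: Sam Cashier <sam.cashier@examplefirm-llp.example>
To: jane.partner@examplefirm.co.uk
Subject: Payment query

Can you confirm the wire to the client went out this morning?
"""

LEGIT = """\
From: Jane Partner <jane.partner@examplefirm.co.uk>
To: cashier@examplefirm.co.uk
Subject: Lunch

Sandwich order for Friday attached.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LOOKALIKE", LOOKALIKE), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(raw) or "no indicators")
```

None of these checks is proof on its own; the point is that a message tripping two or three of them should be held for a phone call to the supposed sender before any funds move, which is the control that actually stops the loss.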
Alex Loquens is IT director at Lodders