Craig Matthews of the Legal Software Suppliers Association and CEO of Pracctice ltd gives some practical tips on IT security and how to educate your staff to minimise security risks to your practice.
The most frequently used passwords are 123456 and password. Others often used include QWERTY and abc123. For passwords that require eight characters, the most common one is, unsurprisingly, 12345678.
Most of us appreciate the importance of strong passwords. Make sure your staff use a mixture of numbers and letters, both upper and lower case. Introducing special characters can greatly improve your password strength. Passwords should be a minimum of 8 characters long, but making them too complicated can be just as dangerous as using simple passwords. The least secure password, no matter how complex, is the one you can’t remember, so you keep it on a post-it note by your monitor instead. Even the most inept hacker will be able to get into your machine if you provide them with your password. Common sense is normally the best way to keep your data safe.
The same applies to the physical security of your equipment. Introduce a clean screen policy and ensure no machines are left open and susceptible to unauthorised intrusion. A clean screen policy instructs all your firm’s employees to lock their computers when leaving their desk and to log off when leaving for an extended period of time. This ensures that the contents of the computer screen are protected from prying eyes and the computer is protected from unauthorised use. You can very quickly and easily set up your machine to lock after xx minutes of inactivity. Educating your staff on the potential threats will also help them consider how they behave and what risks are exposed by their behaviour.
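As an added example that is not part of the article, the following PowerShell check audits whether a Windows workstation actually enforces the lock-after-inactivity setting described above; the ten-minute limit and the function name are assumptions, since the article leaves the exact timeout to the firm.

```powershell
# Added example (not from the original article): audit a Windows workstation's
# inactivity lock, the technical control behind a clean screen policy.
# The 10-minute limit and the function name are assumptions; the article
# leaves the timeout as "xx minutes", so set $MaxMinutes to your firm's policy.
function Test-InactivityLock {
    param([int]$MaxMinutes = 10)

    # Group Policy values take precedence over the user's own settings.
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'

    function Get-Setting([string]$Name) {
        foreach ($path in $policyPath, $userPath) {
            $value = (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
            if ($null -ne $value) { return $value }
        }
        return $null
    }

    $active  = Get-Setting 'ScreenSaveActive'     # "1" = screen saver enabled
    $secure  = Get-Setting 'ScreenSaverIsSecure'  # "1" = require password on resume
    $timeout = Get-Setting 'ScreenSaveTimeOut'    # seconds of inactivity, stored as a string
    $saver   = Get-Setting 'SCRNSAVE.EXE'         # without a screen saver, nothing triggers the lock

    $findings = @()
    if ($active -ne '1') { $findings += 'Screen saver is not enabled' }
    if ($secure -ne '1') { $findings += 'Resume does not require a password' }
    if ([string]::IsNullOrWhiteSpace($saver)) {
        $findings += 'No screen saver selected, so the lock never triggers'
    }
    if (-not $timeout -or [int]$timeout -gt ($MaxMinutes * 60)) {
        $findings += "Timeout is '$timeout' seconds; policy allows at most $($MaxMinutes * 60)"
    }

    $timeoutMinutes = $null
    if ($timeout) { $timeoutMinutes = [math]::Round([int]$timeout / 60, 1) }

    [pscustomobject]@{
        Compliant      = ($findings.Count -eq 0)
        TimeoutMinutes = $timeoutMinutes
        Findings       = $findings
    }
}

# Usage: report this workstation; wrap in Invoke-Command to audit every machine in the firm.
Test-InactivityLock -MaxMinutes 10 | Format-List
```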
The General Obligations of the CQS Protocol stipulate that “…all incoming data is loaded on the system and made available to the person dealing within a day of receipt…”, which points towards an expectation that to work efficiently you must use automated systems. When using automated systems you must ensure that you and your staff are using them safely and securely.
Restrict physical access to your hardware and backups, and ideally utilise secure Hosted Services for critical data and applications, as the levels of security provided by such suppliers will be far in excess of that available to any one individual firm. This way your data will be safe and secure and will also be replicated and backed up. You should also know where these data centres are, and your software provider should be more than happy to arrange for you to visit them if you wish.
SRA regulation requires that “where you outsource legal activities or any operational functions that are critical to the delivery of any legal activities, you ensure such outsourcing is subject to contractual arrangements that enable the SRA or its agent to obtain information from, inspect the records (including electronic records) of, or enter the premises of, the third party, in relation to the outsourced activities or functions;” Clause 7.10 (b). It is of paramount importance that not only can you trust your software provider but that they also consider your responsibilities and factor this into their product and service.
With the proliferation of emails comes new threats to your firm. Again, by following sensible precautions you can mitigate these risks. The first is to ensure that your email provider uses both anti-spam and anti-virus protection. It’s often recommended to use two different anti-spam and anti-virus products to reduce even further the risk of rogue emails reaching your mailbox. Although anti-spam and anti-virus filters will help greatly, they will not be 100% accurate and some unwanted email will still make its way to your computer. It is therefore crucially important that you do not open emails from unknown senders or emails that appear suspicious. Only open attachments if you trust the sender and are expecting to receive an attachment from them. If you are unsure, err on the side of caution and telephone the sender to confirm that the email and the attachment are legitimate. Never send emails that contain personal information, passwords or usernames. Any organisation that genuinely requires this kind of information will have policies in place to request it and will not simply ask for it via email. Again, if in doubt, err on the side of caution.
If the trends in cybercrime continue, the methods used will become more complex and the scams more elaborate and convincing. Taking a practical approach to your IT security and educating your staff on the potential risks will be a major step forward and will help your firm avoid falling victim to cybercrime.