Law firms need to take steps across the firm to secure data including unlikely access points like printers, says HP's Gary Tierney.
Advances in technology have made data a legitimate currency in 2015. Used properly, it can fuel a law firm’s growth, giving it the ability to delve through complex case histories or grant access to a client’s financial records at the touch of a button. But what of the risks associated with firms becoming this goldmine of data? And more pressingly, how prepared are law firms to protect this incredibly valuable – and sensitive – data?
With threats ranging from home-grown hacktivists to international spies, organisations across the globe need air-tight network infrastructures. But with a store of sensitive, confidential and often commercially valuable client data on file, law firms are starting to register on the radar of cyber criminals.
What’s more, the threat has exploded exponentially in recent years due to the proliferation of devices and access points that are now able to collect, transmit and store sensitive data. As the threat of cyber-security breaches has increased, protecting sensitive client data has become a major concern for Partners, boards and IT departments alike.
In light of these risks, the ICO issued a warning to law firms following a string of data breaches, reminding them that a serious breach of the Data Protection Act could result in a fine of up to £500,000. While most law firms will have the basic security procedures in place, the techniques adversaries use to infiltrate an organisation’s network are becoming more innovative, particularly if the reward on the other side – in this case sensitive and potentially valuable client data – is deemed worth the effort.
Securing from the ground up: from hard-drives to printers
In the current climate of headline-grabbing cyber-hacks, it’s not uncommon for clients to demand that their law firms take steps to guard against security breaches and intrusions that could compromise their sensitive information. The New York Times reported last year that some have even banned flash drives or storing files on portable devices – like tablets or mobiles.
Computers and servers tend to be the first technologies to be secured within any IT infrastructure. Yet businesses often overlook “behind-the-desk technologies” like printers. In fact, 90 percent of organisations have suffered data loss through unsecured printing according to a June 2014 study by Quocirca.
Printers pose an unlikely access point to an organisation’s data. From sensitive documents being left on output trays, to control panels or physical data storage devices being tampered with, the office printer can be a clear way in to an organisation’s sensitive information. Organisations are now also faced with the added risk of data being intercepted by hackers as it’s electronically transferred to the printer.
To keep client data secure, any law firm’s data security strategy should include, as fundamental components, two-step verification processes – additional personal password protection that prevents specific systems from being accessed by unauthorised users – as well as data encryption.
Any policy should also include tightening file protection policies and security groups, again to prevent data falling into the wrong hands. Firms should also consider using security information and event management (SIEM) technologies to track user activities and ensure that data is not being accessed or used inappropriately.
However, it is also important that security solutions reflect how people work, which is why many of HP’s LaserJet Pro devices help users to work smarter by allowing them to scan and send digital files directly to the cloud, email, network folders or a USB drive, or to access content quickly and launch tasks from the touch screen. They also allow users to securely store print jobs, then print only what they need via secure authentication.
PINs or other user-ID verifications can help to reduce these risks as well, as can using printers fitted with physical locks and shielding on input trays and data storage points to avoid theft or loss of documents. Data encryption protocols can also prevent documents from being intercepted while travelling across a network, whilst advanced security controls and authentication through PINs, biometric solutions or smart cards, which have to be used before access is granted, can also secure a device’s control panel.
Beyond this, it is also crucial that firms implement robust monitoring to identify any potential vulnerabilities or threats, be they internal or external. This needs to be accompanied by up-to-date incident response plans so staff act swiftly and decisively in the event of a breach.
A new cyber-threat landscape for law firms
Research carried out by the Ponemon Institute earlier this year found that cyber-crimes continue to be very costly for organisations; the mean annualised cost for 38 benchmarked organisations is £3.56 million per year, with a range from £544,964 to £14 million each year per company. Clearly, this underlines that firms need to understand their vulnerabilities. Once firms know how they could be attacked, they can start to protect themselves from security breaches.
One thing is clear, however: this is a challenging and advanced threat landscape for law firms, and one they will need to traverse with caution and skill, sooner rather than later.
With so many threats to data security, devising a protection mechanism that works for your firm will involve planning, testing and refining your strategy. Staff need to know what is expected of them and their own personal responsibility for keeping information safe. But keeping data secure also involves using the tools available to plug gaps in your technology and print infrastructure, and making sure that security is reviewed and updated regularly.
Gary Tierney is Category Director Printing & Personal Systems Group, HP (UK & Ireland)