In my last blog post I talked about the importance of securing your information systems from internal threats with appropriate access control measures.
In today's article I want to talk about the other side of the coin: securing your information systems from external security threats.
We only have to open a newspaper or turn on the news these days to hear about some new cyber security threat or data breach that has occurred. Showing that you have protected your firm’s personal data against such breaches forms an important part of GDPR compliance, and as such needs to be factored into your processes and procedures when preparing for GDPR.
There are a wide range of factors to consider here, which will include:
1. How is your network secured from threats like malware, ransomware and hackers?
In days gone by, a firewall and some antivirus software would largely do the job, but with the constantly evolving threat landscape this is no longer the case, and a much more sophisticated suite of business procedures, processes and technologies is needed to provide full protection.
2. What are your procedures for applying security updates to your systems?
New security threats are emerging daily, and software vendors are releasing a constant stream of fixes and patches to mitigate the risks from these threats. It is therefore critical that you apply these security fixes to your servers, PCs and laptops in a timely fashion. Indeed, timeliness has become even more important, since some cyber criminals now reverse engineer the fixes released by vendors such as Microsoft to see which vulnerabilities have been fixed, and then use that information to directly target those vulnerabilities in customers who have not yet applied the appropriate update to their systems.
3. What are your procedures around physical security of your servers and IT equipment?
Having good cyber security in place is critical, but if someone can walk into your building and pick up a laptop or access your server room, then the very best cyber security systems can be rendered useless.
4. How do you manage secure disposal of old PC and server equipment?
Equipment that is end-of-life and being replaced will often contain confidential business data or emails, so it is important that it is properly wiped, and certified as such, to guarantee that the data cannot be recovered.
5. How are your staff educated to ensure they are aware of the latest cyber security threats?
It is all too easy to click on seemingly legitimate attachments or web links that actually contain malicious code, and with new threats constantly emerging, the vigilance of your staff in spotting such scams forms an important part of your defence strategy.
6. How and when are your procedures around cyber security reviewed and updated?
Given the constantly changing threat landscape, it is critical that procedures and controls around cyber security are regularly reviewed and updated.
I hope this has given you a useful insight into some of the key areas to consider around cyber security when preparing your law firm for GDPR. Should you need help in assessing your readiness for GDPR, or advice on technology solutions that will assist with GDPR compliance, such as Epoq IT's MySecurity service, which provides expert security management of all your systems for an affordable monthly fee, please do not hesitate to contact me on (01494) 444065 or email email@example.com.