Read the original article by Steve Whiter, Appurity Managing Director, on law.com
Cybersecurity 101: Politicians show us what not to do
Falling foul of data protection and cybersecurity practices is a nightmare scenario for every diligent firm. For some of the UK’s most high-profile politicians, this nightmare recently became reality.
Last month, reports revealed how former Prime Minister Liz Truss’s phone had been hacked earlier this year, with attackers gaining access to sensitive information – including discussions about the Ukraine war with foreign officials. In tandem, Home Secretary Suella Braverman also demonstrated bad cybersecurity practice when it was revealed that she had been using her personal mobile device for work-related communications.
Instances like these should be a caution to everyone working in, or with, regulated industries. In the legal sector, not unlike in politics or national security, organisations and individuals are expected to adhere to the highest data protection standards. When a security breach happens, the consequences are severe.
What went wrong for Truss and Braverman, and what can firms take away from these mistakes to ensure their workforce is protected, secure, and taking cybersecurity seriously?
Strengthen your BYOD policies
Firms know that their lawyers use personal devices and communications tools – email, SMS, WhatsApp – to communicate with clients and conduct business.
These tools can be a net positive for firms, with quick response times improving client relations and building trust. But without a robust strategy in place for how personal devices and communications tools are used across a firm, compliance and regulatory issues could arise.
Take Braverman’s security breach, which could have been easily prevented. With the right technologies and tools in place, it is straightforward to prevent sensitive emails, or those marked as confidential, from being forwarded. Similarly, if a user tries to download or move a sensitive file to their personal phone, that action can be managed and constrained.
Critically, mobile devices can and should be protected in all circumstances. BYOD policies and the use of messaging or social apps don’t need to be written off altogether. But a firm must always have a grasp of the devices used across its entire fleet – even personal mobiles or laptops used to access corporate data. Visibility is key and will ultimately help protect firms against potential breaches.
Introduce mobile threat defence
To protect against potential attacks, and to ensure their data is protected, firms should implement mobile threat defence software on all devices as a minimum. Many businesses have policies that encourage users to install this kind of software. But for the most robust protection against phishing, malware and other forms of attack, encouragement is not enough. Instead, firms should require this software to be installed across any and all devices that are used to access corporate data and networks.
Mobile threat defence software brings several benefits for those within regulated industries.
Firms should look for a threat defence solution that continuously performs risk assessments across all endpoints in their fleet. By doing this, firms gain in-depth risk insight and behavioural analysis of how devices are used across the organisation, and can see where the gaps, weaknesses or vulnerabilities are. With this kind of information, firms can act to strengthen their defences before an attack has taken place.
Compliance is everything, and with the right mobile threat defence software in place, firms can integrate their specific access and compliance requirements. What this means in practice is that if, for example, a device is hacked, a firm’s corporate data or documents can be protected from being accessed. These granular data access and control permissions can be set at the organisational level and monitored continually, to provide the highest level of security for a firm’s devices.
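As an added illustration of the posture-driven access control described above, and of the forwarding restriction mentioned earlier, here is a small policy evaluator. It is example code written for this page, not Appurity’s product or any mobile threat defence vendor’s API; the posture signals, risk levels, data labels and sample devices are all assumed.

```python
from dataclasses import dataclass

# Device posture as it might be reported by a mobile threat defence (MTD)
# agent. All signals, risk levels and data labels below are constructed for
# this example; they are not a real vendor's schema.
@dataclass
class Device:
    device_id: str
    enrolled: bool             # present in the firm's device inventory
    mtd_installed: bool        # threat defence agent installed and reporting
    compromised: bool          # MTD flagged jailbreak/root or active malware
    os_outdated: bool          # missing OS security patches
    untrusted_network: bool    # connected via an unknown Wi-Fi network

def risk_level(d: Device) -> str:
    """Collapse posture signals into 'low', 'medium' or 'high' risk.
    Unmanaged, agentless or compromised devices are always high risk."""
    if not d.enrolled or not d.mtd_installed or d.compromised:
        return "high"
    if d.os_outdated or d.untrusted_network:
        return "medium"
    return "low"

# Actions permitted per data label and risk level (anything not listed is
# denied). Confidential material may be read on a healthy managed device
# but never forwarded or downloaded, which is the forwarding control the
# article refers to.
POLICY = {
    "public":       {"low": {"read", "forward", "download"},
                     "medium": {"read", "forward", "download"},
                     "high": {"read"}},
    "internal":     {"low": {"read", "forward", "download"},
                     "medium": {"read"},
                     "high": set()},
    "confidential": {"low": {"read"}, "medium": set(), "high": set()},
}

def decide(d: Device, label: str, action: str) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown labels or actions are denied."""
    level = risk_level(d)
    allowed = POLICY.get(label, {}).get(level, set())
    ok = action in allowed
    return ok, f"{d.device_id}: {action} on {label} {'permitted' if ok else 'blocked'} (risk {level})"

if __name__ == "__main__":
    fleet = [Device("laptop-01", True, True, False, False, False),
             Device("personal-phone", False, False, False, False, False)]
    for dev in fleet:
        print(decide(dev, "confidential", "forward")[1])
```

The decision is evaluated at the time of each action, so a device that the agent later reports as compromised loses access to confidential data without any change to the policy table.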
Protect against human error
Mobile devices are more exposed than ever to sophisticated attacks, as users respond at speed, on the go, often without thinking about the implications of the files they’re sending, to whom they’re sending them, or even the networks they’re connected to. Users are the biggest threat to any organisation’s cybersecurity, and bad actors know this. Unfortunately, innocuous mistakes can cause severe operational and reputational damage, not to mention regulatory and compliance violations.
With this in mind, all firms should consider how to strengthen their human defences with ongoing security training that includes best practices specifically for securing devices and protecting corporate data.
Earlier this year, a social engineering test by Appurity showed that, on average, 25% of law firm employees will click on phishing links within email and SMS messages. With phishing attacks becoming more advanced, more frequent, and distributed through ever-increasing means (social media, messaging apps, email and SMS included), keeping users up-to-date on emerging threats and how to spot them is a crucial step in any organisation’s cybersecurity strategy.
Security and data breaches can – and do – happen. And the recent cases of cybersecurity malpractice in the British government show that mistakes are made even by high-profile individuals working in industries that should take cybersecurity seriously.
This is why it’s important for firms to strengthen their cybersecurity defences: make employees aware of the risks, have complete visibility and control over every device used for work, and leverage software and technologies to protect devices against malicious attackers, malware and spyware.
If implemented correctly, these suggestions will help firms protect their own, and their clients’, critical data.