How secure is your clients’ confidential information?

26 Sep, 2017

As lawyers you are in an elite category of business that holds incredibly confidential personal information.  Your clients are obliged to provide you with ID immediately meaning you potentially have copies of their passports, their driving licence and a utility bill.  Further depending on the nature of the case you are taking on for them, you may details of savings and other assets, commercial investments, bank account numbers, pensions, salary, debts, children, illnesses and more.  This data is undoubtedly data that your clients would expect to be kept confidential.  Equally this data has a value to someone who may want to use it for their own purposes.

Most firms appreciate by now that improved secure technology is a good way to protect your clients’ data.  No doubt as a firm you have put various technological improvements in place to assist your information security.

But do you realise that your staff can be your biggest information security threat?

Have you considered the following which are all examples of how employees within law firms can breach your information security?

• Opening unknown e-mail attachments;
• Forwarding suspicious e-mails (internally and externally);
• Clicking links in e-mails;
• Visiting unsecure websites;
• Leaving confidential paperwork on desks;
• Sending e-mails to the wrong address;
• Sending faxes to the wrong address;
• Leaving voicemails containing confidential information.

And what about these ones?

• Holding conversations about clients in open plan reception areas;
• Allowing unauthorised individuals to wander around your office including window cleaners, maintenance contractors, children or other family of staff;
• Leaving computer screens open with e-mail, documents and systems being easily accessible;
• Taking paperwork out of the office e.g. to Court;
• Home working ;
• Working on public transport;
• Leaving work laptops and documents in cars;
• Using their own devices for work purposes – it’s fairly commonplace for staff to have e-mail access on their mobile ‘phones but what happens if they lose their ‘phone?

So what can you do to help your staff become part of the information security solution for your firm?

Robust Procedures

It goes without saying that the starting point has to be putting robust policies and procedures in place.  All firms should have something in place in this regard.  Policies and procedures should be relevant to your business.  These should not be complex or overly long but cover all the things needed to protect your firm such as e-mail usage, internet usage and document control.  Polices should be in plain English and avoid jargon (see here for what should be included in an information security policy).

Policies should be easy to access by staff and regularly updated to take account of the rapidly changing nature of information security knowledge.

Relevant Training

On policies

You can have all the great policies and procedures you like but if you don’t train your staff in their usage they are all but useless.  Staff training is essential.  All new starters upon induction should be made aware of the policies.  It is best practice to get them to sign that they have read and understood these policies.

As for existing staff, they should be trained as part of integration of the policies.   Policies should be utilised ‘top down’, so senior staff should be the advocates when it comes to using the processes and lead by example.

Staff should be made aware of the importance of the policies i.e. that they are not just there to make their job more difficult.  Staff may try to circumvent processes and procedures if they feel that they are slow.  However, frequent reminders that they are in place to provide a method for securing confidential data will help avoid this.  Further, it will probably serve you well to remind employees that as their employer you hold significant confidential data on them and therefore any data breach could have an impact upon them not just your clients.

On the basics of information security

Whilst it’s a good idea not to seek to scare employees with too much information, teaching them the basics of good information security habits/terms is a good thing.

Firstly, all employees should be made aware of the following:

• Spam;
• Malicious e-mails;
• Phishing whereby e-mail or malicious websites are used to collect personal or financial date or infect machines with malware/viruses;
• Spear phishing targeted against smaller groups;
• Password usage (see our previous article on effective password management here);
• Confidential waste and what is considered ‘confidential’;
• Data encryption in e-mails where you are sending documents;
• Securing paper files in filing cabinets;
• Clean desk policy.

Secondly, all employees should be reminded that any updates that are prompted by their computer/tablet/mobile should be done immediately.  It is easy to hit ‘cancel’ when these pop up but it is important to have the most up to date software to handle the most recent viruses and bugs.

Ongoing Training

Training of staff should be ongoing.  Even if your polices don’t change, ongoing staff training acts as a useful reminder for staff about the things they should be doing to minimise your threat of an information security breach.  Further it helps to keep on top of emerging threats and how to deal with them.  As a minimum we would suggest quarterly updates for staff.

Open reporting environment

The key thing for employees is to create a safe environment for them to report if they feel either that they have breached your information security policy or if they feel another member of staff has.  You should operate on a no blame basis where employees learn from errors to ensure that the same thing does not occur again.

For more information on information security and how ISO 27001 can help you and your staff please click here or contact our Client Services Team on 01905 670303.