How easy is it for your intranet to get hacked, perhaps with unauthorized data and document downloads? And how can you reduce the risk of confidential information falling into the wrong hands? John Nicklin, MD of intranet specialist – Sorce – explains.
No firm is too big or too small to suffer online security breach as stressed by the recent report by the UK government’s intelligence, security, and cyber agency (GCHQ), which warns law firms about current cyber security threats.
In fact, 32 per cent of U.K. businesses and 24 per cent of U.K. charities have experienced breaches or attacks within the last 12 months.
This figure rises to 69 per cent for large businesses, with the single most disruptive breach from the last 12 months costing each business an average of £1,100.
And if the Information Commissioner’s Office (ICO) becomes involved, the financial penalties could run into tens of thousands of pounds. But such breaches aren’t just about financial loss.
Given the sensitivity and vast amount of data that law firms manage, the publicity of a leak could do untold reputational damage.
With the legal sector being one of the most at-risk industries when it comes to both accidental and intentional data breaches involving the likes of malware and phishing, it’s surprising that some firms are still without secure systems for safely storing and accessing their information.
It’s all too common to find sensitive data and documents stored on local networks without adequate IT controls in place. With such a set-up, the risks of a data breach are highly likely.
For instance, leading criminal law firm Tuckers was fined £98,000 by the ICO after a ransomware attack that encrypted nearly a million files exploited its poor IT security.
Tuckers’ IT systems simply weren’t fit for purpose with the ICO saying that the data breach occurred “due to a criminal and malicious cyber-attack that exploited negligent security practices”.
Strong IT security requires storing documents and information on a cloud-based intranet platform with robust cyber-security.
If firms choose to go down this route, there must be a multi-layered approach to security to ensure that the firm’s infrastructure, endpoints, mobile devices and internet connections are all adequately protected.
For instance, any integrations into the intranet mustn’t expose any vulnerabilities that external parties could use to gain access to the system. Plus, there must be the option of having sensitive data encrypted.
An access control system will also ensure that certain information and parts of the intranet are restricted so that only approved groups or individuals are assigned permissions to access it.
This can include restrictions on page content, navigation and functionality as appropriate. For instance, when setting-up an ‘onboarding hub’, new starters are only permitted access to limited information such as training resources, policy documents and team contact details. The HR, finance and compliance teams may also want to introduce restricted page access.
To make intranet access highly secure, multifactor authentication (MFA) should be provided as an option as this requires the user to provide two or more verification factors to gain access.
Alternatively, users could use single sign-on (SSO), which is when employees can access a range of apps, including the intranet, through a single password log-in.
The advantage of this approach is that employees only have the one password to remember, meaning it’s easier to enforce a strict password policy in terms of password complexity and the need to regularly change passwords.
Of course, the intranet system must be backed-up regularly, and it’s important to have in place robust ongoing support from the intranet supplier, especially if the firm is lacking internal IT expertise.
This will ensure the system is kept up-to-date and the provider can offer guidance to ensure there are no weaknesses that hackers could exploit.
It must be noted however, that an intranet system is only as secure as the policies and procedures that surround it.
It’s no good having a highly secure intranet if employees are then accessing it through unsecured devices or networks, including via home networks with weak WiFi passwords.
With 61 per cent of employees using their own mobile phones and 44 per cent using their own laptops for business purposes, a strict policy around the use of personal devices for accessing confidential data and documents must be in place.
Keeping data and documents secure can prove a complex process, however it’s made considerably easier when the underlying technology used to store, share and access sensitive and confidential information has been designed with security in mind.
Failure to invest in the right technology is simply inviting a data breach, and who wants to do business with a law firm that can’t be trusted with a client’s most precious secrets?
