The secret's out - hackers have their sights firmly set on organisations handling sensitive personal and financial information. Cyber attacks on UK law firms, for example, jumped 20% from 2014-15 to 2015-16, with nearly three-quarters (73%) of the country's top firms targeted over the past year, according to PwC research.
The stakes couldn't be higher, with punitive fines and reputational damage facing those who fail to take data protection seriously. So, what can law firms and other professional services businesses do to fight back?
The truth is that corporate databases represent a goldmine for hackers, whether state-sponsored or financially motivated. M&A deals in particular are a hugely attractive target for nation state spies looking for intelligence that could help them in geopolitical campaigns.
Sensitive data held by law firms can be abused for profit: in December 2016, three Chinese nationals were indicted in the US after allegedly making over $4m from an insider trading scam using data stolen from unnamed legal practices.
Many organisations don't just handle highly sensitive IP and financial data but also personally identifiable information (PII). UK privacy watchdog, the Information Commissioner's Office (ICO), says there has been an 18% increase in PII-related incidents over the past quarter.
That's bad news considering that the forthcoming EU General Data Protection Regulation (GDPR) could increase fines for non-compliance to up to 4% of global annual turnover or €20m, whichever is higher. That's up from current maximum ICO fines of £500,000.
The new regulation covers not just loss or theft of PII, but could also apply to any attacks that involve "unauthorised access" to or "unlawful destruction" of personal data. That means the GDPR could cover outages caused by ransomware, one of the biggest threats to modern organisations, which ripped through a number of law firms recently.
Many of the challenges associated with data protection come from the increasingly mobile nature of the workforce. Data often has to be carried and stored outside of the office, putting it at risk of theft or accidental loss. In fact, loss or theft of paperwork and unencrypted devices were two of the top causes of breaches in 2015/16, according to the ICO.
A combination of people, process and technology can make organisations a less attractive target for hackers. Consider the following to help mitigate data breach risks:
- Run a comprehensive security awareness programme for employees.
- Extend security policies to partners and contractors.
- Implement and enforce strict secure remote working policies.
- Encrypt all sensitive data at rest and in transit, especially on removable storage devices.
- Tighten access controls: roll out two-factor authentication for accounts and limit the number of privileged accounts.
- Establish and rehearse an incident response plan.
- Deploy advanced anti-malware at the endpoint, network, gateway and server layers.
- Ensure patches are deployed promptly and IT systems are configured securely.
- Continuously monitor all IT systems to spot intrusions early.
Sponsored post. Copyright © 2017.
John Fielding is managing director of Apricorn EMEA, manufacturer of software-free, hardware-encrypted USB drives.