Posted by Nigel Wright, managing director of Legal Futures Associate ConvergeTS 
Law firms hold a wealth of sensitive information, all of which will be subject to the General Data Protection Regulation (GDPR), which will apply in the UK from 25 May 2018.
Specifically, article 5 of the GDPR requires that personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
This blog highlights five risk areas for law firms when it comes to ensuring that IT systems are secure enough to meet your firm’s obligations under article 5.
1. A relaxed attitude to security
If your firm is growing and opening new offices or acquiring other firms, IT can become cumbersome to manage as you scale up your resources. Merging systems together and adding servers in various locations can mean security becomes a challenge.
Often it’s assumed that if you have followed all the guidelines and implemented recommended security measures, then your data should be secure. But how often do you test this theory?
It could be something as simple as a missed software update that causes your data to be stolen and systems to be down for days. And in this situation, could your firm prove that you’ve taken the appropriate steps to keep your data safe?
At the most basic level, you should have security policies in place to ensure you keep on top of patching and updates. And you should have clear file permissions set for different user levels so you know who has access to what.
You should diarise regular penetration tests on your systems and enlist the help of ethical hackers who will be able to identify the weak spots in your IT.
You should also commission a third-party review of your infrastructure to identify security risks. But it’s not all bad news – this type of audit is also likely to find improvements that can optimise performance and identify wasted resources.
Managers are often reluctant to put their IT to the test in case it reveals flaws that are expensive and cumbersome to fix. But in this situation ignorance is not bliss: many of the issues identified by this type of audit will often be simple to fix but could be catastrophic if discovered by a hacker.
2. Lack of protection against cyber attacks
Our recent blog highlighted how the GDPR heightens the risk of cyber attacks. The frequency of attacks is on the increase, and hackers are not only using ransomware to demand payment for data they are holding hostage but are now also taking a copy and selling the data online.
With firms facing increased fines as a result of the GDPR, these types of cyber attacks are increasingly becoming a concern.
With most attacks launched via malicious email attachments and websites, have you implemented basic measures to protect your firm?
The first step is to make sure your employees are informed. Do they know about ransomware? Can they recognise the signs of a phishing email? And do they know what to do if they’re unsure about any content they’ve received?
However, you cannot lay the responsibility solely with your employees, particularly when there is software out there that can protect your firm. A high-volume conveyancer may receive hundreds of emails in a day and, sooner or later, someone will get caught out.
To reduce the risk, your firm should be taking advantage of the latest email security and web filtering technology. These tools are relatively easy to implement and will immediately minimise the risk of malicious content being accessed.
3. A non-existent password policy
This one should be easy but it’s more complicated than it first appears.
Forcing users to change their password is the most commonly used strategy, which does provide some protection, but you’ll often find that people will then choose something that’s easy to memorise and simply change one digit each time. This is a problem as weak passwords are easy to crack and provide an easy route into your IT systems for hackers.
However, keeping the same password forever isn’t a good strategy either – it’s a catch-22.
Despite the risk of users choosing simple passwords, we still recommend that firms force users to change their passwords regularly. But employees should be educated to understand that using their company name, partner’s name or using the same password for everything is a bad idea.
Many firms are now adding a further layer of protection via two-factor authentication (2FA). This inserts an additional step into the log-in process to ensure your users are who they say they are. You should consider this if your users tend to log on remotely.
4. Out-of-date software
From case and practice management applications to operating systems, law firms use many different pieces of software.
Once a product reaches ‘end of life’ (EOL), it is no longer supported by the provider and, importantly, no longer receiving critical security patches. This puts your firm at risk because unsupported environments mean that known vulnerabilities are not patched, allowing hackers to easily exploit them.
You should be familiar with your hardware and software providers’ retirement calendars, and upcoming EOL products should be highlighted to your firm’s management team as a known risk. If you don’t keep track of this, how can you prove that you are meeting your GDPR obligations and keeping your IT systems secure?
The solution is clear: you need to update (if possible) or move to new software if yours is EOL. However, moving to a new case or practice management system can take up to two years and it’s likely to be costly.
Large firms will typically appoint a consultant to support such a complex project as there are many stages to implementation. As an infrastructure provider, we should warn you that newer or higher-level enterprise software often requires increased IT resource and a completely different set-up.
Even the largest firms get caught out here and costs can spiral out of control if you do not get the right advice from an IT provider who has experience of the applications you’ll be using.
Alternatively, you may have the option to pay for extended support but, inevitably, you will have to move at some point, so it pays to be prepared early. Rather than paying out for support for an old system, your budget will likely be better spent on a newer system with improved features which give your firm a competitive advantage.
5. A weak back-up and disaster recovery plan
First of all, it’s important to understand the difference between back-up and disaster recovery. Your firm will most certainly be completing regular back-ups but your back-ups may take days or weeks to restore. Disaster recovery enables you to immediately move to a secondary environment that is capable of sustaining your business continuity.
To protect against accidental data loss, it’s vital to ensure your back-ups are functional. Your back-up and disaster recovery plan does not just refer to the technology that you are using, but also to your ability to prove it’s working effectively.
The only way to identify flaws in the plan is to robustly test. To do this, you must involve employees from different departments and test for a worst-case scenario. Only then will you know how long it will realistically take to get your firm back up and running in the event of a disruption that takes down your entire IT environment.
If you discover that you cannot recover all of your data, or that you can’t do it quickly enough, you may be able to fix the issue, or you may need to look at other technologies to achieve your objectives.
There are many steps that can be taken to make IT systems secure and hopefully this blog has given you an indication of where to start.