Data aware! A barrister’s guide to security

A post about the data you keep and what you can do to protect it.

Today’s fascinating webinar from The Register, delivered by Richard Cassidy, highlighted the current crisis in cybersecurity and what we should be doing about it.

Is your clients’ data safe under your chambers’ cyber security? The answer is unequivocally ‘no’. The Information Commissioner’s Office (ICO) Article 25, hand-in-hand with Bar Standards Board Core Duty 6, will be unforgiving if you haven’t taken reasonable steps to ensure your own cyber-resilience.

The prize that cyber criminals seek, says Richard Cassidy, is the data you store. Data has value: either in itself, as information that an attacker may use or sell on, or as an extortion tool once the attacker can freeze, isolate, corrupt or copy it. You don’t have to be big business or a PLC to be a target; you just have to be ever so slightly vulnerable.

Further to my February post, here are some further simple protective steps that require little expense and no technical expertise on your part. They will not give you complete protection, but they may go some way towards reducing your risk.

  1. Know precisely where your ‘client data’ is stored and keep it in one securely protected location, rather than spread across several applications. If it is stored locally, that may be a separate secure detachable drive that is kept disconnected from the network, or it may be encrypted in the cloud.
  2. Encrypt as you go: end-to-end email encryption converts your data into ciphertext, which is of little or no value to anyone who intercepts it. Google and Apple’s iOS will encrypt your data by default. Using a secure email gateway such as Microsoft Defender for Office 365 adds protection to the information you send. Data stored with some, but not all, cloud providers is automatically encrypted whilst at rest, and frequently whilst in transit too. Clearly it is vulnerable whilst open on your device.
  3. Anonymise your precedents. Don’t retain identifying features of a client, e.g. name, address, contact details, bank/investment details, names of their children or the location of their schools. Replace all personal information with symbols (*%$&), retain the anonymised document as your precedent, and use ‘find and replace’ to substitute the new matter’s data for the symbols in a copy.
  4. Remove all non-current data (old billed cases) from your devices. If you need to store data locally (to meet professional regulatory requirements), move it to a detachable drive that is kept disconnected from the network. If you use or transfer it to cloud storage, especially OneDrive, remember to cull old data that is no longer required.
  5. Import data intelligently. Remember that a single unchecked attachment may be all it takes to give an attacker access to your device and data.
  6. Export your data intelligently. Always double-check the destination address and make sure that attachments do not carry data you did not intend to send.
  7. Remember that every email you send exposes metadata, including your address. Hackers will use your email address for phishing, for tricking you into installing malware, and for exploiting the apps that you have permitted to access your media accounts.
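Step 3 above describes a two-stage workflow: strip identifying details out of a document once, keep the stripped version as the precedent, then fill a copy for each new matter. The short Python script below is an added illustration of that workflow and is not part of the original post. It departs from the post in one respect: instead of one symbol string (*%$&) for every field, it uses a distinct named placeholder per field (such as {{CLIENT_NAME}}), so that a later find-and-replace cannot put the wrong value in the wrong place, and so that the script can check that nothing identifying survived and that no placeholder was left unfilled. The sample draft and the names, address and account details in it are constructed for the example and do not refer to anyone.

```python
import re

# Constructed sample draft and the identifying details it contains (fictional).
SAMPLE_DRAFT = (
    "Re: Jane Example of 12 Sample Street, sort code 00-00-00, "
    "account 00000000. Her son Tom attends Example Primary School."
)
SAMPLE_IDENTIFIERS = {
    "CLIENT_NAME": "Jane Example",
    "ADDRESS": "12 Sample Street",
    "SORT_CODE": "00-00-00",
    "ACCOUNT": "00000000",
    "CHILD_NAME": "Tom",
    "SCHOOL": "Example Primary School",
}

# A placeholder looks like {{FIELD_NAME}}; the field name is captured.
PLACEHOLDER = re.compile(r"\{\{([A-Z_]+)\}\}")


def anonymise(text, identifiers):
    """Replace each identifying value with its named placeholder.

    Longer values are replaced first so that a short value (a first name)
    cannot break up a longer value it is part of (the full name). Word
    boundaries stop a short value such as "Tom" matching inside "Tomorrow".
    """
    for field, value in sorted(identifiers.items(), key=lambda kv: -len(kv[1])):
        pattern = r"\b" + re.escape(value) + r"\b"
        text = re.sub(pattern, "{{" + field + "}}", text)
    return text


def surviving_identifiers(precedent, identifiers):
    """Return any identifying values still present after anonymisation.

    An empty list means the precedent is safe to keep.
    """
    return [value for value in identifiers.values() if value in precedent]


def leftover_placeholders(text):
    """Return the placeholders that were not filled in a populated copy."""
    return PLACEHOLDER.findall(text)


def populate(precedent, new_values):
    """Fill a copy of the precedent with a new matter's details.

    Raises KeyError if a placeholder has no value supplied, so a half-filled
    document is never produced silently.
    """
    return PLACEHOLDER.sub(lambda m: new_values[m.group(1)], precedent)


if __name__ == "__main__":
    precedent = anonymise(SAMPLE_DRAFT, SAMPLE_IDENTIFIERS)
    print("Precedent:", precedent)
    print("Survivors:", surviving_identifiers(precedent, SAMPLE_IDENTIFIERS))
    new_matter = {
        "CLIENT_NAME": "John Sample",
        "ADDRESS": "3 Test Lane",
        "SORT_CODE": "11-11-11",
        "ACCOUNT": "11111111",
        "CHILD_NAME": "Ann",
        "SCHOOL": "Test Academy",
    }
    copy = populate(precedent, new_matter)
    print("Copy:", copy)
    print("Unfilled:", leftover_placeholders(copy))
```

The check functions are the point: a precedent that is reused for years should be confirmed clean once, when it is made, and each populated copy should be confirmed complete before it leaves chambers. The script works on plain text; a Word document would need its text extracted first, which is an assumption outside the scope of this example.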

Large language models will in time bring greater awareness of anonymised activity and of risk potential, but they will never be the solution to keeping thieves away from your data. According to Richard Cassidy, our data estate is to increase sevenfold in the next five years. If you don’t manage it now, that is a heck of a lot of data to watch over in 2031!

Advertisements appearing within or below this post are placed by the platform, not the poster. They are neither monetised nor endorsed.
