These days, much of our work is digitalised. Organisations adapt their business strategy and processes to a more data-driven approach. This has a lot of advantages, but it also comes with a risk, as many of these processes contain personally identifiable or sensitive information. This, in turn, means a higher risk of data breaches and could potentially even lead to reputational damage.
For law firms specifically, digitalisation has a big impact. Law firms process a lot of personal data, not only about clients, but also about managers, executives, … Holding sensitive customer information is a growing trend, which makes a law firm a reasonable target for cyber attackers. Some of the most prestigious firms, as well as smaller ones, have already had to deal with being hacked. So, why should information security be one of your priorities right now, and how do you go about it?
Reputation is everything.
Data breaches or the disruption of your business operations can cause financial losses and damage to your organisational reputation. This kind of reputational damage can also negatively affect your competitive edge. Implementing sound measures sends a signal of your organisation’s trustworthiness to customers, third parties, stakeholders and business partners. It also helps you build a stronger reputation and increases confidence in your organisational practices. Information security can thereby become a driving force behind your organisation’s quality assurance efforts.
Where is all your information stored?
A lot of organisations struggle with mapping their information structures (where is the information, where is it coming from, why is it collected, how is it processed, what is the processing goal, etc.). For personal data, organisations are legally obliged by the GDPR to know what personal data is being processed. You need to keep track of this in your Records of Processing Activities (RoPA). Non-personal data can also be added to this document, so that you have all of your data processing activities in one comprehensive data register.
Who wants to steal your information?
You might be wondering who on earth would want to steal your organisation’s data. Smaller organisations in particular often struggle to see the importance of data security. Yet there are plenty of criminals who might be interested in your data:
- The hacktivist: someone who hacks for social or political purposes. They are mainly triggered by what they consider “unfair”.
- Organised crime: a group of hackers who combine their knowledge and resources to commit major crimes. Think of ransomware deployed to obtain ransom money.
- Competitors: they could reap benefits from gaining your information, for example by using it to win court cases.
- Nation-states: these are also important attackers. They attack another nation-state to defend national sovereignty and project national power.
- Insiders: think of unhappy employees. They could sell the information, or simply steal it and damage the reputation of your company.
How would they try to steal your information?
The individuals mentioned above can steal data or cause continuity problems within your organisation in several ways. The most common are social engineering (such as phishing), malware and ransomware.
- Social engineering involves manipulating people into performing certain actions or disclosing information.
- Phishing is a type of social engineering: the attacker sends a fraudulent message with the aim of tricking the target into revealing sensitive information.
- Malware is software designed to disrupt a system or gain unauthorised access to it.
- Ransomware is currently the most common and best-known attack method. It blocks access to a system until you pay a certain amount of money.
All these attacks impact the confidentiality, integrity, or availability of your organisation’s data. Often people think that a data breach or incident is just the leaking of data. However, this is only the case when we talk about a breach of confidentiality or unauthorized access. A breach of integrity means that the data is somehow corrupted and cannot be trusted. A breach of availability happens when you can’t access the information and the continuity of your business is disrupted.
Any information security management measures you take will reduce the likelihood of a breach of the confidentiality, integrity, or availability of information.
How can you protect important information?
The IT manager isn’t the only one who is responsible for information security. Any employee within a company can take measures to reduce risk. It starts with common sense. Good practices, such as deleting documents when they are no longer needed and storing them securely, are good first steps. In practice, this means setting up and following through on a well-rounded retention policy and strategy, shredding documents and not leaving them unattended on desks. Digital documents should likewise be stored securely and, where possible, encrypted.
Other examples are:
- Don’t be fooled by social engineering: think twice before handing over certain information or before clicking on a link.
- Use strong passwords and use a password manager (for example LastPass).
- When you expect visitors, always accompany them, and never let them out of your sight.
- Work with a visitor pass.
Congrats! You’ve just conducted a Risk Assessment!
If your organisation collectively keeps the above-mentioned good practices in mind, it means you are taking a risk-based approach.
Not every organisation is the same and therefore not every information security approach is the same. Every organisation has different risks depending on the nature of the organisation, the type of data one processes, core business, size, etc. Therefore, it is important to take a risk-based approach. If you already consider everything we have discussed above, then you are already doing that! If you want to manage your information security better or do so according to certain standards, there are also frameworks and standards that can help. This is how you get a sustainable and workable information security management system (ISMS).
The best-known standard for information security is ISO 27001. This risk-based framework explains, at different levels, what your organisation should implement in your ISMS based on the risks you face as an organisation. Any ISMS contains policies and procedures on organisational and technical measures. ISO 27001 groups these organisational and technical measures into four categories:
- Organisational controls
- People controls (HR related)
- Physical controls
- Technical controls
When you as an organisation implement these controls, you can obtain a certification. Since the development of information security does not stand still and there are always new threats, your ISMS must also be kept up to date by means of the plan-do-check-act cycle. This means you think about what should be in place (plan), implement it (do), review the controls that you have implemented (check), and improve and act upon developments and updates (act).
Are you considering obtaining ISO 27001 certification? Or would you like to gain insight into what it would mean for your organisation? CRANIUM has already completed several successful ISO 27001 certification projects. We gladly support you further in the area of information security and/or ISO 27001!
In collaboration with Annick Montulet, Lina Stroobants, Marloes De Bruin and Vanessa Knez.