Risk-based assessments

Make a risk-based assessment of your firm’s information security requirements. Take these steps to make information security part of your normal business risk-management procedures. Disseminate key security principles among your staff to ensure they become part of your firm’s culture.

  • Ask if others have been affected – consider whether your firm could be a target. Ask around to see whether any of your major clients or any similar firms in your area have been attacked, so you can learn from their experiences.
  • Carry out an audit of any assets that are potentially at risk – identify the financial and information assets that are critical to your firm, and the IT services you rely on, such as the ability to take payments via your website. Assess all the IT equipment within your firm, including mobile and personal IT devices. Understand the risks to these by considering how they are currently managed and stored and who has access to them.
  • Assess strength of passwords – assess the levels of password protection required to access your equipment and/or online services by your staff, third parties and clients, and whether it is enough to protect them.
  • Policy on data security – you should prepare and issue a clear policy on data use to staff. Appoint a member of staff to oversee the policy, which should include: advice to your employees on the use of business internet facilities for their personal matters; use of social media; and policies on bring your own device (BYOD).
  • Education and training – education, which can take many forms, is at the heart of understanding the scope and breadth of data protection. Ensure that your staff have read this guide and have received appropriate awareness training, so that everyone understands their role in keeping the firm secure. As well as explaining procedures, the training should incorporate advice on the risks the systems are designed to avoid and their potential consequences.
  • Expert advice – decide whether you need to seek expert advice to get the right security controls in place for your firm.
Systems and security controls

Many security safeguards will be built into your computer systems, including anti-virus software, algorithms that check for unusual activity, automatic backup and so on. Ensure that your IT systems are fit for purpose. Take these steps to put security controls in place for your firm.

If you use third-party managed IT services, check your contracts and service level agreements, and ensure that whoever handles your systems and data has these security controls in place.

  • Malware protection – install anti-virus solutions on all systems and keep your software and web browsers up to date.
  • Network security – protect your networks, including your wireless networks, against external attacks by using firewalls, proxies, access lists and so on.
  • Secure configuration – maintain an inventory of all IT equipment and software. Identify a secure standard configuration for all existing and future IT equipment used by your business. Change any default passwords.
  • Manage your user privileges appropriately – allow staff and third parties minimal access to IT equipment, systems and information. Access controls should be allocated on the basis of business need. Keep items physically secure to prevent unauthorised access.
  • Restrict access to inappropriate websites – this will lessen the risk of being exposed to malware. Create a policy governing when and how security updates should be installed.
  • For solicitor signatures, encourage use of Smartcard Digital Signatures – there are several issues around both wet and digital signatures, but in many settings a digital signature will offer greater certainty and security. The signature also “locks” the document and prevents any amendment – compared to a paper contract where a page could be carefully removed and replaced, for instance. There is further advice on this on our website.
  • Encrypt sensitive data – ensure that sensitive data is encrypted when stored or transmitted online so it can only be accessed by authorised users.
  • Removable media – restrict the use of removable media, such as USB drives, CDs, DVDs and secure digital cards, and protect any data stored on such media to help stop data being lost and to prevent malware from being installed.
  • Cloud computing – cloud computing is in common use. Make sure that you and your employees recognise when a cloud-based system is being used and when it might not be appropriate to send or store information via a cloud-based system.
  • Reduce risk of invoice hijacking – ensure your firm’s anti-virus software is up to date; warn your clients never to send funds to a new account without speaking to the relevant person in the office first; remind clients to check the addresses of any emails purportedly sent by your firm, particularly if they relate to payment of funds. More information on how to avoid invoice hijacking is included in the Lockton guidance (locktonlaw.scot). Consider adopting a cybercrime disclaimer warning on your terms of engagement letters and as a footer on all correspondence. This could advise that the firm’s bank account details will not change during the course of a transaction; the firm will not change bank details via email; and that clients should check the account details with the firm in person if they are in any doubt.
Reviewing systems and procedures

Take these steps to review your security and respond to any changes or problems you identify, including attacks or disruption to your firm.

  • Ongoing monitoring – test, monitor and improve your security controls regularly to manage any change in the level of risk to your IT equipment, services and information.
  • Disposing of programs or physical devices – remove any software or equipment that you no longer need, ensuring that it contains no sensitive information.
  • Managing user access – review and manage any change in user access, such as the creation of accounts when staff members join the firm and deletion of accounts when they leave.
  • Your firm’s website – websites can be altered fraudulently, and without a firm’s knowledge, to include the insertion of false email addresses and phone numbers, leading to clients being lured into providing personal details or paying money into the wrong account. Check your own website regularly or get an outside agency to do so.
  • Post-breach review – if your firm is disrupted or attacked, ensure that the response includes removing any ongoing threat – such as malware – understanding the cause of the incident and, if appropriate, addressing any gaps in your security that have been identified following the incident.