The way that we digitally share information has changed dramatically in recent years, thanks to the rapid evolution of cloud storage and the increasing intelligence of smartphone technology. Each of these innovations has allowed more mobility with our data, giving individuals access to vital files and documents from multiple devices almost anywhere in the world. This mobile nature of data allows us to be more efficient in how we share and access things, but it also brings with it inherent risks in terms of digital security.
The legal sector, perhaps more than any other, regularly faces these risks, with firms not always capable of dealing with their data correctly. One common issue for legal firms that is routinely ignored is the ability for employees to access their personal accounts not just from their office machines, but also through a home computer, tablet, or phone. Although this may seem to be a more convenient way to operate, as it enables the team to continue working outside of office hours, the risks are very real.
In an office environment, you will hopefully have a secure network that protects all machines under company ownership. This in turn will keep all valuable files under lock and key. This cannot be said for a personal device that is used at home. Should the employee’s PC or mobile phone become compromised, they are then giving unrestricted access to confidential data when they log in to their work account.
Problems can also occur when an employee is at a client site or in court. There is of course a need to consistently access information that relates to a case or client when performing your duties. One thing that you must never do, although it is nonetheless incredibly common, is send valuable information via email. We have heard numerous horror stories that involve people phoning colleagues, asking them to log in to a personal account and then email across the relevant files.
This highly insecure means of moving data can lead to major leaks of information, or breaches of personal login accounts. There is also the issue, as touched upon already, of the personal device that you use to receive the information becoming compromised. What companies need, perhaps legal firms above all others, is joined-up thinking within their organisation. If you are a company that is non-tech based, it is critical that you not only embrace technology, but also understand and implement the appropriate safety measures to keep your data safe.
Data sharing sites such as OneDrive, Dropbox, etc. are another area where company data is moved outside of the control of the organisation. Often these sites are used for very genuine reasons and give staff the ability to work on documents when they leave the office. However, such sites give the organisation little idea of who else might be viewing the documents or, worse still, sharing them with third-party sites which are used to whistle-blow or to use information as a bargaining tool against a company during a malware attack.
Protection of data is important for many reasons. There is of course the damage that can occur when company details are released early, for example during a merger or acquisition process, or if competitors were to get hold of a client list or company account details. Equally, there is a firm’s reputation. Should you be at fault for a leak of client data, you should rightly expect client trust to drop, and ultimately that you will lose work as a result.
Perhaps most damaging of all, though, will be the upcoming introduction of GDPR, the replacement for the outdated Data Protection Act. This regulation will put immense pressure on organisations to handle personal data carefully, especially should personal devices be used within the working toolkit of technology: personal data could be mixed in with corporate data, thus opening an organisation to fines as they are not handling personal data correctly. With fines for breaches that equate to up to 4% of a firm’s turnover, digital security has never been more important to comply with.
Given that data is now highly mobile and used on multiple devices, it is imperative that the data is protected wherever it resides, and the only technology which can travel with the data is encryption. This technology must now be at the foundation of every company’s data security policy and be enforced on personal devices if the use case is strong enough for the individual to use their own equipment. But time is running out, as GDPR will be enforced from May 2018, so the clock is ticking!