Firms warned over security risk of WFH
Law firms have been warned to rethink remote working policies to avoid cyber attacks and data breaches. The “Future of Working from Home” white paper has found that 41% of data breaches are caused by a lost or stolen device, highlighting the requirement for many legal firms’ IT departments to carefully consider working from home policies in relation to data protection and security.
The publication of the white paper comes at a pertinent time given recent reports of a cyber attack on listed city firm Gateley in which 0.2% of its client data was stolen, resulting in an 8% downturn in share value. This attack, along with the recent Hiscox Cyber Readiness Report 2021, which highlights a significant increase in the number of organisations targeted by cyber criminals, clearly demonstrates that the risk of data breaches and cyber attacks to all firms is very much alive.
Due to the effects of the Covid-19 pandemic, remote and flexible working has become far more commonplace, with most firms engaging in remote working practices, many of which are set to continue after Covid restrictions are fully lifted.
However, some industry reports suggest that businesses are concerned about data retention policies and whether remote employees are abiding by required data retention protocols. If data is breached, the cost to businesses can be vast, with the UK Government estimating that the cost of cyber crime is £27bn a year.
The Future of Working from Home white paper highlights the perhaps rather obvious differences between office and remote working: the office environment usually employs much higher degrees of physical security than home offices, such as locks, security guards, doors, cameras and alarms to guard valuable assets. It also questions how businesses are protecting data contained on physical devices, should they be lost or stolen.
In modern business, and especially in data-sensitive industries like the legal profession, the data stored within these devices can be more damaging to lose than physical assets. With regulations such as GDPR in place, businesses can receive serious fines for losing personal data, and it is estimated that the average data breach costs $3.86M to resolve.
The white paper reveals that organisations storing personally identifiable information are among the most susceptible and are highly prized targets. In the current business climate, this sensitive data is often stored on laptops within remote workers’ homes, and their small size and portability make it easy for them to be stolen. It is thought that one in ten laptops will be stolen from an organisation over the lifetime of each computer.
It also found that in more than 90% of cases where a computer or laptop screen is exposed, confidential data is accessed. The white paper suggests that visual hacking is actually one of the least considered, yet most vulnerable, data risks within many organisations.
The Solicitors Regulation Authority (SRA) has previously warned firms to be vigilant in matters of cyber security, particularly in the midst of the Covid-19 pandemic and remote working, and has issued guidance in response to the growing numbers of legal professionals now working from home.
Tom Lyes, Director of Engagement at cyber security specialists Lawyer Checker, suggests that firms must prioritise resource in this area, commenting:
“The traditional security boundary has been spread far and wide with flexible and remote working meaning the modern workplace is no longer a simple place to secure. The whitepaper highlights some key considerations in terms of securing devices and having policies around this. The tricky bit for IT managers will be the implementation and enforcement of some of these. There needs to be a risk-based approach when looking at some of the recommendations from the report, for instance staff who travel regularly are at higher risk of device theft and should be the first people protected.”
The white paper also includes several recommendations for increasing the physical security of devices, such as:
- Creating a device policy for employees outlining the proper use and storage of devices.
- Implementing the use of physical and biometric locks on devices.
- Using privacy screens.
The white paper can be accessed here