Email security top tips

Jan 25 2017

Cyber crime is a critical agenda item for law firms. With 84%+ of firms reportedly suffering a phishing attack in the last year (according to the 2016 PwC law firms survey), and email the most common source of information security breaches reported to the Information Commissioner's Office, there is no better time to refresh your awareness of good email practice.

We highlight six steps that can help you keep your and your clients' data safe.

1:  Use a reputable email system

Using an established email system intended for professional business (Microsoft's Outlook is the most commonly known) rather than a 'free' account intended for personal use (such as Yahoo or Gmail) will not only make your business look more professional; such systems also tend to provide better security and privacy features. Designed for UK business use, they are also less likely to store your confidential data outside the EU, which would potentially be in breach of Data Protection regulations.

 

2:  Enable 'two-factor authentication' on your email account

You typically require a password in order to access your desktop, including your email account. This can provide a reasonable degree of protection (see 3. below) but, as recent Yahoo data breaches have emphasised, passwords can be stolen or breached. 'Two-factor authentication' is simply the addition of a second security measure onto your account.

It is instructive that this is a requirement for achieving Cyber Essentials accreditation, because it significantly reduces the risk of system security being breached. This additional security is most often achieved by entering a random passcode generated and sent to your mobile phone or VPN security device. You may well have already experienced this with your online banking, PayPal or eBay account.

 

3:  Choose a strong, unique password

Our latest e-learning module focuses on password security. For the foreseeable future, for business computing systems, passwords will remain the basis of system security.

Passwords should not be shared or used across different accounts, and they need to balance security with memorability. A key rule: do not include any part of your name, school, first pet, home address or other personal information, as these things are remarkably easy for serious criminals to find out and guess.

Look out for our e-learning module launching next week.

 

4:  Be risk aware

It is difficult to break old habits, but get into the habit of not clicking on links in emails without carefully reviewing the email first. Check the sender's email address very carefully, and look for any strange errors in the message. Do not assume that an email is legitimate just because the sender appears to be a known one. If in doubt, either cut and paste any links into your browser before opening, or check with your IT department first.

  

5:  Use public wifi with care

Free wifi may be convenient, but it isn't very secure. It is much easier for hackers to view exactly what you are viewing, including any passwords you are entering. Where you must use public wifi for business purposes, try to access your email and other work via a secure, encrypted 'virtual desktop', and try not to access any other secure accounts or confidential data outside this 'secure environment'. If in doubt about this, check with your IT team.

 

6:  Encrypt sensitive data, or don't send it by email

Email is convenient, but it is not secure. Solicitors tend to exchange an extraordinary volume of confidential data via email, normally without any security encryption.

For documents that would benefit from a degree of encryption protection, the simplest solution is to 'zip' the document(s) prior to sending them. Or you can password protect them, although this does not provide a high degree of protection.

Where greater protection is required, you should endeavour to fully encrypt the email or send the material by registered post. Some email systems permit a fairly straightforward encryption system. For further advice, security software company Sophos have an excellent blog, including a post on the practicalities of email encryption which you may find helpful.

We will be releasing more practical advice on cyber risk issues throughout the year. Keep an eye out for more updates on www.locktonlaw.scot, or contact us for advice on any specific query or concern.
