Ahead of next week's launch of the Law Society's information security guidelines, communications expert James Whelan sets out what firms need to know about keeping their records secure



What is information security? Put simply, it is the protection of data against unauthorised access. In today's legal environment, information security is aimed mainly, though not exclusively, at data stored electronically in firms' applications, on computers, laptops, BlackBerrys... the list is endless.



It is a common misconception that information security is specifically for electronic information. This is not the case - it extends to any piece of information that you have created, from a Post-it note with a client's name and address to a client's file you have sent to storage.



What is 'unauthorised access'? There are two forms of this: internal - access by users who should not have any need to access the information; and external - people accessing the data who have nothing to do with your firm. We can break information security down to a list of 'what a lawyer should know'.



File storage firm

Are they a reputable firm? What physical security do they have in place to look after your files when they are being stored and transported?



Waste paper

Any piece of paper with a client's name and address is all someone needs to steal their identity. Invest in either a shredding machine or a secure shredding service.



Laptops

There should always be a password on a laptop - and the password should never be written on a Post-it note and then stuck to the side of the screen. A strong password is one that contains both upper and lower case letters and at least one number and/or one special character (£ or $ or %, or similar).



Passwords are not 100% secure - they only stop people for a short amount of time - but the more secure you make your password, the longer it will take to crack. Think about using some physical form of security. This can take the form of anything from a swipe card to a fingerprint recognition system. Laptops are starting to appear with fingerprint readers as standard. If your laptop has this feature, make sure you use it.


Make sure you do not leave your laptop on show in your car - always keep it close by. Basically, use your common sense and do everything you can to avoid it being stolen.


Corporate networks

All users should have their own individual password-protected account. Sharing accounts defeats the object of password protection. Microsoft Windows Active Directory allows the creation of a corporate password policy. Consider configuring this to stop people from using simple passwords.
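One way to do this in practice, as an added example rather than anything from the article: review the Active Directory default domain password policy, tighten it, and check a candidate password against the article's own rule from the Laptops section (upper and lower case plus a number or special character). The domain name, minimum length and lockout values are assumed placeholders, not figures from the article.

```powershell
# Added example (not from the article): inspect and tighten the AD default
# domain password policy, then test a password against the article's rule.
# Assumes the RSAT ActiveDirectory module and a domain-admin session;
# 'example.local' is a placeholder domain name.
Import-Module ActiveDirectory

$domain = 'example.local'   # placeholder

# Show what the domain currently enforces before changing anything
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration

# Tighten the policy. ComplexityEnabled is the Windows setting closest to the
# article's definition (mix of case plus digits or symbols); the remaining
# numbers are assumed baselines and should be set to suit the firm.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Local check implementing the article's rule for a candidate password:
# upper AND lower case letters, plus at least one digit or special character,
# with a minimum length added because length drives cracking time.
function Test-StrongPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinLength = 12
    )
    $hasUpper   = $Password -cmatch '[A-Z]'      # -cmatch is case-sensitive
    $hasLower   = $Password -cmatch '[a-z]'
    $hasDigit   = $Password -match '\d'
    $hasSpecial = $Password -match '[^A-Za-z0-9]'
    return ($Password.Length -ge $MinLength) -and
           $hasUpper -and $hasLower -and ($hasDigit -or $hasSpecial)
}

# Constructed sample inputs: one weak choice, one that follows the rule
'password', 'Conveyancing£2024' |
    ForEach-Object { '{0,-20} {1}' -f $_, (Test-StrongPassword $_) }
```

Run the Get- call first on its own; Set-ADDefaultDomainPasswordPolicy changes the policy for every account in the domain, so test the values in a non-production domain before applying them.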



You must make sure that your practice or case management system is configured to only allow users to see information they really need to see. Does a receptionist really need to see the financial side of a file, for example?


You should also ensure that your network employs firewalls and antivirus software. Virus writers can create programs called keyloggers that sit on your machine and log every key you press on your keyboard. They can access this information and use it to steal information about you and your clients. With effective firewalls, antivirus software and some common sense, users can stop these programs from getting through in the first place.


Whitelist

Have you ever considered setting up a corporate whitelist? This is a list of all Web sites staff are allowed access to. This gives you full control over what staff can do on your network. If you think this is taking it too far, and you do not mind staff having access to the Internet, why not set up a separate Internet café? This way you are reducing the chances of your business network being infected with dangerous computer programs that can steal information.



E-mails

Due to the transport layer used for e-mails, they are inherently insecure. When sending an e-mail, you should always ask yourself: 'Does it matter if this is read by anyone else?' If the answer is 'yes', you should look at using a secure signature. The alternative is to work in a similar way to many high street banks and have a secure message area on your Web site where clients can log on and send and receive messages in a totally secure environment.



Home working

Under no circumstances should you ever e-mail work home to your personal e-mail address. Instead, consider remote access software, such as Citrix or Tarantella. By using this software, you can ensure that information does not leave your network.

To sum up, lawyers have a duty of care to ensure that all information they hold on a client, regardless of the form in which it is held, is secured. Now that more and more information is being stored electronically, lawyers need to look at ways not only to ensure their information is secure, but also to test that it is.



The best way to do this is to employ an 'ethical hacking' firm to perform a 'penetration test' on your network. The idea behind these tests is to find weaknesses in your defences before an unscrupulous hacker finds and exploits them. But before committing to this, make sure you do your homework on the firm.


Some of the weakest points in a network are the users who work on it - they are the ones who will download virus-infected e-mails and who can get tricked into divulging confidential information. You should make sure that everyone in your firm understands that it is their responsibility to ensure information is secure, and a documented and distributed 'information security policy' should address these issues. Information security is not just down to IT.




James Whelan is information and communications technology director at Barnetts Solicitors, a volume conveyancer based in Southport; www.barnetts.co.uk