Cybersecurity 101: Politicians Show Firms What Not to Do
Recent hacking incidents involving the phones and mobile devices of prominent UK politicians can serve as a valuable learning exercise for firms looking to shore up their data protection and cybersecurity practices.
November 29, 2022 at 09:50 AM
Falling foul of data protection and cybersecurity practices is a nightmare scenario for every diligent firm. For some of the UK's most high-profile politicians, this nightmare recently became reality.
Last month, reports revealed how former Prime Minister Liz Truss's phone had been hacked earlier this year, with attackers gaining access to sensitive information—including discussions about the Ukraine war with foreign officials. In tandem, home secretary Suella Braverman also demonstrated bad cybersecurity practices when it was revealed that she had been using her personal mobile device for work-related communications.
Instances like these should be a caution to everyone working in, or with, regulated industries. In the legal sector, not unlike in politics or national security, organisations and individuals are expected to adhere to the highest data protection standards. When a security breach happens, the consequences are severe.
What went wrong for Truss and Braverman, and what can firms take away from these mistakes to ensure their workforce is protected, secure, and taking cybersecurity seriously?
Strengthen Your BYOD Policies
Firms know that their lawyers use personal devices and communications tools—email, SMS, WhatsApp—to communicate with clients and conduct business.
These tools can be a net positive for firms, with quick response times improving client relations and building trust. But without a robust strategy in place for how personal devices and communications tools are used across a firm, compliance and regulatory issues could arise.
Take Braverman's security breach, which could have been easily prevented. With the right technologies and tools in place, it is straightforward to stop sensitive emails, or those marked as confidential, from being forwarded. Similarly, if a user tries to download or move a sensitive file to their personal phone, this can be managed and constrained.
Critically, mobile devices can and should be protected in all circumstances. BYOD policies and the use of messaging or social apps don't need to be written off altogether. But a firm must always have a grasp of the devices used across its entire fleet—even personal mobiles or laptops used to access corporate data. Visibility is key and will ultimately help protect firms against potential breaches.
Introduce Mobile Threat Defence
To protect against potential attacks, and to ensure their data is protected, firms should implement mobile threat defence software on all devices as a minimum. Many businesses have policies that encourage users to install this kind of software. But for the most robust protection against phishing, malware and other forms of attack, encouragement is not enough. Instead, firms should require this software to be installed across any and all devices that are used to access corporate data and networks.
There are several benefits of mobile threat defence software for those within regulated industries.
Firms should look for a threat defence solution that continuously performs risk assessments across all endpoints in their fleet. By doing this, firms can gain complex and in-depth risk insight and behavioural analysis into how devices are used across the organisation and see where gaps, weaknesses, or vulnerabilities are. With this kind of information, firms can act to strengthen their defences before an attack has taken place.
Compliance is everything, and with the right mobile threat defence software in place, firms can integrate their specific access and compliance requirements. What this means in practice is that if, for example, a device is hacked, a firm's corporate data or documents can be protected from being accessed. These granular data access and control permissions can be set at the organisational level and monitored continually, to provide the highest level of security for a firm's devices.
Protect Against Human Error
Mobile devices are more vulnerable than ever to sophisticated security attacks and vulnerabilities, as users respond at speed, on-the-go, often without thinking about the implications of the files they're sending, who to, and even the networks they're connected to. Users are the biggest threat to any organisation's cybersecurity, and bad actors know this. Unfortunately, innocuous mistakes can cause severe operational and reputational damage, not to mention regulatory and compliance violations.
With this in mind, all firms should consider how to strengthen their human defences with ongoing security training that includes best practices specifically for securing devices and protecting corporate data.
Earlier this year, a social engineering test by Appurity showed that, on average, 25% of law firm employees will click on phishing links within email and SMS messages. With phishing attacks becoming more advanced, more frequent, and distributed through ever-increasing means (social media, messaging apps, email and SMS included), keeping users up-to-date on emerging threats and how to spot them is a crucial step in any organisation's cybersecurity strategy.
Security and data breaches can—and do—happen. And the recent cases of cybersecurity malpractice in the British government show that mistakes are made even by high-profile individuals working in industries that should take cybersecurity seriously.
This is why it's important for firms to strengthen their cybersecurity defences: make employees aware of the risks, have complete visibility and control over every device used for work, and leverage software and technologies to protect devices against malicious attackers, malware and spyware.
If implemented correctly, these suggestions will help firms protect their own, and their clients', critical data.
Steve Whiter is the Director of Appurity, a company providing cyber security solutions and services for mobile infrastructure and applications across all verticals.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.