The significance of data security
Information management and security should be hugely important to your organisation, and it is worth remembering that well-maintained IT systems can have other benefits too.
There are many reasons to keep your systems up to date and information security probably sits at the top of the list. Good procedures, therefore, are vital.
What needs keeping safe?
The first thing to do is to think about what information you need to safeguard. The most obvious is client data, eg files and any documents belonging to clients. This includes paper documents as well as electronic files: leaving a client’s file on the bus remains a potential breach of confidentiality as well as a data protection breach.
You also need to protect personnel data. This comprises everything kept on individual files for members of staff, but it could also include, for example, information on external consultants. Finally, it’s important to keep data about the practice safe too, eg business plans, policies and procedures such as your office manual. Take regular back-ups of the information on your IT system and keep them in a separate place, so that if anything happens to your computers, you can still access it.
Update software …
It can be helpful to compile a register of all the software your firm uses (and you need to do this if you are Lexcel-accredited: see Lexcel v6 para 3.1), eg Office-type applications (word processing, spreadsheets, email), specialist accounting/case management software, databases, websites, firewall, anti-malware software, etc. It is useful to include things like the purchase date, version number and licence(s) held (it’s very reassuring to know all your software is properly licensed). A register can also help to plan when software will need to be replaced.
If you don’t keep your software updated, it may not have the latest patches to keep it secure. For example, using an out-of-date browser may make you vulnerable to being hacked. However, it can also mean you aren’t using the best available version of the Legal Aid Agency’s client and cost management system (CCMS) for civil certificate work. Recent LAA data shows that only half of users are accessing the upgraded CCMS system; the other half are on the old system, which does not include any of the recent enhancements. You could be struggling on with a system that might be easier to use if you upgrade. This issue may be because the CCMS administrator in each firm has to activate the upgrade for each user. Individual users may not be aware of which version they are using, so check with your administrator.
… and hardware
On the subject of updating, don’t forget the hardware. Practices can struggle on with old hardware (which can have a negative effect on efficiency) while not realising that prices have come down. One managing partner told me her firm has started replacing single-screen monitors with double-screen ones for people who need to compare documents on a regular basis. She says it wasn’t as expensive as she’d expected and has improved staff morale and efficiency. If you do replace computers, however, don’t forget to remove all personal information before disposing of them.
Many people fail to change software default settings; hackers know what they are, so leaving them can compromise your security. Weak passwords are easy for hackers to crack (the most commonly used password is ‘password’). Strong passwords include letters, numbers and symbols. The Information Commissioner’s Office has a list of straightforward top tips to improve security: www.ico.org.uk/for-organisations/guide-to-data-protection/it-security-top-tips
It’s a shame to have great security for people working in the office, only for that to be compromised when they work remotely. You need to provide security training designed for mobile workers.
Use of public Wi-Fi is an obvious issue: you don’t know how secure it is. Sending unencrypted sensitive documents by email to work on at home is another; some organisations use a portal such as Egress to make their emails secure. Allowing people to use their own phones/devices to access the practice’s systems remotely is also a risk because you don’t know what they are using and have no way of disabling them if you need to.