
IBA Presidential Task Force Guidelines on Cyber Security

This report forms part of the International Bar Association’s (IBA’s) ongoing work on cyber security. The IBA Presidential Task Force on Cyber Security (the ‘Task Force’) has the objective of:

  • producing a set of recommended best practices to help law firms to protect themselves from breaches of data security;
  • assisting their ability to keep operations running if a breach of data security or ransom attack does occur;
  • giving their clients the best possible assurances that their data is protected;
  • helping protect the reputation of the profession.

These guidelines are particularly relevant for:

  • Single practitioner
  • Small firms (20+ employees)
  • Medium-sized (21-40 employees)
  • Intermediate-sized to large firms (41+ employees)

These guidelines are separated into the following three broad areas:

Chapter 1: Technology

Chapter 2: Organisational processes

Chapter 3: Staff training

Resources

Recommendations for law firms

Download the Cyber Security Guidelines (2018)

Task Force Chair

Simon Walker, Chair of IBA Online Services Committee, UK

Task Force Members

Anurag Bana, Legal Policy & Research Unit, UK

Sophia Adams Bhatti, Bar Issues Commission, UK

Nazar Chernyavsky, Technology Law Committee, Ukraine

Natasha Chiumya, Bar Issues Commission, Zambia

Luke Dembosky, Cyber Security Practice Lawyer, USA

Bruno Lobato, Law Firm Management Committee, Brazil

Monty Raphael, Criminal Law Committee, UK

Tshepo Shabangu, Bar Issues Commission, South Africa

Meg Strickler, Criminal Law Committee, USA

Graham Wladimiroff, Corporate Counsel Forum, The Netherlands

Valentina Zoghbi, Regulation of Lawyers Compliance Committee, UK

APPENDIX H: Cybersecurity staff training

Cybersecurity refers to the protection of electronic systems to maintain the confidentiality, integrity and availability of data. While it is common to consider an external attacker as the greatest threat, it is equally important to consider that internal staff, contractors and third-party suppliers can intentionally, accidentally or negligently cause data loss and damage to systems.

It is recommended that an organisation’s staff receive training in the following key areas as well as any organisation-specific training that may be required.


Password management

Training should be provided on the importance of good password management. This should be reinforced as applicable to both business accounts and personal accounts (to reduce social engineering attacks). The following general rules may assist:

·       Passwords should not be recorded on paper and attached to computer equipment.

·       Passwords should not be shared between users.

·       Strong passwords should be used. These should comprise numbers, upper and lower case letters, and special characters. Depending on the organisation’s network policy, Windows password complexity rules may be insufficient (eg, Sunday1 meets the complexity rules). Staff should be encouraged to use passphrases such as ‘50%like2sleepunder@*’.

·       Personally identifiable information such as dates of birth, postcodes, children’s or pets’ names, should be avoided.

·       Password reuse, that is, using the same password across multiple systems, should be avoided. Ideally, a password manager should be used where one only needs to remember the master password and the application generates and inputs the rest.

·       When a password is required to enrol in a system or make a one-time or rare purchase, consider making up a random one-time series of characters and then using the password reset feature if subsequent access is required.

·       Strongly encourage users to have separate passwords for business and private accounts.
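As an added illustration of the ‘Sunday1’ point above (example code written for this page, not part of the IBA guidelines): a check that mirrors the Windows complexity rule beside a stricter passphrase-style check. The wordlist and the 14-character threshold are constructed assumptions, not values from the guidelines.

```python
import re
import string

# Constructed mini wordlist standing in for a real common-password/dictionary list.
COMMON_WORDS = {"sunday", "monday", "password", "welcome", "summer", "london"}


def windows_complexity_ok(password: str, account_name: str = "") -> bool:
    """Mirror of the Windows 'password must meet complexity requirements' rule:
    at least six characters, characters from three of the four classes, and the
    account name (if 3+ chars) must not appear in the password. The display-name
    token check of the real rule is omitted here for brevity."""
    if len(password) < 6:
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        return False
    name = account_name.lower()
    if len(name) >= 3 and name in password.lower():
        return False
    return True


def passphrase_policy_ok(password: str, min_length: int = 14) -> bool:
    """Stricter check in the spirit of the guideline's passphrase advice
    (assumed thresholds): long enough, and not merely a common word with
    digits or symbols bolted onto the ends, which is the 'Sunday1' pattern."""
    if len(password) < min_length:
        return False
    # Strip leading/trailing non-letters so 'Sunday1' collapses to 'sunday'.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core not in COMMON_WORDS


def evaluate(password: str, account_name: str = "") -> dict:
    """Return both verdicts so a policy review can see where a password passes
    the Windows rule yet fails the stronger passphrase-style check."""
    return {
        "windows_complexity": windows_complexity_ok(password, account_name),
        "passphrase_policy": passphrase_policy_ok(password),
    }


if __name__ == "__main__":
    for pw in ("Sunday1", "50%like2sleepunder@*"):
        print(pw, evaluate(pw))
```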

Multi-factor authentication

Multi-factor authentication should be activated on all business and personal accounts. Staff should be made aware that attackers target personal accounts to gather intelligence and to send phishing emails to colleagues for social engineering attacks.

Staff should be provided with how-to guides to implement multi-factor authentication on the most common applications, such as LinkedIn, Gmail, Yahoo!, Facebook, Instagram and Apple iCloud.

Social media

Staff should be aware of the dangers (both cyber and ethical) in the use of social media. Social media provides a valuable source of intelligence for potential attackers, including details of potential clients, colleagues and suppliers.

Staff should also be trained in the dangers of posting any material to social media accounts (eg, photographs) that could provide a would-be attacker with information about the physical layout of a building.

Physical access control

Training should be provided on the importance of only allowing authorised personnel to physically access a building. Within the building, access to server equipment should be limited to essential IT staff only.

An environment should be created whereby staff members are encouraged to challenge persons that they do not know.

Staff members must make sure that their access/security cards are kept safely so that no one can use them to access the building. They must also not exchange their security cards with other staff members.

Staff should bring old devices that may contain corporate data to IT to be forensically wiped or physically destroyed.

Logical access control

Computer systems should operate to a standard of least privilege. On this basis, staff should only request access to systems and data that they need access to. They should be warned of the dangers of accessing (browsing) systems and data that they do not need access to.

Where appropriate, all portable devices should be fully encrypted. This includes hard drives, USB flash drives, memory cards and optical media. If encryption is not available, then password protected ZIP/RAR files provide an alternative.

Suspicious activity

Staff should be encouraged to report suspicious activity on their computer, such as unexpected windows or applications launching, independent mouse movement and unsolicited emails.

Staff should not click on any links or open any attachments to an unsolicited email. However, rather than simply deleting the email, the organisation should have a mailbox to which suspicious emails can be forwarded (without being opened). This allows the organisation to develop email intelligence including analysis on why certain emails were not detected by preventative security software.

Staff should be made aware of when they will be legitimately prompted (after clicking a link) to enter their login credentials.

Active phishing campaigns should be conducted as a training and educational exercise.

Policy awareness

Staff should be aware of the following policies, if applicable, the reason for their implementation and the implications of not following them:

·       appropriate use of IT systems

·       BYOD device policy

·       document retention policy

·       working from home policy

·       MDM policy

·       privacy policy

·       social media policy

These policies should include protocols on the use of web-based email and storage systems (eg, Dropbox, OneDrive, Gmail and Yahoo! Mail).



Mobile phones

Mobile phones are a potential vulnerability for an organisation. As a guide, staff who use their personal mobile devices for business purposes should ensure the following:

·       a minimum passcode length should be six digits

·       remote wiping capabilities should be turned on

·       Apple iOS devices should be configured to wipe after ten unsuccessful login attempts

·       backups to computers should be encrypted

·       memory cards (if applicable) should be encrypted

·       application and operating system updates should be applied as soon as practicable.

Where possible, the organisation should develop and educate staff on a BYOD device policy. Subject to the size of the organisation, an MDM solution may also be appropriate.

Contractors and third-party suppliers

Staff should be made aware of the risk that poorly validated contractors and third-party suppliers can pose to the organisation. Staff who engage contractors and third parties should be encouraged to thoroughly review the security credentials of all external parties before they are allowed to access IT systems and before organisational data is sent to them.

All contractors and third parties should be monitored if they are provided with access to the data holdings of the organisation.

Unless absolutely essential, contractors and third-party suppliers should not be given administrative-level access to the network.

Continued training

Security awareness training should be delivered on a regular basis. Continued training and the development of a ‘cyber aware’ culture is paramount to mitigating the ongoing cyberthreat.