In a GDPR-soaked, post-Cambridge Analytica scandal world, personal data is a hot topic. But for lawyers, it’s been on the radar since before Facebook was a twinkle in Zuckerberg’s eye. So, what can internal comms teams learn from their experienced approach?
To mark Cyber Security Month in October, I caught up with Langleys Solicitors to chat about risk in the legal sector, and how culture, comms and collaboration play a part in mitigating it.
Langleys IT Director Ian Fowles' role covers IT strategy, transformational change, service delivery and information security. He's a big champion of 'keeping it simple'.
Risk and Compliance Partner Tamsin Cooper is Langleys' data protection lead and designated information security officer. She works closely with IT to make sure they have a joined-up approach to data protection and cyber security.
Here at scarlettabbott, we work with internal comms teams on all sorts of projects, including promoting behaviour change around data privacy. We usually kick off with a discovery workshop, to work out exactly what a client’s employees think and feel about security – and whether they even think it’s their responsibility. But for lawyers, client data security has always been part and parcel of the job. So, what’s different about the modern workplace?
Tamsin: Protecting client data is part of our DNA. However, as tech evolves it’s definitely becoming much more complex – both in terms of the systems we need to put in place and the training and awareness of our people.
Ian: Thirty years ago, it was comparatively small fry. I was in the industry then, managing the intrusions and security of the business and although still a massively important task, it was just nowhere near what it is today.
Matt: Risk, compliance and security are big responsibilities for IT and compliance departments to manage for the whole organisation. How can IC play a part in encouraging people to recognise their own personal responsibility?
Tamsin: There’s definitely a cultural element. We need to constantly reinforce the message across the business. IT can introduce sophisticated controls and systems to keep data safe, but ultimately, it’s up to every single person, whatever their role, to understand their responsibility when it comes to data security, on and offline.
It’s fundamental to work collaboratively across the organisation to ensure communication is clear, consistent and reinforced at every opportunity, not just at induction.
Ian: Definitely. Induction is a great start. It’s the first opportunity for an employee to see how the firm operates, so they know from day one what the expectations are. But it doesn’t end there. We host roadshows and events within the business, waving the banner for security. The take-up for these sessions is always good. It’s something people across the firm really invest time in.
Matt: I think that’s one of the biggest risks a business can take: assuming ticking a box at induction is enough to cover off security. When we work with clients on data privacy, we make sure the solutions aren’t a one-hit wonder. Yes, we talk to colleagues about staying logged into computers or leaving laptops on the train, but we do it through exciting campaigns that identify the themes and communicate via all the relevant channels – even including big, smack-em-between-the-eyes installations.
Ian: Absolutely. We have to keep the conversation going. We send email awareness programmes out on live issues, framed around what it means for our people, as well as the firm. We look at both angles, but we know the message resonates better when you can relate personally.
We also try to make it fun! I think that’s key. Talking about technology and cyber security doesn’t have to be dull.
Matt: These days, lots of people have been personally affected by cybercrime. Coming to work and seeing the same message in terms of client data must resonate when you can say ‘I know how that feels’?
Tamsin: Yes, cyber security is very much on the agenda and our people are alive to the conversation. We’ll always keep looking at innovative and creative ways to push the message forward.
MC: What are some of the emerging cyber risks you’re keeping an eye on?
Ian: Social media is an amazing tool and, in many ways, it’s changed things for the better. But there are causes for concern and we have to be careful to use it in the right way.
There’s lots of emerging tech: cryptocurrency, blockchain, artificial intelligence, internet of things – but all these tools mean we have to manage the information. It’s up there in the ether and security needs to be tied around that.
Matt: What sorts of changes have you seen recently in the way risks are mitigated?
Ian: We’ve all seen so many examples of people not protecting data as well as they could and obviously there are financial impacts of that. But there are also brand and reputation impacts. It’s not just fines that hit a business, it’s the longer-term problems.
The difference for me in an IT role over the years is the investment that people are putting into managing risk now. We’ve all always done it but you can now see a sizable part of an annual budget allocated to ensuring that a firm’s data and assets are protected.
For us – and this goes for any business – the most important thing is to think hard before you jump into new tech.
Want to hear the full conversation? Check out the Langleys episode of The IC Beat podcast.