In an age where data breach incidents have become a common occurrence, many corporations are beefing up security to protect themselves against data theft and the huge losses that accompany it — financial, IP and customer trust, among others. As a result, hackers have been increasingly turning their attention toward softer targets, including law firms and other service providers.
Here are five steps you can take to protect your practice from technology-based threats without restricting the use of technologies that help increase your practice’s efficiency.
1. Understand the risks of BYOD and cloud technologies before you implement. The cost savings and advancements in mobile device security have made it harder to maintain a compelling argument against employees using their own mobile devices to access the firm’s network. However, convenience comes at a price. There is no question that rolling out “bring your own device” (BYOD) will increase your risk of data loss — the key is to minimize that risk. Make sure your BYOD policies and computer security procedures are sufficient to protect against the most serious threats your firm faces, including implementing strong password policies, mandatory remote-wiping capabilities and other safeguards. Similarly, the convenience and cost-effectiveness of cloud-based technologies continue to appeal to organizations of all types and sizes. Contrary to popular belief, if implemented properly, cloud technologies can actually enhance a firm’s security posture. But you need to do your homework and ensure that you are considering all aspects of information risk before moving ahead with a cloud computing or storage program.
2. Restrict and monitor access to your firm’s most valuable data assets. Of course you want to have appropriate controls in place to keep unwanted intruders out of your network, but you must place equal focus on ensuring you are appropriately restricting and carefully monitoring access to your most sensitive data by insiders. Not only will this help identify unauthorized exposures quickly, but it will protect you against insider threats and accidental data loss.
3. Know your risk profile so you can invest security dollars where you need them most. Many companies prioritize security investments according to the results of the latest compliance audit, vulnerability scan results or, worse, today’s front-page news story on the latest breach. Instead, you should invest the time and effort required to clearly define and examine your true, unique, cybersecurity risk profile and then develop an information security program to address it.
4. Engage your firm’s most sophisticated security system — your people. With the right tools and training, most people can be transformed into living, breathing information security guardians. Educating lawyers and staff to recognize common attack vectors, such as spear phishing, and arming them with the tools they need, such as encryption and two-factor authentication, can dramatically improve your security posture — and at a relatively low cost. You should also explain the severe damage that results from data breach incidents — and how such events could affect each of your people personally, including loss of clients, jobs, bonuses or other perks. Chances are, once they fully understand the risks and the role they can play in protecting the firm’s assets, they will become a formidable first line of defense.
5. Plan for the best but prepare for the worst. How you respond to a breach can make the difference between a minor incident and a major catastrophe. Having a documented incident response plan (IRP) is an important step, but the plan must be practical to be effective. Those in your firm who are involved in incident response must be properly trained and prepared to carry out their roles should an incident occur. They must also understand how their role interacts with others involved. In addition, the most common impediment to conducting an effective incident response investigation is the lack of sufficient infrastructure logging and monitoring. Take a fresh look at the network traffic and other system information you are tracking and retaining to make sure it will help investigators reach a conclusion on the impact of a security incident.
Jason Straight is the Senior Vice President and Chief Privacy Officer at UnitedLex. He has more than a decade of experience assisting clients in managing information security risks, data breach incidents, data privacy obligations and complex electronic discovery challenges. Previously, Jason held numerous leadership positions at a leading global investigations and cybersecurity company, and began his career as an attorney at Fried, Frank, Harris, Shriver & Jacobson. A recognized domain expert and Certified Information Privacy Professional, he is a frequent speaker and author on data privacy, cybersecurity, data breach response and computer forensics.