Peer to Peer Magazine

Dec 2013

The quarterly publication of the International Legal Technology Association

Issue link: https://read.uberflip.com/i/230349


The increasing mobility of lawyers has further complicated the information security problem. Smaller law firms might think they are not a target due to their size, but even they have clients with desirable data. In many cases, the law firm is a much easier target than the corporate entity. It's a problem law firms cannot ignore, no matter their size. Simply maintaining a current firewall is no longer enough protection. The firm must take a holistic approach to safeguarding data.

CONTROL THE CHAOS

Without mindful attention, the changes to security requirements could bring production at a law firm to a standstill. Care needs to be taken to implement the necessary changes in a way that does not impede attorneys' ability to perform work for their clients. There is always a balance between protecting the data and allowing access to those who need it.

Consider end-user password complexity. An eight-character password is simply not long enough; a password of that length can be cracked in a few hours. However, enforcing a change to a 12-character password overnight could have several negative side effects:

• Users could change their passwords and not remember them
• The helpdesk might not be able to field the number of new calls generated by the change, and increased after-hours support could be required for attorneys who work remotely
• Users might write the password on a sticky note or save it in a plain text file

With planning, training, proper advance notification and staggering the change among users, the side effects can be minimized.

PREPARE AND PLAN

Disruptions in productivity can be avoided through careful technology selection, planning and preparation. Select the security systems that provide the best mix of ease of use and security. Plan ahead. Do not implement new systems and procedures before they have been vetted and tested properly by a small group of users. Prepare the users by giving appropriate advance notice and creating a training plan that covers the topics in language the users understand.

A firm with the best-laid security plans is still at risk if employees unwittingly allow the safeguards to be bypassed. A holistic approach includes security awareness training.

TRAIN THE WEAKEST LINK

Even with the most secure systems, a firm is still vulnerable if its employees do not follow proper security protocols or are easily duped into granting access to suspicious individuals. We have seen hackers masquerade as vendors or as employees in the IT department and ask for user passwords or other credentials to help fix a system issue. If the hacker gains access to your system, untold hours will need to be spent recovering from the event. Even after the recovery, a sense of insecurity and vulnerability can remain over whether the security team really caught everything the hacker planted.

Security awareness training is designed to increase end users' awareness of the firm's security policies and of potential threats to the firm, and to increase their willingness to adhere to the firm's security requirements. It usually covers:

• Electronic communications
• Incident reporting
• Internet access
• Mobile device security
• Password policies
• Remote access
• Social media use
• The firm's Acceptable Use Policy
• Visitor policies
• Wireless access security

As with any training at the firm, the session should include an appeal to end users to use good judgment, and it should help them understand that good security starts with them. The security training should include courses on protecting the firm's data when connected to home networks and on the perils of connecting to unsecured or public wireless networks. Data can be captured easily in transmission; users need to be aware of the issues involved.

TRUST BUT VERIFY

Along the same lines, the firm's vendors must also follow proper security protocols. Vendors, especially those hosting your data in the cloud, need to pay particular attention to protecting your data.
