Peer to Peer Magazine

Dec 2013

The quarterly publication of the International Legal Technology Association

Issue link: https://read.uberflip.com/i/230349


…an easy-to-use system with as few additional steps as possible is critical to ensuring a workable system. User training is also paramount to the successful adoption of this critical technology. Review each vendor's commitment to protecting your data, as well as their security certifications and policies.

LOCK YOUR DOORS

MONITOR YOUR SYSTEMS

It should go without saying that you should employ top-notch systems in the areas of antivirus, antispam, malware and intrusion detection. These systems are critical and need to be deployed and managed well. A system needs to be in place to ensure this protection is active (i.e., not disabled by the end users) and up to date. An outdated antivirus system can be next to worthless.

Routinely check firewall logs. These will highlight the extent to which your users are under attack and make you aware of administrative access and changes to your firewall. Periodically check the firewall configuration for unwanted changes.

User accounts should also be managed and monitored. A systematic approach should be used to scan for user accounts that have not been accessed for a period of time, stale passwords and membership in administrative groups. Every IT administrator has seen unauthorized users put in high-level security groups (like domain administrators) in order to test and troubleshoot issues, only to be accidentally left in groups where they do not belong.

MAKE ENTRY TOUGHER

Two-factor authentication is highly recommended for law firms of all sizes. Two-factor authentication requires two things from a user before they are allowed to access a system — something the user has and something the user knows. The item the user has is a token, either a physical authentication token or an application on a smartphone, that generates a passcode. The thing the user knows is his password or PIN. These items together provide a significant increase in the security of systems accessed remotely. Two-factor authentication, however, is yet another area that could bring production at the firm to a halt if not implemented correctly. If it's too complicated, users will not be able or willing to use the systems, and they will create workarounds or fall back to systems formerly used to perform work for clients.

Physical security is also important. When you lose physical control of your data, hackers have all the time in the world to bypass your security protocols. Basic security includes ensuring server room doors, server cabinets, enclosures, etc. are locked when possible. Affordable security camera systems that include options for recording physical access are available.

Whenever possible, stored data should be encrypted. This reduces the ability of an attacker to gain access to your data in the event of physical loss of servers, USB keys, laptops, tablets and other devices. Windows operating systems, for example, can include Microsoft's BitLocker functionality. Data encryption is available for mobile devices, including smartphones, tablets and portable drives. Some systems, like Windows, have built-in encryption; others need an add-on product. Most products include a console to ease the administrative overhead of the added encryption layer.

PROTECT YOUR DATA AT THE DESK

A clean-and-clear desk policy transcends the electronic world into the physical office space of the end user. This usually involves the requirement to log off computers when not in use and to lock computers when unattended for a period of time. Laptops and other data storage devices should be locked when the employee is not present. No data, either printed or on any sort of electronic media, should be left unattended.

PERFORM THIRD-PARTY SECURITY AUDITS

After all the policies have been determined, new systems and protections put in place and the end users trained, a third party — someone not regularly involved with the firm's day-to-day IT needs — should be brought in to perform a security analysis. Participating in a security audit might not be the IT director's favorite activity, but even the most security-conscious IT director can benefit from the assistance and experience of a security expert. The process should include a top-down evaluation of the systems in use at the firm, its security policies and practices, and a review of physical access to the systems. Automated assessments can assist in the review, but there is no substitute for an expert's manual review.

CONDUCT PEN TESTS

A penetration test ("pen test" in the security vernacular) is the process of trying to break into a system in order to verify
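The "systematic approach" to account hygiene described under MONITOR YOUR SYSTEMS can be scripted. The example below is added here and is not the article's or any vendor's code: it runs the three checks (long-unused accounts, stale passwords, membership in administrative groups) over a constructed directory export whose field names are an assumption modelled loosely on Active Directory attributes.

```python
# Added example: audit a constructed export of directory user accounts for
# inactivity, stale passwords and administrative group membership.
# Field names (name, enabled, last_logon, pwd_last_set, groups) are assumed;
# a real run would populate ACCOUNTS from an export of your own directory.
from datetime import datetime, timedelta

# Groups whose membership should be reviewed; adjust to your directory.
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample data, not taken from any real directory.
ACCOUNTS = [
    {"name": "jdoe", "enabled": True, "last_logon": "2013-11-28",
     "pwd_last_set": "2013-10-01", "groups": ["Domain Users"]},
    {"name": "svc_backup", "enabled": True, "last_logon": "2013-06-02",
     "pwd_last_set": "2012-01-15", "groups": ["Domain Users", "Domain Admins"]},
    {"name": "tsmith", "enabled": True, "last_logon": "2013-11-30",
     "pwd_last_set": "2013-11-20", "groups": ["Domain Users", "Domain Admins"]},
    {"name": "intern_old", "enabled": False, "last_logon": "2013-01-10",
     "pwd_last_set": "2013-01-10", "groups": ["Domain Users"]},
]


def audit_accounts(accounts, as_of, inactive_days=90, max_pwd_age_days=90,
                   admin_groups=ADMIN_GROUPS):
    """Return findings keyed by category. Admin membership is reported for
    every account; the inactivity and password-age checks skip accounts
    that are already disabled, since those need no further action."""
    inactive_cutoff = as_of - timedelta(days=inactive_days)
    pwd_cutoff = as_of - timedelta(days=max_pwd_age_days)
    findings = {"inactive": [], "stale_password": [], "admin_members": []}
    for acct in accounts:
        admin = sorted(set(acct["groups"]) & admin_groups)
        if admin:
            findings["admin_members"].append((acct["name"], admin))
        if not acct["enabled"]:
            continue
        if datetime.strptime(acct["last_logon"], "%Y-%m-%d") < inactive_cutoff:
            findings["inactive"].append(acct["name"])
        if datetime.strptime(acct["pwd_last_set"], "%Y-%m-%d") < pwd_cutoff:
            findings["stale_password"].append(acct["name"])
    return findings


def sample_report():
    """Run the audit over the constructed data as of 1 Dec 2013."""
    return audit_accounts(ACCOUNTS, datetime(2013, 12, 1))


if __name__ == "__main__":
    for category, items in sample_report().items():
        print(f"{category}: {items}")
```

Accounts that appear in more than one category (here the service account that is both unused and a domain administrator) are the ones to review first.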
