In last week’s blog post kicking off this series, we discussed the role technology plays in keeping your firm safe. While technology solutions provide vital layers of protection, they’re not enough to cover the scope of vulnerability faced by law firms. Policies are also an important part of your overall security posture.
I know, I know. Policies are not an exciting topic. We are a “skip to the end and click Accept” generation. However, policies play an important role in risk management, liability, information governance, and defining the areas of vulnerability that need to be constantly monitored and addressed in your firm.
SECURITY POLICY TIPS
- Security Policies should be reviewed at least annually. Outdated policies do not address the way people currently work.
- Security Policies should have executive sponsorship.
- Security Policies specifically need to be enterprise-wide. Security is the great equalizer. It is everyone’s responsibility to align to the same standards.
- Security Policies should clearly state who owns them, who they are for, and how those people are to be informed.
- Security Policies should align with a standard (NIST, ISO, GLBA, HIPAA, etc.).
- Security Policies should address internal threats along with external threats.
POLICIES TO CONSIDER (if you haven’t already)
- Multi-factor authentication: Passwords are not enough and haven’t been for some time. Adding another factor to authenticate a person’s identity will substantially strengthen your security posture.
- Mobility: According to the FBI, “The more mobile, the more vulnerable.” Every day our culture is becoming more and more mobile and, while this is convenient and expected, it also adds layers of risk that need to be addressed.
- USB drives: This is a serious and increasingly used vector of attack. Think about how easily an office visitor could plug a USB drive into a device, leave it there, and then begin mining your data.
- Content Filtering: Web traffic is inevitable but can be filtered to trap or block sites and web traffic activity.
OTHER POLICIES AND PLANS THAT SHOULD BE IN PLACE
- Define your Business Continuity and Disaster Recovery plans. These need to be in place and rehearsed/reviewed at least annually. Don’t wait for a disaster to make sure you are ready.
- Address Incident Response. Assume that at some point things will happen. Plan for this and map out the appropriate steps to take following a breach.
- Address Vendor Management. Vendors that have access to firm and client data present as big a risk as internal personnel.
The responsibility of firms today to address the ever-changing threats and vulnerabilities faced by our industry requires a holistic look at all elements of security. In doing so, don’t forget the importance of properly written, sponsored, and communicated security policies.
Stay tuned for more on “How to Hack a Law Firm.” Next week: PEOPLE.
HOW CAN WE HELP YOU?
If you would like more information about OnGuard, our Information Security Awareness Program or any of the Information Security Services we provide, we would love to hear from you.
WANT TO HEAR MORE?
Please feel free to listen to the “How to Hack a Law Firm” session recorded at ILTACON 2017, courtesy of the International Legal Technology Association.