
The Evolving Landscape of Data Privacy: A Mandate for All

Data Privacy used to be that “bolt-on” topic added to the far more enticing conversations around cyber and information security. Protecting information from the bad guys was far more interesting than protecting information because it was “required.” However, the topic of data privacy has now captivated discussions among leaders of organizations. It is a mandate that is now reaching everyone and demands our attention.

From the European Union’s GDPR mandate that had global reach to the growing list of states in the US that have enacted data privacy laws, it is a topic that must be a part of the education and direction given to all employees.

Current State of Data Privacy Laws

As of now, 20 states in the US have enacted comprehensive data privacy laws[1]. These state laws have set the precedent for others to follow. The momentum for comprehensive privacy bills is at an all-time high, with several more states expected to implement similar laws in the near future[2].

Foundational Principles of Data Privacy

Understanding data privacy begins with recognizing its core principles:

  1. Lawfulness, Fairness, and Transparency: Data must be processed lawfully, fairly, and in a transparent manner.
  2. Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes.
  3. Data Minimization: Only data that is necessary for the purposes should be collected.
  4. Accuracy: Data must be accurate and kept up to date.
  5. Storage Limitation: Data should be kept in a form that permits identification of data subjects for no longer than necessary.
  6. Integrity and Confidentiality: Data must be processed in a manner that ensures appropriate security.
  7. Accountability: Organizations must be able to demonstrate compliance with these principles[3].

What Everyone Should Know

Data privacy is not just a legal requirement but a fundamental right. Everyone should be aware of the following:

  • Consent: Individuals must give explicit consent for their data to be collected and used.
  • Transparency: Organizations must be transparent about how they collect, use, and share data.
  • Security: Protecting data from unauthorized access and breaches is crucial.
  • Rights: Individuals have the right to access, correct, and delete their data[4].

What Everyone Should Do

To ensure compliance and protect data privacy, organizations and individuals should:

  • Educate: Regularly train employees on data privacy principles and practices.
  • Implement Policies: Establish clear data privacy policies and procedures.
  • Use Technology: Employ data protection technologies and practices.
  • Monitor and Audit: Continuously monitor and audit data practices to ensure compliance[5].

Conclusion

Data privacy is no longer an afterthought but a critical component of organizational strategy. As laws evolve and the importance of data privacy grows, it is imperative for all employees to be educated and vigilant. By understanding and implementing the foundational principles of data privacy, organizations can protect themselves and their clients, ensuring trust and compliance in an increasingly data-driven world.

[1]: Bloomberg Law [2]: National Law Review [3]: IBM [4]: Harvard Business Review [5]: Pew Research Center

References
[1] US State Privacy Legislation Tracker – International Association of …
[2] Which States Have Consumer Data Privacy Laws? – Bloomberg Law
[3] What are the US States with Data Privacy Laws? | DataGrail
[4] The State of Consumer Data Privacy Laws in the US (And Why It Matters)
[5] Key findings about Americans and data privacy – Pew Research Center

About the Author

Kenny Leckie

Senior Technology & Change Management Consultant

In his role as Senior Technology and Change Management Consultant, Kenny provides thought leadership and consulting to the legal community in areas of information security/cybersecurity awareness, change management, user adoption, adult learning, employee engagement, professional development, and business strategy. He also works with clients to develop and deploy customized programs with an emphasis on user adoption and increased return on investment. Kenny is a Prosci Certified Change Practitioner, a Certified Technical Trainer and has earned the trust of firms across the US, Canada, The UK, Europe and Australia.

Kenny has more than thirty years of combined experience as a law firm Chief Information Officer, Manager of Support & Training, and now consultant, providing him with a unique point of view and understanding of the challenges of introducing change in law firms. He combines his years of experience with a strategic approach to help clients implement programs that allow focus on the business while minimizing risk to confidential, protected, and sensitive information. Kenny is an author and speaker and a winner of ILTA’s 2018 Innovative Consultant of the Year.

Keeping Security Awareness Relevant

There is a tried-and-true principle that helps guide a successful security awareness program – until something matters to someone personally, they will never change. This speaks to an important part of all security awareness efforts – answering the question: why should they care? That’s why there is an ongoing need to keep your security awareness program RELEVANT to the individuals in your firm.

Part 2 of this series: Keeping Security Awareness Relevant.

Practical Ways to Keep Your Program Relevant:

  • Make it personal. Tie every security awareness communiqué to its personal application for the individuals in your firm.
  • Give people what they need to be successful. Don’t just tell them scary stories or things not to do. Provide practical, actionable guidance on what they can do in the face of ever-changing security threats.
  • Use current events – without driving fear. The news (industry-specific, regional, national, and international) is full of current events that can help drive awareness of the need for good security hygiene. The challenge is not to “scare people straight” with the information, but rather relate it to why security best practices should be on people’s mind as they do their job and live their lives.
  • Tailor the message to its audience. Not everything matters to everyone the same way. Along these lines, consider who should send the message. Not everyone listens to the same people the same way.
  • Get testimonials and stories from your firm. This brings the message of security awareness closer to home and closer to front of mind.
  • Use specific stories that are relevant to law firms and law firm personnel. While some generic security guidance is helpful, tailoring the messages and information to law firms and law firm personnel gets their attention more quickly.
  • Empower your people to respond. Remind them that EVERYONE is part of the security effort of the firm. Remind them regularly who to call, who to email, and what to do in the event of an incident or a security-related question.
  • Deal with resistance. Invariably, there will be pushback on participation in a security awareness program. This is most noticeable when you are asking people to DO something (like attend an event or consume learning content). Keep in mind that resistance is not bad. It is an indication of something. Listen to them and ask why.
  • FINALLY, the pièce de résistance. Give them practical tips and useful information to help them in their personal lives. Give them advice for their home, travel, family, and finances. Give them best practices for protecting their identity and the things that matter in their lives. This will win the hearts of your people and not just the minds.

Next will be the final in the 3-Part series – Part 3: Keeping Security Awareness Sustainable.

Reminder: If you need help getting your security awareness efforts off the ground or achieving all three goals with your security awareness program mentioned in this series, we’re here to help.


Keeping Security Awareness Sustainable

A good and effective Security Awareness Program is not a ‘set it and forget it’ kind of thing. It takes constant care and feeding. If it is important to the firm (and it is), to our clients (and it is), and to our people (and it must), then planning for its sustainability is critical.

Part 3 of this series: Keeping Security Awareness Sustainable.

Practical Ways to Keep Your Program Sustainable:

  • Stay the course. Don’t stop just because something doesn’t work as you expected.
  • The security awareness program MUST be agreed to and modeled by LEADERSHIP. 
  • EQUIP Leadership (at all levels) to be successful in supporting Security Awareness.
  • Bake it into Onboarding. Start a new hire off with an understanding of the importance of security and security awareness at this firm.
  • Keep the tone POSITIVE. There’s only so much negative that people can take. Even negative stories/issues can reinforce the positive actions and awareness people need.
  • Deweaponize your Security Awareness Program. If your program just catches people doing the wrong thing or just emphasizes what not to do, it will sour quickly in the minds of your people. 
  • Be mindful of who sends the message. It can’t just be the IT Department. Here are some suggestions:
    • Use multiple voices to get the message out.
    • Leverage top executives for messages or information that is firm-wide or strategic in nature.
    • Leverage direct supervisors to get more specific information to individuals on how this impacts them in their day-to-day work.
    • Use peer-to-peer messaging. It’s always good to hear from the “normal people” in the firm. People will often listen to their peers before they listen to IT or to leadership.
    • Use outside experts to assist in your efforts. Sometimes, it takes an outside voice to get someone’s attention.
  • CLEARLY and REGULARLY state: Who to call/email; What to do if you have questions; What to do in the face of…
  • Use your metrics wisely.
    • What you do with metrics matters. Measure security awareness related activities that show or measure changes in behavior (statistical and anecdotal). 
    • Continue to gather them. Metrics give you opportunities to tie changes in the program to trends in behaviors of your people.
  • Cadence is important. Security Awareness information can’t be a “once a year” thing. A sustainable program creates an environment that expects a steady flow of useful security information, education, and guidance. 
  • Leverage multiple learning opportunities or avenues:
    • On-demand content
    • Monthly topical emphases
    • Live Events
    • CLE options
    • Be prepared to distribute “In the moment” communications and educational opportunities in the face of an incident that occurred, a new “Threat in the wild” for people to be aware of, or a testimonial of a firm or client event.
  • Invest in the program. It can’t be fully automated and requires time, attention, and resources.
    • Ask how big a team the firm can afford, or cannot afford to be without.
    • Know that you can’t do it all yourself.
    • Provide around-the-clock response.
    • Outsource elements of the program if needed.

Let’s remind ourselves of the big picture of the Security Awareness Program journey.

Security Awareness is essential in today’s world. People are the target and the primary starting point for security incidents. Invest in a program that is Engaging, Relevant, and Sustainable.

Reminder – If you need help getting your security awareness efforts off the ground or achieving all three goals with your security awareness program mentioned in this series, we’re here to help.


Keeping Security Awareness Engaging

There is no ‘one size fits all’ approach to Security Awareness. Since people are involved, it remains an ongoing challenge, but a worthy one. Not everyone is alike or cares about the same things, so it takes a multi-pronged, concerted effort, and a commitment to the journey to keep the program Engaging, Relevant, and Sustainable.

Part 1 of this series: Keeping Security Awareness Engaging.

Let’s start with a big picture reminder of the Security Awareness Program journey.

Notice that I’m calling this a PROGRAM… not a project. There is a difference. This journey has no foreseeable end but has a meaningful impact on the firm. It takes effort, considered thought, and a willingness to adjust as things change to keep the PROGRAM vibrant and meaningful.

Now let’s get into some practical ways to keep your PROGRAM Engaging.

Practical Ways to Keep Your Program Engaging:

  • Engage THEM (the people in your firm). It seems like a simple start, but don’t assume you know what matters to them or what they are facing. In the words of Stephen Covey, ‘Seek first to understand, then to be understood.’ Here are some practical ways to engage the people in your firm:
    • Engage each group and role in the firm. 
    • LISTEN with the intent to understand the issues each group faces and what matters to them.
    • Meet them where they are by joining or being a part of existing groups and meetings. Don’t make them come to you. 
    • If you are not allowed to join some meetings, engage the leaders of each group to ASK them for information. Perhaps they may also be willing to convey questions or issues to the group and bring back feedback to you. 
    • Gather lessons learned, explanations, and opinions from people. Examples of feedback from Associates at a firm:
      • Keep it short (less than 15 minutes). 
      • We don’t read more than the first line or so of a paragraph (so adjust your communications accordingly).
    • Educate your team to also LISTEN differently to information from people in the firm.
      • Example: a Helpdesk staff member noted, and complained, that someone had asked them a Gmail security question. In fact, THIS IS GOOD: it means the caller was asking about a security hygiene issue and best practices. This was a teaching moment for the Helpdesk staff.
  • Start from a place of trust
    • The goal is NOT to catch people doing wrong. Don’t set traps and weaponize the results.
    • Always convey that the goal of the program is to raise people’s security awareness and acumen… not send them to detention. If people think you are out to catch them making mistakes… they will stop listening.
    • Your users want to do the right thing. Ask yourself, “how can you help?”
    • Learn how to tell a negative story about your firm in a positive way.
      • Things happen. Be open and transparent when addressing issues that the firm experiences.
      • How you respond to an incident carries a lot of weight both inside and outside the firm.
      • Reuse and leverage the story to promote good security best practices.
  • Delivery / Engagement Tips:
    • Keep regular messaging short, concise, and consistent.
    • Remember the “Rule of 5-7” – people need to hear something 5-7 times before they realize they should pay attention. There’s more than just one way of communicating. Email is not your only avenue.
    • Keep the messages immersive, but not disruptive – meaning get to the point and move on. People need to know three things: why they should care, what they need to know, and what they need to do. 
    • Think “Yes, AND…”: there is no “one size fits all” approach.
    • Equip Leadership – Help Leadership be successful in supporting Security Awareness by giving them talking points, notifying them of Security Awareness activities ahead of time, etc.
    • Always look for creative ideas. Don’t think it all rests on your creativity.
      • Crowd source from your firm.
      • Ask peers.
      • Leverage industry groups like ILTA.
      • Don’t be afraid to ask for help (Marketing Department, trusted business partners, etc.).
    • Some Additional Ideas to keep people engaged:
      • Drawings / raffles
      • Steady flow of practical tips for home and personal security
      • Make it a part of the firm’s HR review process
      • Tie it to the firm’s and individual’s ethical behavior

Next in the series will be Part 2: Keeping Security Awareness Relevant followed by Part 3: Keeping Security Awareness Sustainable. If you need help getting your security awareness efforts off the ground or achieving all three of the above-mentioned goals with your security awareness program, we’re here to help.


Boosting Legal Productivity with Microsoft Copilot

Why Law Firms Should Embrace Microsoft Copilot

In a world where time is of the essence, legal professionals are constantly seeking ways to enhance efficiency without compromising security. The recent surge in the adoption of ChatGPT showcased the demand for AI-powered solutions, but it comes with a significant drawback—security concerns. Enter Microsoft Copilot, an enterprise solution that not only provides the advantages of Generative AI but also addresses the risks associated with data security. In this article, we’ll explore what you should consider when embracing Microsoft Copilot and how it can transform legal workflows.

Unveiling Microsoft Copilot

Microsoft Copilot, unlike its counterparts, is designed to be a secure, enterprise-level solution that seamlessly integrates into the Microsoft 365 (M365) ecosystem. This means it is embedded in all your M365 applications, ensuring that the power of Generative AI is at your fingertips whenever and wherever you need it. More than just a time-saving tool, Copilot acts as your personal assistant, helping legal professionals with various aspects of their work.

Security First

One of the primary concerns with ChatGPT and similar platforms is the potential risk of data leaks, especially when dealing with sensitive information common in legal practice. Microsoft Copilot prioritizes security, offering law firms the confidence to leverage AI without compromising the integrity of client or firm data. With Copilot, you can enjoy the benefits of Generative AI without the associated security headaches.

Boosting Productivity

Early benchmark data for Microsoft Copilot indicates substantial time savings, from minutes to hours each day depending on the tasks. Imagine what your legal team could achieve with that extra time, focused on higher-value tasks and ultimately improving overall productivity.

Seamless Integration with M365

Microsoft Copilot is not a standalone tool—it’s an integral part of the M365 suite. This seamless integration ensures that legal professionals can access Copilot within the familiar environment of their existing applications. Whether creating new business presentations, composing or catching up on emails in Outlook, or running efficient department meetings in Teams, Copilot is there to enhance the workflow without the need for additional installations or disruptions.

Your Personal Assistant

Microsoft Copilot is more than just a time-saving tool; it’s a personal assistant for legal professionals. Want to draft email responses based on your past emails? Need to catch up on your emails after being in trial all day or after a vacation? Would you like Copilot to recap a meeting and list the action items? Copilot has you covered. 

Copilot can handle many of the things you typically can’t bill for that suck time out of your day. Its adaptability and understanding of legal language make it an indispensable tool for a wide range of tasks, empowering legal professionals to work more efficiently and effectively.

As legal professionals seek ways to optimize their workflows, Microsoft Copilot emerges as a secure, powerful solution that not only saves time but also prioritizes data security. With its seamless integration into the M365 ecosystem, Copilot becomes an indispensable part of the legal toolkit, offering a new level of efficiency and productivity. 

At Traveling Coaches, we believe that empowered individuals improve organizations, and we’re ready to help your law firm unlock the full potential of Microsoft Copilot. Contact our team today to embark on a journey of innovation and efficiency in your legal practice.

Tips to Protect Data When You Travel

Tips for Traveling

At this time of year, many of us are thinking about taking a break. As you prepare your packing list, take a minute to add one more crucial item that you simply can’t leave home without: data security.

According to experts, holidays and long weekends are prime times for threat actors to execute all kinds of malware attacks—everything from ransomware to social engineering, phishing, and beyond. That’s because long weekends and holidays give hackers more time to corrupt files and devices before anyone can respond, or even notice. Here are some tips to help keep your personal and professional data safe as you plan your next getaway.

1. “Password Protected”

Be sure your mobile devices are safe and secure. Disable lock screen notifications and enable multi-factor authentication so that you—and only you!—have access to your data. You can also apply these authentication measures to your more sensitive accounts, like banking and travel booking websites. If you must bring work on the road, consider asking your organization to provide a loaner device for travel, especially if you’re concerned about data security. Don’t leave home without outfitting your devices with remote-wipe features. That way, if you do bring your personal device, you’ll have a backup plan in case it’s stolen or compromised.

2. “You Are an Island”

It may take a few extra steps, but bringing backup power supplies for your batteries and devices means you can depend on yourself, not your surroundings, to keep your devices going. This also means your belongings are always close to you, instead of plugged into a wall at the airport or the quirky coffee shop you found. If you don’t have backup power supplies, research where you’re going and find secure spots along the way. Make sure all your devices are charged before you leave and only use them when necessary. Don’t connect your devices to other unknown devices, such as that free USB drive you picked up at the airport kiosk—this is an easy way for threat actors to send malware with you.

3. “The Public Eye”

While you’re traveling, you may be tempted to visit the business center of your hotel to check your emails or log in to the Wi-Fi connection at the bookstore you found. Most of these connections are generally secure, but watch out for the word “public” when it comes to Wi-Fi channels. A public connection is always a security red flag, because everyone can access it, which means the wrong person in the business center at the right time could really sabotage your trip. Try to avoid these kinds of connections altogether, or take the necessary steps and use extreme caution if you decide to use them.

4. “Home Sweet Home”

Traveling is great, but it also can be a rush to come home. You want to share your adventures and relive the journey you just experienced. Naturally, you want to get online and start posting pictures and seeing friends. But wait—now that you are home, take a few minutes to change those PINs and passwords. Even if you took good care of your data and devices while you were away, there’s a chance someone picked up your login information. It never hurts to give yourself that extra layer of protection.

Everyone deserves time away to relax and rejuvenate. Let’s use it as a launching pad for a day at the beach, not a data breach!