Digital White Papers

October 2013 Risks and Rewards

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/192213


SECURITY AWARENESS TRAINING: IT'S NOT JUST A GOOD IDEA, IT'S A MANDATE

"What are you doing about security?" was to point to the latest and greatest appliance installed on your network, or perhaps to a massive binder filled with detailed policies, all oriented toward protecting information. By now, we all know that technical safeguards and policies aren't enough. The best defense against internal and external threats is to create a culture of security that focuses on the human element and changes behavior to help safeguard information.

To build an effective security culture in your firm, it's necessary to move beyond technical safeguards and policies, focusing on the firm's employees — attorneys and staff. Security awareness is an equal opportunity program — protected information is accessible to employees in all job roles across the firm and is as easily disclosed by an attorney as a staff member.

The mandate behind security audits and questions isn't as simple as checking a box to say we've "done" security awareness. The real goal goes well beyond that to changing behaviors so people work in ways that protect information. It's this difference — real change as opposed to mere compliance — that sets a security awareness program apart from many other training initiatives at your firm.

A PATH TOWARD REAL CHANGE

Research demonstrates that having strong policies in place, or conducting one-time training events, isn't enough to bring about behavioral changes. Changing employee behavior is more likely to be successful within the context of a long-term program that makes it second nature for them to think about security risks, and work in ways that safeguard systems and information. They will report possible security threats and vulnerabilities even before incidents occur. They will be more willing to follow security policies and procedures because they understand their purpose.

This type of culture can likely reduce the number and/or severity of security incidents, becoming something users always think about, consider and discuss. While risk analysis is nothing new for law firms, having granular conversations at all levels of the firm is likely a different approach than what most firms have previously experienced.

Creating such a significant change in a firm's culture might seem daunting. By leveraging proven change management methodologies, firms can turn to a blueprint that has helped numerous organizations bring about successful change on an enterprise scale, including changes in security awareness. This methodology is based on years of research conducted by Prosci, a leader in the change management field for many years. Their five-phase model uses a stair-step approach, requiring employees to engage with each sequential phase to be successful in bringing about long-term change.

BUILDING AWARENESS

Your efforts begin with the "awareness" phase. In this phase, you'll share case studies, news stories and other relevant examples that help build an understanding of the very real security issues and threats facing law firms. While it might seem obvious that security is a real concern, your goal is to help employees make a connection between the stories permeating the news and their day-to-day work.
