Digital White Papers

MT18

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/1031816


ILTA WHITE PAPER | MARKETING TECHNOLOGY

Security: A Shared Responsibility between Marketing, IT and Attorneys

sites as "not secure," even if they were legitimate companies. Most firms understood the importance of purchasing an SSL certificate to reassure visitors, but many had not budgeted for this additional expense. Setting aside money for changes like this, or other security or privacy vulnerabilities that are uncovered (think software bugs or new regulation like GDPR), will ensure your team can jump right into action to address them.

4. Educate your employees.

You can't expect your people to join the effort to keep your firm and your clients secure if they don't know what to look out for. Typically, threats don't target those they think will be difficult to bypass. Instead, they try to gain entry through the everyday employee. A careless or negligent employee who exposes sensitive information or falls victim to phishing attacks is most often the cause of a data breach. Educating your employees on the tactics hackers use to infiltrate your systems or data will help them keep their guard up (see sidebar).

Hold quarterly drills or tests whereby you create a fake hacking scenario and see how your employees react. Do they take the bait? Do they flag the suspicious behavior to the appropriate team? Once you conclude the test, follow up with additional training for those who failed your drill, and use these as examples in your next firm-wide security training, which should be held annually.

5. Hold your third parties accountable.

Think about it. Your clients and prospects hold you to a certain standard when it comes to security and privacy controls. Why should you not do the same for your vendors? In your quest to align yourself with partners that also foster a culture of security, it is important to review your contracts and conduct due diligence on your vendors. Consider also adding language to your RFPs to ensure you're only engaging with those who take security as seriously as you do. You should ask or consider:

» What data is at issue? Does it include personal, confidential or sensitive information?
» Are the data ownership rights spelled out and well understood? Who has access to the data and how can it be used?
» Understand data flows, who will have access to the data, and where it will be stored.
» Consider whether they have adequate systems in place to limit unnecessary access or vulnerability.
» Does the transfer of data comply with all applicable laws? Is the data stored beyond U.S. borders, or are there employees and subcontractors outside the U.S. who will have access to the data?
» Use pre-qualification reviews, audits and certifications.
» Are your vendors GDPR and SOX compliant? Certifications such as ISO 27001 are also good indicators of a potential partner's security capabilities.

Sidebar

Typically, hackers are driven by one of the following motives:

Defacing the Brand: Hackers sometimes carry out an attack in an attempt to harm or leverage your brand. Often predicated on a political agenda, in this situation the goal is to paint your firm in a bad light, misrepresent what you stand for, publicly shame you for an action you have taken, or capitalize on the popularity of or traffic to your site. Vigilante hacking groups such as Anonymous are known for carrying out these kinds of attacks. If your attorneys are working on sensitive matters or representing controversial subjects, your firm has the potential to fall victim to this group's mission.

Accessing Sensitive Data: A normal, clear-headed individual wouldn't part with his or her login credentials, financial information or social security number willingly. Hackers have grown more creative and sophisticated in their attempts to gain access to this information. Whether it's feeding their bank accounts, stealing

(Continues on next page)
