Peer to Peer Magazine

Winter 2019

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/1195860


encryption with a password for any data saved to a flash drive. This was accepted by the auditor as a solution and had little impact on the firm. The cost to us was $0 and the time to implement it was just a few hours.

• Be proactive and utilize technology integrators who have experience with law firms to audit the firm. They have highly skilled security experts and are used to helping address audits. It is best that an integrator identifies a critical security issue before the client does. A thorough audit should take weeks, not days, to complete. In addition, perform penetration testing bi-annually by a third party and address critical findings before the auditor requests it.

• Identify the revenue from the client before jumping through hoops to complete their audit. I once handled a security audit requiring weeks of work to complete, and at the end we found out that the client's annual billables the prior year were under $30K.

• Review the findings of any network scans in detail. In one findings report by a third-party vendor we showed 25,000 locally installed "risks". After careful review, we found that the number was 25 and the risks were mostly DLLs requiring patches. Because they scanned 1,000 PCs, the report displayed it as 25 x 1,000 = 25,000 items, not 25 items.

• Develop Security Awareness Training plans. Make it mandatory and include a sign-off page, because saying you have a Security Awareness Training Program in place is not enough for auditors. They want documented proof that employees must attend this training annually.

• Backups are important, but it is also important to test the restore capability and the time to restore each type of backup. You don't want to find out that you lack the bandwidth to restore large amounts of data after a disaster strikes. We once had to restore several large datasets and found out that the time to move the data across the WAN would be days, so we requested the backup vendor ship us the data on a drive at the cost of several thousand dollars and a delay of a few days. Of course, these days, a highly redundant cloud solution would alleviate backups in general.

• For on-site audits, do NOT allow the auditor access to an office without you being there. I once had an auditor arrive early. Reception left him in an open conference room. He walked throughout the hall and looked at documents on the printers and on desks. When I arrived he said "you need to implement better facility security measures at your offices". We did address this quickly at that office, but this incident raised some concern.

• Review NIST, ISACA and ISO security standards. Standardizing the firm on ISO 27002 would make clients happy, but the cost to accomplish this is very high and requires training for all employees. In the end it may cost more to be ISO compliant than what the client is billed.

• Create a Cybersecurity Committee and meet regularly to be sure they are aware of the current challenges and can advise on how to move forward with legal challenges and budgets.

Final words regarding cybersecurity. It is here to stay and should be taken very seriously. A failure to comply with audits or to stay abreast of changes in the security landscape can end up in a loss of business. Be proactive and create a cybersecurity policy that covers all areas of the firm. Bring in a third party to audit the firm. And be sure that senior management is on board to enforce the policies.

Mike Gargiulo

Mike Gargiulo is a law firm veteran with over 25 years of technology experience working in several AMLAW 100 law firms and in corporate legal departments. He has extensive experience in developing legal matter-centric systems. He held various IT support and leadership roles at several NYC law firms, including CIO and CISO roles. He has handled over 50 client security audits and written numerous security-related policies, including Business Continuity, Disaster Recovery and Security Awareness Training policies. He has been a member of ILTA since 1993. Mike holds a certification in document management systems and in agile project management.
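The scan-findings tip above (25 real issues reported as 25,000 "risks" because every issue was repeated once per scanned PC) is easy to check mechanically. The script below is an added example, not code from the article or from any scanner vendor: it reads a per-host findings export, groups rows by finding identifier, and reports how many unique issues there are and how many hosts each one affects. The CSV column names and the sample rows are constructed assumptions; a real export would be mapped onto the same fields.

```python
"""Collapse per-host vulnerability scanner rows into unique findings.

Added example (not from the article or any scanner vendor). Many scanners
emit one row per (host, finding) pair, so a handful of missing patches on a
large fleet inflates into tens of thousands of "risks". Grouping by finding
identifier gives the number an auditor should actually be reviewing, plus the
host count per finding so the widest-spread issue is handled first.
Column names and the CSV layout below are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (host, finding) pair.
# Three distinct findings spread across four hosts, with repeats.
SAMPLE_REPORT = """\
host,finding_id,title,severity,component
PC-0001,VULN-A,Outdated runtime library,High,msvcr120.dll
PC-0002,VULN-A,Outdated runtime library,High,msvcr120.dll
PC-0003,VULN-A,Outdated runtime library,High,msvcr120.dll
PC-0004,VULN-A,Outdated runtime library,High,msvcr120.dll
PC-0001,VULN-B,Unpatched PDF reader,Medium,pdfreader.dll
PC-0002,VULN-B,Unpatched PDF reader,Medium,pdfreader.dll
PC-0003,VULN-C,Legacy TLS version enabled,Low,schannel
"""


def parse_findings(report_text):
    """Read the CSV export into a list of row dicts (one per host instance)."""
    return list(csv.DictReader(io.StringIO(report_text)))


def summarize(rows):
    """Return instance count, unique finding count and a per-finding breakdown.

    The breakdown is sorted by number of affected hosts (descending), then by
    finding id, so the issue hitting the most machines is reviewed first.
    """
    hosts_by_finding = defaultdict(set)
    meta = {}
    for row in rows:
        fid = row["finding_id"]
        hosts_by_finding[fid].add(row["host"])
        # Keep title/severity from the first row seen for each finding.
        meta.setdefault(fid, {"title": row["title"], "severity": row["severity"]})
    breakdown = [
        {
            "finding_id": fid,
            "title": meta[fid]["title"],
            "severity": meta[fid]["severity"],
            "hosts": len(hosts),
        }
        for fid, hosts in hosts_by_finding.items()
    ]
    breakdown.sort(key=lambda f: (-f["hosts"], f["finding_id"]))
    return {
        "instances": len(rows),
        "unique_findings": len(hosts_by_finding),
        "breakdown": breakdown,
    }


def format_summary(summary):
    """Render the summary as the short table one would hand to an auditor."""
    lines = [
        f"{summary['instances']} reported instances collapse to "
        f"{summary['unique_findings']} unique findings:"
    ]
    for f in summary["breakdown"]:
        lines.append(
            f"  {f['finding_id']:8} {f['severity']:7} "
            f"hosts={f['hosts']:<4} {f['title']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize(parse_findings(SAMPLE_REPORT))))
```

Run against a real export, the two headline numbers (instances versus unique findings) are the ones to put in front of the auditor; the per-finding host count is what drives the patching order.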
