The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/411912
WWW.ILTANET.ORG 85 What is your organization currently focusing on in regards to security? Sherri: This past year we focused a lot on low-hanging fruit. We implemented two-factor authentication, which allows our remote users to access our network environment more securely. We also implemented mandatory smuggle device management so if any of our attorneys have problems with or lose their cellphones, we can easily secure firm and client information. Jamie: Right now we're focused on the successful implementation of our ISMS and certification against the ISO 27001:2013 standards. We plan to be completed by the end of this year. We're also working with several emerging security vendors to see if we can leverage their products to continue to improve our ability to detect threats and data loss, and leverage intelligence within our environment. Paul: We recently launched a new service called Advanced Endpoint Threat Detection or AETD, a managed service that continuously scans all computers connected to the network to determine if a threat has evaded antivirus software or network security and has loaded onto a computer. AETD detects when a computer has been compromised by a threat. Rather than having to reimage too many or too few systems, AETD focuses on the affected computers to minimize downtime while maximizing security. Why should security be "everyone's business" within a law firm or legal department? Jamie Herman: Whether information is your holy grail and business driver, or whether it's a product or Web resource like one of the major online retailers, protecting information is critical to prolonging the lifeline of your business in the digital age. Wherever your information assets reside, your data must be treated like Fort Knox-type material and protected with appropriate controls. Years ago, security was primarily the domain of security folks and technologists, but now it has infiltrated board rooms and senior leadership meetings across large organizations and law firms. Paul Orth: That's right, because in the legal space, law firms are a rich repository of corporate secrets, business strategies and intellectual property for both clients and the firm itself. Threat actors need a foothold into the target organization to conduct their malicious activity below the radar and to steal whatever they are after. It doesn't matter if you are the CEO, a secretary, an attorney or a systems administrator, you could be targeted as the initial foothold. That's why it's everyone's business. Sherri Vollick: Security should be everyone's business because it affects every individual in the organization. In your lifetime, you will most likely experience a security breach — probably a credit card breach, the most common occurrence. Security should be on everyone's mind, not just in a law firm or legal department, but in every business and in everyday life. Jamie Herman Jamie Herman, C|CISO, CISM, CISSP is the Manager of Information Security at Ropes & Gray. He is also a member of the firm's Information Steering Committee. He has more than 15 years of experience in information security, risk management and information technology. Jamie sits on ILTA's LegalSEC steering committee and has presented and written for ARMA, ILTA and CISO events and publications. Contact him at jamie.herman@ropesgray.com. As long as a malicious actor is attempting to exploit a vulnerability or an unsuspecting employee's trust in order to obtain something of value, everyone must be vigilant.