Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353


Ask The Expert: Information Security: A Universal Concern

… create appropriate strategies and controls for stewardship of information assets. This process should be carried out whenever there are changes to the system, including changes to technology, business operations or workflow, to account for new threats and vulnerabilities that these changes bring.

Matt: Yes — you need to have a serious talk with people at the top of your organization regarding possible threats at least once a year. I recommend having outside security experts conduct risk assessments of your business operations. That helps you understand what threats exist, how serious they are and how often you may have faced them without knowing it.

Tom: Risk assessments are a baseline entry point for information security programs, and everyone should be doing them. As Jeff mentioned, assessments should be done at least as often as you have major systems changes in your environment. If you have a dedicated department to address those kinds of things, they should continually be on the alert for any policies or procedures that need to be modified to address security threats.

Brian: There is only one thing I know of that changes more than technology, and that's securing it. You are only as secure as the last time you locked the door. I don't believe that risk assessments have to occur more than once or twice a year, but I firmly support there being systems and processes in place to consistently monitor and manage the environment.

Annette: Absolutely — it's essential to conduct risk assessments on a regular basis to be sure your firm's processes and technology are still viable. Conditions will change over time, and you'll get new assets that need to be protected. New threats will arise, and you'll need to be aware of them. Taking the time to do a regular risk assessment forces the firm to focus on these issues and take appropriate measures to minimize threats. Most global firms do it annually, which is what the U.K. Law Society recommends.

What's the best way to ensure education about the security risks of lawyer and staff behavior?

Brian: Risks arise from users not understanding the increasing risk of exposure. It is my job to secure the environment and still allow attorneys to deliver optimal services to our clients. If I lock everything down, I'll lose their confidence, and they'll find ways to break through any fence we put in place. I pick my battles, conduct open dialogue and casually discuss security concerns. I also try to prevent firm users from answering vendor questions and giving credentials to outsiders. We also promote ongoing education through communication.

What kind of pressure is your firm getting from clients to improve security standards?

Matt: A lot! New regulatory environments in the U.S., the EU and in places like Singapore are making clients much more attuned to IT and security issues — the pressures on them are clearly filtering to their law firms. We're getting questions about how we secure and segregate things, what password requirements we impose and how we restrict access to certain systems. Whether it's pressure or just the way our technology-laden world has changed, it's the environment we live in. And we're only going to see more of it, not less.

Tom: You have to create a policy that establishes expectations. On top of that, you have to require education and continual learning so lawyers and staff can be better prepared for the changing threat landscape. We generally need to look for nontraditional ways to educate them. Lunch-and-learns help us get the attendance and attention of lawyers.

Matt: It's tough because it's tempting for lawyers and staff to use the latest and greatest consumer technologies. If you make people aware of the possible implications of extending IT into their homes and mobile lives, you can help them understand how they can be more secure by changing their behavior a little bit. To do that, we need to use the tools we see in advertising and in games; try to engage people with humor and fun. Start when people are new employees, conduct refreshers, and use email messages to communicate threats that arise. But the most powerful way to ensure education is still one-on-one, especially when someone has come close to making serious security mistakes.

Annette: Lawyers are concerned with getting their daily jobs done and providing the best service they can to their clients. They're not really conscious of the security issues that might arise because of their working practices (e.g., working offline, using smartphones, etc.), and they don't want to have to deal with processes or procedures that are going to add time to administrative tasks. So I think it's just a matter of educating them on why we have processes in place and why it's important for them to comply with those. At our firm, we have initial training, annual updates, ongoing awareness via email messages and regularly scheduled refresher training on a broad range of security issues.

Jeff: Users who are not educated on information security threats and countermeasures are much more prone to fall prey to social engineering attacks, such as phishing. With so many lawyers and staff carrying their own devices that are not managed by the firm, a formal awareness program can go a long way in making everyone more cognizant of how they handle sensitive data.
