Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353


The quest for improvement has brought about a new ILTA initiative called "LegalSEC™," with which we can all get better by collaborating and leveraging our collective knowledge.

Layers of Challenges

While attending the ILTA conference planning meeting in the winter of 2011, I discussed with one of my peers the challenges that we were facing within our respective firms. We quickly identified the lack of security standards as a common concern. Both firms had strong security controls, but we struggled to help management understand the risks of not being better. This made us wonder about the technology departments in smaller firms and whether the struggle increased as the size of the firm decreased. Bigger law firms usually have dedicated information security professionals and more intricate risk management practices, but smaller firms have fewer resources to keep up with the evolving security landscape.

This conversation was ingrained in my mind, and I started bringing it up whenever I talked to colleagues. It quickly became obvious that no matter the demographics of the firm, we were all facing the same problems, and we were all craving some guidance on how to deliver better, more efficient information security to our firms.

The question was also raised of why we, as technologists, need to drive information security efforts. We all read and hear that strong information security programs should be driven by executive management, but law firms have been the exception. Management usually relies on their technology department when it comes to security, disaster recovery and other processes that have nothing to do with the business of law. This is not necessarily because management doesn't care, but because it is part of a technologist's DNA to think about what could fail or go wrong, and to prepare for it. Where many fail is in the way we communicate the risks to the firm.
It is not about locking the iPhone with a six-digit password after five minutes of idle time because we have a policy that says so; it's about the risk of not doing so. Yes, management should drive the initiatives, but technologists have a great opportunity to work with them and help them gain the knowledge they need in order to support the building of the security program that technologists have been craving.

We also have our clients to think about. During the time I was having these conversations with peers and doing research, another obvious concern was the spike in client audits and RFPs that contained information security-related questions. Inside counsel read the same news that we do, and, heck, they are ILTA members with access to our discussions. What makes you think they don't worry about the state of information security within the legal profession? In fact, we are starting to see clients mandate that firms implement specific controls in order to keep their business, so don't be surprised if you see this at your firm in the near future.

And then there are our people and processes. There are two problems here: insider trading and a fundamental lack of awareness and education. There have been many instances of the former reported in the last couple of years, such as an IT manager charged with using his access to the firm's electronic data to support almost two dozen trades, and recently a reported case in which three people were indicted on cybercrime charges for working together to hack a law firm in Pittsburgh; one of them was a former employee and another was an associate of the hacktivist group Anonymous. These situations could be tackled by the implementation of proper technologies, but technology is not enough when it comes to security. There must be a thorough understanding of the different business processes and operations of the firm so that proper security policies and procedures can be put in place to support them.
We must also educate our users about the proper use of the firm's technologies. You can have strong, effective security controls in place, but if someone in the firm clicks on a phishing link, then your controls could prove useless. We can't just throw technology at security problems; we have to approach things holistically, and user education could go a long way in our efforts. As Stewart Baker, a partner at Steptoe & Johnson LLP, put it in a recent interview with The National Law Journal: "The weakest part of the security system is between the keyboard and the back of the chair." That gets my vote for best quote of the year!

To top it all off, we are encountering advanced persistent threats (APTs) — a type of cyberattack targeted at specific organizations with a very specific goal. They are Advanced because they are very sophisticated and difficult to detect. They are Persistent because they can go undetected until they achieve their goal, and they are Threats seeking to exploit vulnerabilities and penetrate your systems by combining advanced techniques and (sometimes) human interaction. It's important to be aware of such threats because our line of business is based on critical information that we handle on behalf of our clients, making our firms "information goldmines." That makes us a very attractive target for
