The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/80353
An effective security training program requires ongoing education. Here are some key areas to consider:

• Law firms are being targeted by hackers. Lawyers and staff should understand the severity of the threats targeting law firms and, more important, how a firm and its clients could be affected by a breach of client data.
• Specific data are considered confidential by the firm. Lawyers and staff should be instructed on how to recognize sensitive data in need of protection.
• The firm has policies and procedures. Many lawyers and staff may not recall or be aware of the firm's policies and procedures that outline the appropriate ways to handle client data and use technology safely.
• Email messages might be phishing attempts. While this is an old topic, it is still a relevant one, as phishing attacks have become much more sophisticated and targeted. Lawyers should consult IT if they have any reason to suspect an email message is not legitimate. In addition, lawyers and staff should clearly understand what information should or should not be sent via email.
• There is a safe way to surf the Web. To reduce the risk of stolen usernames and passwords, everyone should understand how to identify fake login pages or those that do not transmit login credentials securely (via https).
• Social networks can be inaccurate. Most social networks do little to no validation of a person's identity. As a result, attorneys and staff should not trust a social network profile to be true or accurate.
• Social engineering comes in many forms. While phishing is the most common form of social engineering, motivated attackers will still use phone calls or even physical mail when trying to extract information.
• Passwords need to stay secure. The dangers of password reuse, password sharing, insecure storage/transmission of passwords and using a weak password are all important topics to cover, especially when providing remote access to client data.
• Personal devices require security measures. If lawyers and staff are using personal devices for business purposes, train them on good system administration practices (patching, anti-virus software, safe software installation, etc.).
• There are people available for support. Because there is no way to cover all possible topics, let lawyers and staff know where to turn when they have a question. Establishing an ongoing dialog will ensure unanswered questions do not turn into open problems.
• Security needs to be a shared responsibility. It is important for everyone to understand that no technology can protect a user from poor or reckless behavior, and it is not IT's sole responsibility to keep the firm safe.

And remember that your users might have questions. Ask lawyers, staff and IT if there are any common security problems or unclear policies on the use of technology. Addressing day-to-day concerns will maximize the training's relevance and establish its credibility.

Training Tips

The way in which a training session is delivered can have a major impact on how well the information is understood and internalized. Lawyers and staff need to understand the risks facing their firm, and an effective training program is the best way to instill that knowledge. Here are tips to help you design your training program:

56 Peer to Peer