The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/80353
• Don't try to cover everything at once. Very few people have the time or the attention span to sit through a day-long training session. Pick a few topics and cover those well as part of an ongoing training plan.
• Use different approaches. In-person training, email reminders, posters in the office and on-demand webinars are all viable ways to deliver information. Mix and match them, and consider giving lawyers multiple options to learn the same content.
• Provide a range of times and opportunities. Forcing a lawyer to choose between attending security training and meeting a client deadline will greatly reduce the chances of participation. Offer ongoing opportunities to learn, regardless of the schedule.
• Use threat-based scenarios or real-world examples. It is often difficult to see how a potential problem could quickly become a disaster. Use meaningful examples to help lawyers and staff appreciate the relevance of security threats to law firms.
• DO NOT EXAGGERATE. Overstating a risk can diminish the credibility of the training program. Lawyers may come armed with a healthy dose of skepticism and will often zero in on weak points in the narrative. This scrutiny should be welcomed as a way to foster engagement. However, if scrutiny reveals a misstatement or exaggeration, lawyers may regard the entire training session as a waste of time. In the long run, this will hamper attempts to build awareness and substantially erode support for the firm's security program.
• Look for opportunities to "train the trainers." Staff can help ensure that lawyers remember and understand security policies and procedures. For example, secretaries field all kinds of questions from the attorneys they support and may be in the best position to deliver relevant security knowledge in the event of a threat.
• Ask for feedback. Both during and after the training, seek feedback on how well the information was delivered and understood. What works well for one group may not work as well for others, and lawyers' time is much too valuable to waste on ineffective training.

Trained Individuals Create a Stronger Defense

Technical controls effectively address some threats but do little to protect law firms from sophisticated attacks aimed at individuals. Untrained employees may inadvertently transfer confidential data outside the purview of the firm and its IT staff, sometimes onto insecure technologies or services. Between the increasing threat of economic espionage and heightened client demands for security controls, the need for effective security training has never been more pressing. IT cannot provide all of the necessary protections in isolation. Kevin Mitnick's statement that "the human factor is truly security's weakest link" should be taken as a challenge, and it's one that law firms must face head-on.

Awareness Training Delivers Value

Information security awareness training provides value to a firm as it:
• Builds awareness of the firm's policies and procedures
• Demonstrates a commitment to protecting client data
• Fosters communication between IT and lawyers/staff
• Promotes buy-in for security procedures and initiatives
• Reduces costs through prevention
• Meets required qualifications for cyber insurance
• Strengthens the "weakest link" in security

Adam Carlson, CISM, is a co-founder of Carlson & Wolf LLC. Adam helps law firms achieve effective security programs and tailors security training for attorneys and staff. He has over 10 years of experience in IT and security management. Prior to his consulting role, Adam worked as an external security auditor and later served as a chief security officer responsible for securing a diverse technology portfolio. He can be reached at adam@carlsonwolf.com.

Matt Wolf, JD, is a co-founder of Carlson & Wolf LLC, where he serves as a principal consultant. Matt is an attorney and information security professional with 15 years of experience. He advises law firm clients on a variety of information security and privacy matters and routinely teaches seminars on information security for lawyers. Matt can be reached at matt@carlsonwolf.com.