Peer to Peer Magazine

Spring 2018

The quarterly publication of the International Legal Technology Association

Protecting Your Law Firm: Two Experts Discuss Website and Data Security

ASK THE EXPERT

What drives law firms' motivation to keep their sites secure?

Zachary: Data breaches make headlines and destroy companies' reputations. The Panama Papers' leak of 11 million documents – including confidential financials – led many law firms' clients to reconsider how effectively firms are protecting their sensitive data. Many corporations now require service providers to ensure their service providers are also secure. For example, banks routinely give their law firms a security questionnaire and require that the firms certify the security of their vendors. Additionally, law firms can seek further security certification. ISO 27001 is a global certification from the International Organization for Standardization that covers information security management. While earning this accreditation cannot guarantee a breach will never occur, it provides clients assurance that their vendor is up-to-date on security measures.

Michael: A website is often the first place an attacker begins looking for information to exploit, so it is important to keep it secure. When Dickinson Wright began to receive security questionnaire requests from clients, we decided to pursue ISO 27001 certification to assure our clients that we protect their data. Clients expect a certain level of security and if a law firm cannot deliver, it may lose trust, then business.

What digital security issues remain top-of-mind for law firms, and how do you address them?

Zachary: Many companies wonder how to instill a culture of security into the business. Security should be a shared responsibility at law firms, not just the focus of IT. Companies should continuously train employees to identify and report suspicious activity. Dickinson Wright, for example, executes its own creative phishing scams, which challenge employees to detect a "malicious" email.

Besides working to block inbound trouble, firms should review their content management systems (CMS) and restrict access to only those who must have it. For example, companies can implement a process to recognize any departing employees and quickly remove them from the CMS.

Michael: Data protection is the most important aspect of security, but not all data are created equal. Data should be sorted into four tiers: confidential data, internal firm data, user data and public data. Information security management systems classify the data. Depending on the classification, law firms can apply different levels of security to the dataset. For example, everyone can access public data, but only a certain level of employees can access other data. Additionally, many threats originate from socially engineered phishing scams. While implementing technology is important, employee training is essential to block many cyberattacks. After the Equifax breach, for example, I sent a phishing email that requested employees enter their credentials to ensure they were unaffected. This test helped them understand the need to exhibit caution when they were asked for their information.

What advice do you provide your employees on digital security?

Michael: All law firms should train employees on how to keep data secure and never take any knowledge for granted. At Dickinson Wright, we provide seminars for new and veteran employees. As part of our ISO certification, we conduct annual security meetings and quarterly phishing tests.

Zachary: Beyond phishing scams, law firms should provide advice on creating secure passwords:
» Include multiple, unrelated words (e.g., BlueCatRollerCoaster!).
» Avoid reusing the same password for various accounts.
» Consider a password manager app.

How will law firms' investment in digital security change?

Michael: Investment in digital security will keep increasing. As long as law firms hold important client data, bad guys will keep trying to steal it.

Zachary: Target's 2013 data breach served as a wake-up call for many companies. Even though Target had many security measures in place, hackers were able to exploit a vulnerability that granted them access to the login credentials of its HVAC vendor. After breaching the network of this vendor, they were eventually able to make their way into Target's network, accessing millions of credit card transactions. When the breach made headlines, it became clear how imperative it is to ensure vendors are held to the same security standards as the company.

MICHAEL KOLB
Mike Kolb brings more than 26 years of information technology and management experience, and has served as Chief Information & Security Officer at Dickinson Wright for nearly 20 years. Mike also serves as Chief Executive Officer of Information Navigators, a subsidiary of Dickinson Wright. He has provided executive leadership through a vast number of audits, especially in compliance and banking, and holds particular expertise in HIPAA, PCI and ISO 27001. Mike earned an MBA from Penn State University and a Bachelor of Science degree from Central Michigan University, as well as various security and compliance-related certifications. Contact Mike at

ZACHARY PEER
As Director of Technology, Zach Peer leads the managed hosting team at One North. He establishes and maintains the appropriate policies, procedures and controls for One North's hosted offerings and works to ensure the availability, security and performance of the hosting environment. Zach also provides technical leadership and support for internal systems and initiatives, ensuring the seamless introduction of new technologies. Prior to One North, Zach worked as a Senior Manager for Accenture. He holds a B.S. in Mechanical Engineering from the University of Illinois Urbana-Champaign. Contact Zach at