Peer to Peer Magazine

Spring 2018

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/984836


percentage of security incidents can be prevented by patches that fix known vulnerabilities. Consider accelerating your patching schedule for servers and workstations from monthly to weekly. Consider investing in software or a service to help you manage the patching process. WSUS is free, but it doesn't patch Acrobat, Chrome, Java, Flash, and other non-Microsoft software. We have made this a priority after last year's Petya and related ransomware attacks. Robust vulnerability scanning can also help drive the patching process and verify it is working.

Security Awareness Training

Like patching, security awareness mitigates another huge chunk of potential security incidents. If you are like many of us, for years you have put off security training for your users because you thought it was too expensive to contract out and too time consuming to do yourself. There are some decent recorded security awareness training tools available that aren't too expensive, but they are not customized for your firm or even for law firms generally. And I'll bet many people fall asleep to recorded training. Contracting out for customized live training can be pricy.

Security awareness training is a great place to save some security dollars by developing and delivering the training yourself. If you have a relatively small user population and you are willing to set aside a few days to develop your training, this can be a win-win-win. You get effective, customized training delivered by someone your users know and love, you save money by not hiring a third party, and you get much needed face time with everyone else in your organization.

My first step was to create a policy that was backed by our general counsel mandating that everyone must attend training. Then I created a training outline covering just the top five things my users needed to know (public Wi-Fi, phishing, social engineering, email and data transfer, and passwords). I give them actionable information – what to do, what not to do, and what to be aware or suspicious of – supported by real-life stories and examples, not hypotheticals. I sprinkle in a few silly jokes, and people actually enjoy coming to the training! I'll share my outline and presentation with you upon request.

Other Quick Hits

Phishing tests can be done pretty cheaply and easily these days and it is a great way to educate users. See if a tool you are already using has phishing tests built in. If not, KnowBe4 and PhishMe are great options.

Vulnerability scanning is much easier and cheaper than in the past and it goes hand in hand with your patching process. There are even some free scanning tools for external facing sites, such as https://www.ssllabs.com/ssltest.

You may not have the most advanced firewalls in the world, but most modern firewalls have great out-of-the-box protections that you may not be using. Your firewall vendor may offer a free checkup call to identify areas to tighten your defenses. For example, we recently turned on a block of all traffic to and from a list of known problem countries, after first checking with firm management to see if we were doing business there. Why leave ourselves open to North Korean ransom attacks?

Third party audits can be expensive, but the cost can be reduced by working with your vendors. Identify a vendor who wants to get more security work and who might offer a reduced cost assessment to you as a way to build up their security references. Ask for a "light" assessment that covers only the areas where you decide you have the most risk.

Last but certainly not least, use ILTA as a resource. Post and ask questions of your peers. It's a gold mine of information.

FRANK SCHIPANI

Frank Schipani is the Director of IT at Gilbert LLP in Washington, DC and a 20+ year veteran of the legal industry. He's been through the trenches of countless implementation and upgrade projects, from finance systems to colocation facilities and everything in between. He's an active member of the ALA Capital Chapter and helps advise fellow members on technology issues. Contact him at schipanif@gotofirm.com.

CASE STUDIES: Building an Effective Defense on a Limited Budget

Download additional resources and materials from this ILTACON 2017 session: https://www.iltanet.org/viewdocument/building-an-effective-defense-with
