Top InfoSec Tips For Law Firms…
There is a quiet revolution taking place in the legal industry, and it is gathering serious momentum. Suddenly the legal sector has to operate as a fully-fledged commercial entity; as a result, the technology, processes and regulatory requirements are increasing, and lawyers do not necessarily have the time or the in-house skills to harness the benefits and opportunities the new era presents.
With the above in mind, here are some of the key areas a forward-thinking firm should embrace as it scales to capitalise on the benefits and opportunities the 21st century presents.
Gone are the days when IT managers and ‘techies’ kept their ‘cards’ close to their chest, treated the company’s IT infrastructure as if it were theirs… and were powerful and always in control.
With the evolution of cloud services, virtual desktops, smart devices and the changing needs of users, IT managers are slowly watching their control and native powers being diluted. All is not lost, however, because the company will always need the knowledge of an internal expert at hand. On the whole, though, these roles are being transferred to account managers within hosting companies, and whoever was the IT manager in a company now sees their role become that of a middleman, a transition manager or a consultant, or they move on to other things outside the legal sector.
Within the infrastructure, security at most “smart companies” is relatively good. For the duration of these IT managers’ tenure, things were secure up to a point, and at that point hacking, insider threat and data loss were not major challenges; perhaps the biggest challenge at the time was the huge disconnect between IT and other parts of the business over what could and could not be bought (hardware, software, fancy gadgets) to propel the business.
Cloud security and the term cloud computing have become the industry buzzwords nowadays, but not many people really understand the concept or its implications for their business. While it is presented as very economical, often not enough planning and thought goes into the transition; as a result the true opportunities are not realised, and the move adds new risks on top of those that were never known or identified while the firm was on the traditional computing model.
Three key areas for law firms to consider when thinking of transitioning from the traditional technology services model are:
- Know your current risk profile and measure it against the perceived unknowns and a fit-for-purpose solution
- Know who holds your data and systems, what is held, where (within the EU or outside the EU…) and how
- Know the laws and compliance requirements of the country
- Perform regular or on-going audits of your systems
Application Security – Case Management System
Application security is becoming more and more of a concern to organisations because of the capabilities of, and the ‘unknown’ freemium culture around, applications that are uncontrolled and not necessarily proprietary. Often the security within applications is substandard and does not meet a minimum security standard, and where there is security it is usually a bolt-on solution rather than security built into the SDLC.
Compliance – LEXCEL – ISO22301 – ISO27001 etc.
Never before have compliance, best practice and international standards played such a huge role in the way organisations manage their data and IT. Over the past 6-10 years, the increased reliance on companies to comply with standards (competent laws, the Bribery Act, DPA, HIPAA, SOX, PCI-DSS, ISO27001 etc.) and to demonstrate accountability has become big business as well as a challenge – practically, financially and strategically.
With globalisation and the ease with which a small company can compete with a huge multinational, the boundaries of compliance and transparency widen, and various accreditations and compliance requirements come into the fray where privacy and security are concerned.
Many law firms operate globally, and as they cross borders each jurisdiction adds to the compliance stack they need to address if they plan on expanding and dealing with their ideal multinational clients. Some of the international compliance requirements applicable in some of the top developed countries are as follows:
- UK – DPA, Bribery Act, FOI, ISO27001, acquisition law, competition law etc.
- Switzerland – ASIA – US
For any successful expansion into the above regions, your firm will need to address these requirements and be able to tick the boxes that demonstrate your compliance and show that you deserve a place at the international table.
Bring Your Own Device – The Smart-device Explosion
Statistics – ……..
‘Boyd oh boyd’: the headaches and challenges this phenomenon brought into the organisation under the guise of productivity and flexibility, without being fit for purpose. When smart devices hit the workplace, CEOs and high-flying executives were the main adopters, but they never really understood the implications for security and compliance, or whether the devices could actually be integrated into the existing IT infrastructure. This created the added challenge of entertaining a ‘bolt-on’ workaround approach so that CEOs and those with influence could continue to enjoy the status quo of having these devices.
Secure File Sharing – Document Management Security
Time and time again you see lawyers with huge suitcases and lever arch folders making their way swiftly to court, struggling with highly confidential files and client details. Have you ever imagined for a moment what would happen if they were mugged by the accused/defendant’s ruthless accomplice, or left it all on the train? The market for online sharing and collaboration is growing at a rate the industry has never seen before, and as it does there is a great need for more security and protection of the many sensitive files that ‘float’ across the wires every second, with file sizes larger than ever before thanks to superfast broadband and connection speeds.
Everything is going online nowadays, and only the firm that is forward thinking and serious about growth, profitability and client care will succeed; secure online collaboration and the use of these facilities will no doubt enhance the position and strategies of forward-thinking firms. In some courts nowadays, solicitors simply turn up and all their casework is already at the courthouse, ready before they arrive. These new approaches to file transfer and the use of technology are becoming more and more prevalent, and awareness of such services and the value they add to the firm and the client is enormous, but a strategic decision needs to be made not only on the secure file transfer approach but also on the secure storage and indexing of scanned documents. These must be kept secure (encrypted), with fit-for-purpose security and compliance controls to mitigate the risk of data leakage.
Big data has become a buzzword over the past 2+ years… but who generates more data than a law firm, and by extension more HIGHLY confidential data?
Among the many points for law firms to consider are:
- Secure data sharing facilities
- Data archiving and document management security solution
- Data retention policy and access control
- And finally, last but definitely not least, the security of the enormous amount of data generated and stored by law firms.
It is sad to say, however, that some law firms are still on the fence about transitioning to a robust data and IT platform, which nowadays is a key strategic factor in supporting firms’ growth, strategy and ROI.
Removable Media Security
(pen drives/memory sticks, iPods, CDs)
Proactively Challenge Your Security
Vulnerability scanning / pen testing
On-going training and awareness of employees
eLearning, workshops etc.