the NALS docket July 2011 : Page 6
By Bruce Campbell, Clare Computer Solutions
IT Security For Law Firms
Given the sensitivity and importance of the data that flows through a law firm’s IT infrastructure, it is no wonder that IT security is a hot topic. Threats to the security of your firm’s data come from myriad vectors, both from outside your network and from within.

The Stakes Are High.

If your firm’s data is compromised by a cyber attack, the effects it can have on the business may be devastating. First of all, your firm’s operations may be virtually shut down as you scramble to contain and mitigate the attack. Every minute your firm’s administrators and attorneys cannot do their normal work costs hundreds, if not thousands, of dollars.

Your firm could be held liable if sensitive information is found to have been stolen or even accessed. Litigation is supposed to make money for your firm, not cost you money!

Perhaps the most insidious way that a security breach can affect your firm is damage to your firm’s reputation. Law firms depend on their hard-won reputations to attract and keep clients. If your firm is perceived to be anything less than completely in control of its information and processes, you will find that a tarnished reputation is difficult to remedy.

A Process, Not a Project.

It is important to understand that IT security is a process that must become a part of your firm’s corporate culture to be successful. Some of the steps are pretty well known (a firewall or antivirus software, for example), but these steps will not be effective over time if they are not part of an overall Security Policy.

It is simply impossible to guarantee your network will never be compromised by an attack from outside or inside the network. The attack vectors are too numerous and the security measures are always barely a step ahead of those who seek to defeat them. If you cannot eliminate risk, you can mitigate it. A well-designed Security Policy will help ensure that you are doing all you can, on a continuous basis, to protect your network.

A Security Policy will establish guidelines for various security settings that the network administrator will control, but it also defines certain behaviors for users on the network. No Security Policy will work unless every user on the network follows it and it is perceived to have the blessing of the firm’s top management. If the rank-and-file employees see that the attorneys ignore the Security Policy, they will also consider it unimportant and ignore it.

How to Get Started.

Before you can design or implement a Security Policy, you will need to establish a baseline, determine the level of security that is reasonable for your organization, and then decide what needs to be done to achieve (and keep) that level of security.

Given the importance of network security, the time, effort, and expertise it takes to evaluate your network’s security status, and then design and implement an appropriate Security Policy, it is wise to outsource some or all of this process. There are IT service firms that do this type of thing routinely and you will benefit from their experience.

Whether you handle this in-house or outsource part or all of the process of implementing the Security Policy, keep these guidelines in mind:

1) Make sure you have good documentation of your network infrastructure (up-to-date network diagrams) and logs of what maintenance work and improvements you do to it. You cannot hope to control network security if you do not have a handle on your network to begin with!

2) Make sure your Security Policy is well documented for several reasons:

a. You will want to be able to have proof the Security Policy was implemented;

b. You will want to be able to quickly inform new employees of your firm’s Security Policy; and

c. The documentation will make reassessment of the policy easier (see the next item).

3) Make sure that a periodic reassessment of the policy is part of the Security Policy. Things change so fast in the IT world—and in the legal profession as well. It is wise to rethink your strategy on a quarterly or semiannual basis.

It would be nice if you could just buy a magic cure for network security, but it is just not possible. Networks have become too complex and there are too many exploitable points of entry. Dealing with network security is just the trade-off for the convenience of being able to access so much data from so many places. There is no turning back now—the digital information age is here to stay. You owe it to your clients and your practice to ensure you are doing the right things to protect your and their data and to be able to document what you are doing to secure their confidential information.

Finding the Right Help.

If your firm already outsources some or part of the support of your technology infrastructure and you are happy with their services, ask them about designing, implementing, and maintaining a Security Policy for your firm.

If you want to shop around, a web search for IT security consulting will yield plenty of results. Browse the results and create a list of IT security firms that appeal to you and contact them. Consider these criteria as you evaluate them:

• How fast did they respond to your inquiry? Response time is very important, and any company that does not respond very quickly to an opportunity to do business should be crossed off your list.

• Are they well established? You do not want to enter into a relationship with a provider that is not going to last. Ask how long they have been in business and learn what you can about their management structure. Do they seem organized and professional?

• Are they the right size for you? IT support companies vary wildly in size, from one-man operations to companies that offer nationwide or worldwide services. Select a company that you think will have the resources to meet your needs but will also be able to give you the attention you want.

• Do they have an existing security practice? Ask for references and make sure to call those references. Ideally, the company you select should already be supporting law firms similar to yours.

• Ask peers in other law firms who they use for IT support or IT security, or check with people in your office who have worked for other law firms to see who they used and how they liked them.

A little time spent choosing the right provider is a great investment. Find a provider who will relieve you or your administrator of the burden of taking care of your IT security.

The bottom line is your firm’s success is built on serving your clients’ needs because they rely on your expertise in matters of law. Your firm’s IT infrastructure and data are tools to help you do just that. Have them cared for, protected, and maintained by experts.