the NALS docket July 2011 : Page 7

Given the sensitivity and importance of the data that flows through a law firm’s IT infrastructure, it is no wonder that IT security is a hot topic. Threats to the security of your firm’s data come from myriad vectors, both from outside your network and from within.

The Stakes Are High.

If your firm’s data is compromised by a cyber attack, the effects it can have on the business may be devastating. First of all, your firm’s operations may be virtually shut down as you scramble to contain and mitigate the attack. Every minute your firm’s administrators and attorneys cannot do their normal work costs hundreds, if not thousands, of dollars. Your firm could be held liable if sensitive information is found to have been stolen or even accessed. Litigation is supposed to make money for your firm, not cost you money!

Perhaps the most insidious way that a security breach can affect your firm is damage to your firm’s reputation. Law firms depend on their hard-won reputations to attract and keep clients. If your firm is perceived to be anything less than completely in control of its information and processes, you will find that a tarnished reputation is difficult to remedy.

A Process, Not a Project.

It is important to understand that IT security is a process that must become a part of your firm’s corporate culture to be successful. Some of the steps are pretty well known (a firewall or antivirus software, for example), but these steps will not be effective over time if they are not part of an overall Security Policy.

It is simply impossible to guarantee your network will never be compromised by an attack from outside or inside the network. The attack vectors are too numerous and the security measures are always barely a step ahead of those who seek to defeat them. If you cannot eliminate risk, you can mitigate it. A well-designed Security Policy will help ensure that you are doing all you can, on a continuous basis, to protect your network.
A Security Policy will establish guidelines for various security settings that the network administrator will control, but it also defines certain behaviors for users on the network. No Security Policy will work unless every user on the network follows it and it is perceived to have the blessing of the firm’s top management. If the rank-and-file employees see that the attorneys ignore the Security Policy, they will also consider it unimportant and ignore it.

How to Get Started.

Before you can design or implement a Security Policy, you will need to establish a baseline, determine the level of security that is reasonable for your organization, and then decide what needs to be done to achieve (and keep) that level of security.

Given the importance of network security, the time, effort, and expertise it takes to evaluate your network’s security status, and then design and implement an appropriate Security Policy, it is wise to outsource some or all of this process. There are IT service firms that do this type of thing routinely and you will benefit from their experience.

Whether you handle this in-house or outsource part or all of the process of implementing the Security Policy, keep these guidelines in mind:

1) Make sure you have good documentation of your network infrastructure (up-to-date network diagrams) and logs of what maintenance work and improvements you do to it. You cannot hope to control network security if you do not have a handle on your network to begin with!
