There has been a lot of press lately about hackers targeting the legal industry. We put together a list of the top seven security tips for law firms to help manage security risk.
- Develop Information Security Policies. You can't enforce rules if there isn't a rule book. Document how employees are expected to behave with their access to, and use of, your data assets. Be sure that your policies address the services and technology your attorneys are likely to use, including mobile devices, cloud computing and social media. Be sure, however, that any policy you implement is actually being followed. Remember: a documented policy that goes unfollowed is worse than not having one in the first place, because it creates an expectation (for clients, auditors and regulators) that the firm is demonstrably not meeting.
- Encrypt As Much As Possible. Keep confidential information private by encrypting data at rest (laptops, phones, backups, file shares) and in transit (email, remote access, web applications). Sensitive email should always be encrypted, and any connection into the office from outside should go over a VPN. If a laptop with confidential data is lost or stolen but has an encrypted hard drive, the loss may fall under the "safe harbor" that most breach notification laws provide for encrypted data, meaning your firm may not have to go through the embarrassment and expense of breach notification. That protection only holds if the encryption key (or the password that unlocks it) was not lost along with the device, so enforce pre-boot authentication and do not let users keep passwords taped to the lid.
- Manage Mobile Devices. iPhones, iPads and other mobile devices are not going away. But they can be secured. Implement a mobile device management (MDM) solution to enforce passcode and device-encryption policies (see the first tip), and to perform a remote wipe on a lost or stolen device.
- Use Multi-Factor Authentication (MFA). MFA requires at least two of: something you know (a password), something you have (a token or phone) and something you are (a fingerprint). A password alone can be phished, guessed, or reused from another site's breach; with MFA, the attacker also needs the second factor, so the barrier gets much higher. The cost of implementation has declined significantly, and there are more options available for out-of-band authentication…and most of your attorneys will think it's cool!
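To make the "something you have" factor concrete, here is an added example (not code from the original article) of how a time-based one-time password (TOTP, RFC 6238) token is generated and checked, using only the Python standard library. The enrollment secret and the "now" timestamps are constructed for the example; the secret `12345678901234567890` is the RFC 6238 test-vector key, which is what the expected codes below are based on.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch.
def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(at_time) // step, digits)

# Server-side check. Returns the counter that matched (so the caller can refuse
# a replayed code) or None. A window of +/-1 step tolerates clock drift between
# the phone and the server; the constant-time compare avoids leaking digits.
def verify_totp(secret: bytes, code: str, at_time: int, last_used_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate <= last_used_counter:
            continue  # replay protection: a counter may only be accepted once
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None

# Enrollment: a fresh 160-bit secret, base32-encoded the way authenticator apps expect.
def provision_secret() -> tuple[bytes, str]:
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode("ascii")

if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test key.
    key = b"12345678901234567890"
    print("code at t=59:", totp(key, 59))
    print("verify same code 30s later:", verify_totp(key, totp(key, 59), 89))
    print("replay rejected:", verify_totp(key, totp(key, 59), 89, last_used_counter=1))
```

The `last_used_counter` argument is the piece most home-grown implementations forget: without it, a code phished or shoulder-surfed in the last 30 seconds is still good, which is exactly the window a real-time phishing proxy uses.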
- Conduct Security Training. Most attorneys hate to be told what they can and cannot do. But they tend to be very good at managing risk. Conduct security training that explains, through examples, how security can be compromised and what steps to take to protect themselves as well as the firm. If you have a particularly demanding audience, consider combining training with a social engineering exercise (e.g. a simulated phishing campaign). It's amazing the attention you get when you can show how many people in the firm clicked on a bogus email.
- Perform a Security Assessment. If this hasn't been done within the past 12 months, engage someone to discover vulnerabilities, including missing patches and updates. Be sure to look at the perimeter devices (firewall, VPN, website) as well as the assets on your internal network, including virtualized servers. Make sure the assessment includes a review of your configuration settings, not just automated vulnerability scans; a fully patched firewall with an "any/any" rule is still an open door.
- Prepare to Respond to Client Requests. Your clients' expectations of your security program are high, especially in regulated industries (financial, healthcare, government), and under the HIPAA Omnibus Rule business associates of covered entities (including law firms) are directly liable for compliance with certain HIPAA Privacy and Security Rule requirements. Firms should be proactive in responding to client requests by documenting security controls, policies and third-party security audit results. This will give your prospects and clients confidence and will help your firm win (and retain) more business.
We have found that every firm is at a different level of preparedness. Hopefully, this list of security tips for law firms gives ideas to prioritize initiatives. If you have already addressed all seven, you are ahead of the majority of your peers. Keep up the momentum through the continuous evolution of your security program.