“Law firms represent easy targets because they typically have clients’ sensitive trade secrets and proprietary information, and that information is usually less protected at law firms. For example, law firms store client information on a single network that is often far less secure than those of the corporate clients they represent. Lawyers often use passwords that are easily cracked. Lawyers are more likely to click on malware-infected phishing email links. And lawyers review sensitive information at unsecured Wi-Fi hotspots…law firms are one-stop shops for hackers.”
Most law firms, unless they’re uniquely large, don’t have an internal IT department capable of monitoring all traffic, mitigating intrusions, reverse engineering malicious code, and executing remediation processes to restore all data and regular operations. For that reason, and because of the sensitive nature of most of their data, law firms are of great interest to hackers. The most important thing for lawyers to understand is that when it comes to data security, attorneys are not the experts, and that’s perfectly okay!
The American Bar Association (ABA) conducted a survey of 90,000 attorneys in private practice, and found that “one in four law firms with at least 100 attorneys have experienced a breach due to a hacker, website attack, break-in, or lost or stolen computer or smartphone…and 15% of all firms, overall, have experienced a breach.”
According to this survey, nearly half of all firms are not prepared for security breaches.
- Almost 47% said their firms had no response plan in place in case of a security breach.
- Approximately 25% said they didn’t know whether or not their firms had a response plan.
- Slightly over 25% said their firms had an incident response plan.
Not surprisingly, the survey showed that larger firms, those with 500 or more attorneys, were much more likely to have a plan in place for security breaches.
It’s unfortunate that legal technology is not higher on more legal professionals’ priority lists; lawyers at small and medium-sized firms in particular were shown to undervalue technology in their practices.
What are some of the benefits of outsourcing IT consulting services?
There are a wide range of services and price points for IT services, and since every business has different needs and budgets, it’s important to choose a firm that can be flexible, and will tailor a unique framework based on the company’s goals.
Proactive monitoring with onsite and remote support
Proactive monitoring, particularly from IT companies that provide 24/7/365 oversight, is especially beneficial to companies with sensitive data. Hackers aren’t necessarily going to attack during regular 9 to 5 hours, so access to onsite and remote support from experts who know what to do during an attack could save a business from losing a great deal of important data.
Backup and disaster recovery
Redundant backup of your information (on local and offsite encrypted servers) is a vital element of keeping your data safe. If a hacker manages to find a way to access your data, they can delete it, steal it, or encrypt it for ransom, among other things. Without backups, in some cases there is simply no way to recover those assets, which in turn can cost your organization a lot of money. In fact, most companies (93%) that experience a breach such as this and don’t have redundant backups end up bankrupt within one year; and according to the National Archives & Records Administration in Washington, 50% of those businesses file for bankruptcy immediately.
Network, application, and systems optimization
Purchasing the right equipment is only part of the equation; network design and integration is equally important. The right IT company will architect an existing network in a way that reduces cost and increases efficiency through best-practice methodologies. When your network, systems, and machines are streamlined for maximum performance, your employees can better focus on making money and spend less time troubleshooting your company’s technology.
If you haven’t noticed, this is the golden age of malware. With our increasing reliance on the internet to run our daily activities, from work, shopping, traveling, dating, eating, working out, and everything in between, every mobile device, laptop, smart car, and wearable is susceptible to hackers. Whichever IT company you choose, it’s important to know the extent of their internal and external threat intelligence. Do they wait for a breach to happen before taking action? Or are they prepared to proactively fight off malware, rootkits, spam emails, viruses, and botnets? Do they review firewall and router logs, implement VPN technology for remote users, or architect a DMZ on the network? It’s important to be sure.
Your security policy should include plans for the following elements of IT security, in order to reduce the likelihood of an attack:
Schedule a regular network scanning routine.
Simply put, regular scanning routines for the company’s network should be scheduled and implemented. This keeps your network one step ahead of the game. Scan critical assets, check for vulnerabilities, maintain regular reports, and plan for remediation processes where they’re needed. This is one of the most basic, yet important steps towards data security.
Plan how and when patch management will be handled.
A security patch is code that fixes known, existing vulnerabilities, usually released shortly after the software itself. It’s essentially a security update designed to fix security or functionality problems before the next upgrade is released. Patches can be seen as an inconvenience, because occasionally they briefly disrupt workflow; however, they’re essential and should be required. Patch management should be included in the corporate security policy, including how, when, and by whom it will be implemented.
Define and execute plans for network services governance.
Remote working is becoming more commonplace, but that doesn’t exempt these workers from the need to maintain company security. Every corporate data security policy should outline expectations and definitions involving routers, switches, IP addresses, and network intrusions. An “acceptable use policy” should be written under this section as well.
Assign, review, and update accounts regularly.
The configuration of servers, operating systems, accounts, passwords, firewalls, and antivirus policies should all be clearly defined to employees, at whatever level is appropriate to their workstation.
It’s important to keep track of who has access to which accounts, and when. A common source of major security issues is an employee who quits or is laid off but whose access to accounts is never transferred or revoked. A disgruntled employee can do a lot of damage. Policies regarding all IT assets should be implemented and monitored, keeping in mind each individual’s role, which accounts they need to access, and who is responsible for revoking that access when the time comes.
These policies should also be reviewed and updated at least twice a year, particularly when there are major upgrades or changes to the network, which may affect the way policies are implemented.
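As an added illustration of the account review described above (not code from the original article), the following Python script reconciles a constructed HR roster against a constructed account inventory: it flags accounts whose owner has left or is unknown to HR, accounts that have gone dormant, and whether the semi-annual review itself is overdue. All names, systems and dates are hypothetical sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (hypothetical firm): HR roster and account inventory.
EMPLOYEES = {
    "amiller": {"role": "associate", "active": True},
    "jchen": {"role": "paralegal", "active": True},
    "rpatel": {"role": "associate", "active": False},  # left the firm
}

# (account, system, HR owner, last login, person responsible for revocation)
ACCOUNTS = [
    ("amiller", "document-management", "amiller", date(2024, 5, 30), "it-helpdesk"),
    ("jchen", "billing", "jchen", date(2024, 1, 2), "it-helpdesk"),
    ("rpatel", "document-management", "rpatel", date(2024, 3, 14), "it-helpdesk"),
    ("vpn-contractor", "vpn", "", date(2023, 11, 1), ""),  # nobody owns this one
]


@dataclass
class Finding:
    account: str
    system: str
    issue: str
    action_owner: str  # who must revoke or justify the account


def review_accounts(accounts, employees, today, dormant_days=90):
    """Return one Finding per policy violation found in the inventory."""
    findings = []
    for name, system, owner, last_login, revoker in accounts:
        who = revoker or "UNASSIGNED"  # a missing revoker is itself a gap
        emp = employees.get(owner)
        if emp is None:
            findings.append(Finding(name, system, "no owner on HR roster", who))
        elif not emp["active"]:
            findings.append(Finding(name, system, "owner no longer employed", who))
        if (today - last_login).days > dormant_days:
            findings.append(Finding(name, system, f"dormant > {dormant_days} days", who))
    return findings


def review_overdue(last_review, today, max_days=182):
    """The article's cadence is at least twice a year, i.e. every ~182 days."""
    return (today - last_review).days > max_days


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, EMPLOYEES, date(2024, 6, 1)):
        print(f"{f.system}/{f.account}: {f.issue} -> {f.action_owner}")
```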
Maintain accountability through disclosure and clearly defined expectations.
A security policy is only as good as the people involved. Handing a 100-page security policy to your employees tends to be an ineffective motivator. Exclaiming that “there needs to be accountability” doesn’t work either. Real training and disclosure of consequences will get results, respect, and more accountability from your employees.
Additionally, the consequences should fit the offense. Not all employees are IT specialists, and they shouldn’t be held accountable for that level of know-how. It’s important to spell out expectations in advance, beginning with constructive criticism and following through on consequences once expectations can reasonably be assumed to be understood.
Strategize for security breaches.
In the unfortunate event of a security breach, there needs to be a plan. Evaluation, reporting, documentation, and future prevention should all be considered.