Historically self-reliant in terms of their technology decisions, many law firms have been taken by surprise – their clients are suddenly auditing their security policies, protocols and questioning the tech tools that they use.
Though this interest comes as a shock to some, it shouldn’t. No law firm should assume that its IT and infrastructure are immune to scrutiny, yet this is one of many areas in which some firms struggle to meet their clients’ expectations.
Security audits can range from a one-sheet questionnaire to several pages in length, depending on the complexity of your infrastructure. The audit will take a detailed look at your configurations and architecture, run penetration testing to discover any weaknesses, and also examine your onboarding procedures, and much more.
Here is a roundup of areas that you should pay attention to now, before a client’s request lands the task on your desk:
If you are running an on-site server, it is common for your file systems and operating systems to have been set up without encrypting your data. Though most law firms use Secure Sockets Layer (SSL) encryption for data in transit, encrypting data at rest is a relatively new concept for many. The client’s concern is that unauthorized people could gain access to their data, and they need to be assured that it is well encrypted on your network under all circumstances.
With the increasing prevalence of remote network access as well as the widespread use of mobile devices like smartphones and tablets, two-factor authentication (also known as 2FA) is now mandatory. Your clients may stipulate that any remote access should have adequate controls in place to make sure that two-factor authentication is applied.
The problem here is that most law firms, and especially lawyers, are resistant to anything they perceive as limiting, complicated, or adding time to a process, but it’s time to let that go. With 2FA implemented, and restrictions applied to all Active Directory accounts, your firm instantly gains a substantial improvement in security.
Data Loss Prevention
Also known as DLP, data loss prevention is the process by which your data is protected from being disclosed, damaged or destroyed through email, removable drives or other media. Outgoing email must be monitored, as must access to drive ports, USB keys, remote disks and other removable media. These supplementary protections should give your clients the reassurance that their data is protected on your local network, and that their confidential information is safe from any leakage, whether accidental or intentional.
Your technology is bound to change and evolve. You will no doubt need to add or remove computer hardware and software, and new employees and procedures will force you to be agile. Security threats will continue to evolve, necessitating an ongoing protocol that should include regular vulnerability checks. It is also a good idea to consider hiring a third-party consultant to perform an ethical hack (a penetration test) every once in a while, just to determine whether your network has any potential weak spots. Being able to anticipate these issues is critical, because once an issue becomes a problem, it’s hard to come back from it.
Disaster Recovery Plans and Backups
A Disaster Recovery Plan (DRP) and backup protocol are essential to protect your firm from any potential loss of data. If you don’t have one, you are leaving your firm susceptible to any number of threats, both natural, such as power failures, floods, fire or earthquakes, and man-made, such as deliberate, accidental or malicious destruction of systems or data. If any of these incidents were to happen, you could potentially lose all of your client files. Storing your data in the cloud prevents this type of loss and facilitates your backup protocol. It can also help you recover more quickly from any type of loss, including security breaches, by giving you ready access to your data and applications.
Security Awareness Training
Even with the best possible policies and procedures in place, it’s always important to remember that we are human, and so are susceptible to human error, whether by mistake or through a deliberate disregard for the systems you have in place. Procedures can be bypassed or left by the wayside, directions can be misunderstood, or tasks can slip through the cracks completely. These oversights have the potential to cause a security breach. Your employees, including partners who may be resistant, need to be adequately trained, and these protocols regularly reinforced and updated to ensure your clients’ security expectations are being met.
Your clients are becoming more and more selective. You could say, they have been ‘consumerized’. Not only do they demand the best legal advice, they require the firms they work with to have adequate security systems in place in order to protect their data. With every possible security tool available and within reach, there is absolutely no reason that your firm should not pass a security audit based on any one of these issues. Be proactive: put the proper controls and processes in place, educate, and reevaluate frequently. Consider what clients normally ask when they conduct their own IT and security audit, and you’ll be ready to answer the hard questions when they come.