Given the sensitivity and importance of the data that flows through a law firm’s IT infrastructure, it’s no wonder that IT Security is a hot topic. Threats to the security of your firm’s data come from a myriad of vectors, both from outside your network and from within.
The stakes are high
If your firm’s data is compromised by a cyber-attack, the effects it can have on the business may be devastating. First of all, your firm’s operations may be virtually shut down as you scramble to contain and mitigate the attack. Every minute your firm’s administrators and attorneys can’t do their normal work costs hundreds, if not thousands of dollars.
Your firm could be held liable if sensitive information is found to have been stolen or even accessed. Litigation is supposed to make money for your firm, not cost you money!
Perhaps the most insidious way that a security breach can affect your firm is damage to your firm’s reputation. Law firms depend upon hard-won reputation to attract and keep clients, and if your firm is perceived to be anything less than completely in control of its information and processes, you will find that a tarnished reputation is difficult to remedy.
A process, not a project
It is important to understand that IT Security is a process that must become a part of your firm’s corporate culture to be successful. Some of the steps are pretty well known (a firewall, or anti-virus software, for example), but these steps will not be effective over time if they are not part of an overall security policy.
It is simply not possible to guarantee your network will never be compromised by an attack from outside or inside the network. The attack vectors are too numerous, and the security measures are always barely a step ahead of those who seek to defeat them. But if you cannot eliminate risk, you can mitigate it, and a well-designed security policy will help to ensure that you are doing all you can, on a continuous basis, to protect your network.
The security policy will establish guidelines for various security settings that the network administrator will control, but it also defines certain behaviors for users on the network. No security policy will work unless every user on the network follows it, and it is perceived to have the blessing of the firm’s top management. If the rank and file employees see that the attorneys ignore the security policy, they will consider it unimportant and ignore it, too.
How to get started
Before you can design or implement a security policy, you will need to establish a baseline, determining the level of security that is reasonable for your organization, and then determine what would have to be done to achieve (and keep) that level of security. Given the importance of network security, and the time, effort and expertise it takes to evaluate your network’s security status, and then design and implement an appropriate security policy, it is wise to outsource some or all of this process. There are IT service firms that do this type of thing routinely and you will benefit from their experience.
Whether you handle this in-house, or outsource part or all of the process of implementing the security policy, keep these guidelines in mind:
- Make sure you have good documentation of your network infrastructure (up-to-date network diagrams) and logs of what maintenance work and improvements you do to it. You cannot hope to control network security if you don’t have a handle on your network to begin with!
- Make sure your security policy is well documented, too, for several reasons:
  - You will want to be able to have proof the policy was implemented
  - You will want to be able to quickly inform new employees of your firm’s policies
  - The documentation will make re-assessment of the policy easier – see the next item
- Make sure that a periodic re-assessment of the policy is part of the security policy. Things change so fast in the IT world – and in the legal profession as well – it is wise to rethink your strategy on a quarterly, or semi-annual basis.
It would be nice if you could just buy a magic cure for network security, but it is just not possible. Networks have become too complex, and there are too many exploitable points of entry. Dealing with network security is just the trade-off for the convenience of being able to access so much data from so many places. There is no turning back now – the digital information age is here to stay, so you owe it to your clients and your practice to ensure you are doing the right things to protect your data and be able to document what you’re doing.
Finding the right help
If your firm already outsources some or part of the support of your technology infrastructure, and you are happy with their services, ask them about designing, implementing and maintaining a security policy for your firm.
If you want to shop around, a web search for IT Security Consulting will yield plenty of results. Browse the results and create a list of IT Security firms that appeal to you and contact them.
Consider these criteria as you evaluate them:
- How fast did they respond to your inquiry? Response time is very important, and any company that does not respond very quickly to an opportunity to do business should be crossed off your list.
- Are they well established? You do not want to enter into a relationship with a provider that is not going to last. Ask how long they have been in business and learn what you can about their management structure.
- Do they seem organized and professional?
- Are they the right size for you? IT Support companies vary wildly in size, from one-person operations to nationwide services. Select a company that you think will have the resources to meet your needs, but also be able to give you the attention you will need.
- Do they have an existing security practice? Ask for references and make sure to call them. Ideally, the company you select should already be supporting law firms similar to yours.
- Ask peers in other law firms who they use for IT Support or IT Security, or check with people in your office who have worked for other law firms to see who they used, and how they liked them.
A little time spent choosing the right provider is a great investment – find a provider who will relieve you or your administrator of the burden of taking care of your IT Security.
The bottom line is, your firm’s success is built on serving your clients’ needs, because they rely on your expertise in matters of law. Your firm’s IT infrastructure, and its data, are tools to help you do just that. Have them cared for, protected, and maintained by experts.
Bruce Campbell is the Vice President of Marketing for Clare Computer Solutions, an IT Support and Consulting firm in Northern California.