Evolve Into an Information Secure Law Firm

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: New Hampshire Bar News
May 15, 2019

Part 3 of a special three-part series on cybersecurity

(Part 1, Part 2)

Becoming information secure is an evolution. Law firms achieve success only over time, with concentrated effort and commitment, via the following process.

  1. Conduct a risk assessment.
  2. Remediate vulnerabilities. 
  3. Implement a policy. 
  4. Train the workforce. 
  5. Engrain security in operations.

The prior article addressed the team needed for this process. With the leadership of an experienced information security lawyer and an outside IT security consultant, that team will shepherd the firm through this evolution, and the firm’s business and IT managers will become its long-term information security leaders.

Risk Assessment
The risk assessment involves employee interviews, a facilities inspection, technology diagnostics, and a privileged report.

The interviews and inspection are critical and illuminating parts of the assessment. The most important group to interview is the firm’s in-house IT staff and (if appropriate) outside IT vendors. That meeting yields information vital to assessing the security status and vulnerabilities of the firm’s technology infrastructure, including its network, laptops and desktops, mobile devices used by employees, email, electronic record retention system, and cloud providers.

The next most important meeting is with the individuals responsible for the firm’s business operations, revealing critical information about the electronic and hard copy systems for functions like time entry, billing, conflicts, client file management, financial accounting, and human resources. Interviews are also conducted with select lawyers, paralegals, and secretaries, to identify for each practice area the information created and collected, how it is accessed and used, the applications and cloud providers involved, and the unique activities of each practice.

Finally, a comprehensive facilities inspection identifies the risks inherent in external access to the building, internal physical controls within the office, and security related to hard copy files.

The interviews and inspection help firm leaders recognize and appreciate significant and systemic risks. While each firm is unique, some of the more common vulnerabilities are as follows:

  • Lack of encryption and firm management of laptops and mobile devices.
  • No multi-factor (dual) authentication for access to firm networks and email.
  • Permitting employees to access the firm’s network from outside the firewall without using a secure virtual private network (VPN).
  • Lack of email encryption and other means for secure information and file transfer.
  • No dual authorization for certain financial transactions.
  • Lack of advanced malware, ransomware (crypto-locker), and threat detection and prevention.
  • Inadequate or no workforce training and technology safeguards against common cyber-threats, like phishing, spear phishing, and social engineering.
  • Lack of an electronic client file retention application, and inadequate or no access controls and logging for activities within client files.
  • Plethora of hard copy documents and files on desks and in offices, conference rooms, storage rooms, file cabinets, archives, and off-site storage that are not adequately secured.
  • Inadequate or no monitored security for some points of entry (e.g., windows), internal spaces (e.g., motion detection), and areas with highly sensitive information and equipment (e.g., server and network rooms).

Technology diagnostics are used in conjunction with the interviews and facilities inspection to reveal additional, more hidden weaknesses. While diagnostics can be implemented to identify a wide variety of risks, some common uses are to find gaps and weaknesses in the firm’s firewall and external-facing IT infrastructure, as well as vulnerabilities within the firm’s network and computers, such as unsupported and unpatched applications and operating systems. Diagnostics also can identify specific passwords that are weak, or already compromised and circulating in breach data on the dark web. Results from the diagnostics are granular, providing the firm with a detailed, line-item accounting of specific issues to address during remediation.
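The compromised-password diagnostic mentioned above is usually run against a public breach corpus using a range (k-anonymity) query, so that no password or full hash ever leaves the firm. The following is an added illustration written for this article, not code from the author or any vendor. It implements the range-query technique in Python: only the first five hex characters of the password’s SHA-1 hash are sent, the corpus returns every hash suffix sharing that prefix, and the match is made locally. The live fetcher targets the Have I Been Pwned endpoint, but the demonstration runs offline against a constructed response (the counts in it are made up) so it can be exercised without network access.

```python
"""Breach-corpus password check using a k-anonymity range query.

Added example for this article (not the author's or any vendor's code).
Technique: hash the password with SHA-1, send only the 5-character hex
prefix, receive all suffixes with that prefix, and match the remaining
35 characters locally. The corpus never learns the password or its hash.
"""
import hashlib
import urllib.request
from typing import Callable, Dict

# Real HIBP Pwned Passwords range endpoint; only used by fetch_range_live().
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the corpus indexes by SHA-1)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF/blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not found).

    fetch_range(prefix) must return the raw range body for a 5-hex-char prefix.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Live fetcher (assumes outbound HTTPS; the service expects a User-Agent)."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "firm-password-audit"},  # hypothetical agent name
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# ---- Constructed offline data (made up counts; not real corpus output) ----
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8  -> prefix 5BAA6
# SHA-1("abc")      = A9993E364706816ABA3E25717850C26C9CD0D89D  -> prefix A9993
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "0A1B2C3D4E5F60718293A4B5C6D7E8F9012:7\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"   # suffix of "password"
        "FEDCBA9876543210FEDCBA9876543210FED:1\r\n"
    ),
    "A9993": (
        "0123456789ABCDEF0123456789ABCDEF012:3\r\n"       # does not match "abc"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for fetch_range_live using the constructed data above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def audit(passwords: Dict[str, str], fetch_range: Callable[[str], str]) -> Dict[str, int]:
    """Map an account label to its breach count; labels, not passwords, are reported."""
    return {label: pwned_count(pw, fetch_range) for label, pw in passwords.items()}


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    sample = {"reception": "password", "scanner": "abc"}
    for label, hits in audit(sample, fetch_range_offline).items():
        status = f"COMPROMISED ({hits} breach occurrences)" if hits else "not in corpus"
        print(f"{label}: {status}")
```

Swap `fetch_range_offline` for `fetch_range_live` to run the same audit against the real corpus; the report lists account labels and counts only, which is what a diagnostic should hand to remediation without exposing the passwords themselves.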

The assessment concludes with a privileged report that compiles the identified risks. One benefit of working with experienced outside professionals is that they can consolidate the multitude of risks into a manageable list categorized by severity and difficulty of remediation, and they can suggest specific solutions using available and affordable applications suited to the firm’s particular IT infrastructure, business operations, and culture. Another benefit is that the report should be understandable, without legalese or technobabble, so that it is a usable document.

Remediation
Whereas the risk assessment can be concluded in a few weeks, remediation can take years, particularly for a firm just starting the process. Some measures are relatively easy and inexpensive, and can be accomplished quickly, such as laptop and email encryption, and certain forms of multi-factor (dual) authentication. Other measures take longer to implement, commonly because they involve costs that need to be budgeted, integration with network infrastructure, changes to established business processes, or cultural change.

Similarly, because managing information security with cloud providers and vendors requires due diligence and an information security agreement, and because third parties often resist those activities until it is time to sign a new services agreement, completing that process often takes years. Graduated progress is acceptable, as long as the firm remediates serious risks expeditiously, implements available safeguards promptly, and otherwise pursues remediation with reasoned determination.

Information Security Policy
An information security policy is the memorialization of the firm’s practices, for purposes of legal compliance and sound business operations. The policy both describes the measures the firm currently employs and prescribes the techniques the firm expects to adopt or will investigate. Clients are increasingly asking about a law firm’s information security, and this policy is a document the firm can provide to help answer those questions. Also, like other business policies, this one outlines the responsibilities that certain employees have and establishes the internal rules that all employees must follow with respect to information security, providing a basis for workforce training.

Workforce Training
It is axiomatic that employees are any organization’s biggest risk. Technology does not cause information to be lost or stolen; people do. However, employees also can become a firm’s best security guards. Converting a workforce from a risk into an asset requires effective ongoing training to raise awareness about the sensitivity of the information handled by the firm and the techniques the firm has for handling it securely, as well as actively engaging employees to help design and implement measures that make the firm both more efficient and more secure.

While initial comprehensive general training typically occurs after the firm implements its information security policy, concise periodic training should occur three to four times per year, focusing on topics that educate employees about threats (e.g., phishing), security topics of personal interest (e.g., personal security for employees and their families), and new security techniques that the firm is implementing. One of the best measures of whether an organization is information secure is whether its workforce is a proactive agent for security.

Engrain Security
A year or two after completing the first risk assessment, a firm should conduct an abbreviated re-assessment, evaluating the issues that remain outstanding from the initial report, identifying new risks that may have arisen from recent cyber-threats or changes to the technology infrastructure or business operations of the firm, and reviewing security measures that may have become available since the prior assessment.

As the firm continues over the years to address these issues, the process should evolve from an activity that occurs episodically into an activity that IT and business leaders manage routinely as a part of their jobs. This process has no finish line; it is an evolution through which a firm integrates sound information security practices into business operations.