Published in the New Hampshire Bar News (5/15/2019)
Part 3 of a special three-part series on cybersecurity
Becoming information secure is an evolution. Law firms achieve success only over time, with concentrated effort and commitment, via the following process.
- Conduct a risk assessment.
- Remediate vulnerabilities.
- Implement a policy.
- Train the workforce.
- Engrain security in operations.
The prior article addressed the team needed for this process. With the leadership of an experienced information security lawyer and outside lT security consultant, that team will shepherd the firm through this evolution, and the firm's business and IT managers will become its long-term information security leaders.
The risk assessment involves employee interviews, a facilities inspection, technology diagnostics, and a privileged report.
The interviews and inspection are critical and illuminating parts of the assessment. The most important group to interview is the firm's in-house IT staff and (if appropriate) outside IT vendors. That meeting yields infromation vital to assess the security status and vulnerabilities of the firm's technology infrastructure, including its network, laptops and desktops, mobile devices used by employees, email, electronic record retention system, and cloud providers.
The next most important meeting is with the individuals responsible for the firm's business operations, revealing critical information about the electronic and hard copy systems for functions like time entry, billing, conflicts, client file management, financial accounting, and human resources. Interviews also are conducted with select lawyers, paralegals, and secretaries, to identify for each practice area the information created and collected, how it is accessed and used, applications and cloud providers involved, and unique activities of each practice.
Finally, a comprehensive facilities inspection identifies the risks inherent in external access to the building, internal physical controls within the office, and security related to hard copy files.
The interviews and inspection are enlightening for firm leaders to recognize and gain an appreciation for significant and systemic risks. While each firm is unique, some of the more common vulnerabilities are as follows:
- Lack of encryption and firm management of laptops and mobile devices.
- No dual authentication for access to firm networks and email.
- Permitting employees to access the firm's network from outside the firewall without using a secure virtual private network (VPN).
- Lack of email encryption and other means for secure information and file transfer.
- No dual authorization for certain financial transactions.
- Lack of advanced malware, crypto lock, and threat detection and prevention.
- Inadequate or no workforce training and technology safeguards against common cyber-threats, like phishing, spear phishing, and social engineering.
- Lack of an electronic client file retention application, and inadequate or no access controls and logging for activities within client files.
- Plethora of hard copy documents and files on desks and in offices, conference rooms, storage rooms, file cabinets, archives, and off-site storage that are not adequately secure. Inadequate or no monitored security for some points of entry (e.g., windows), internal spaces (e.g., motion detection), and areas with highly sensitive information and equipment (e.g., server and network rooms).
Technology diagnostics are used in conjunction with the interviews and facilities inspection to reveal additional, more hidden weaknesses. While diagnostics can be implemented to identify a wide variety of risks, some common uses are to find gaps and weaknesses in the firm's firewall and external-facing IT infrastructure, as well as vulnerabilities within the firm's network and computers, such as unsupported and unpatched applications and operating systems. Diagnostics also can identify specific passwords that are weak, or already compromised and available on the dark web. Results from the diagnostics are granular, providing the firm with a detailed, line-item accounting of certain issues to address during remediation.
The assessment concludes with a privileged report that compiles the identified risks. One benefit of working with experienced outside professionals is that they can consolidate the multitudes of risks into a manageable list categorized based on severity and difficulty of remediation, and they can suggest specific solutions using available and affordable applications suited to the firm's particular IT infrastructure, business operations, and culture. Another benefit is that the report should be understandable, without legalese or technobabble, so that it is a usable document.
Whereas the risk assessment can be concluded in a few weeks, remediation can take years, particularly for a firm just starting the process. Some measures are relatively easy and inexpensive, and can be accomplished quickly, such as laptop and email encryption, and certain dual authentication. Other measures take longer to implement, commonly because they involve costs that need to be budgeted, integration with network infrastructure, changes to established business processes, or cultural change.
Similarly, because managing information security with cloud providers and vendors requires due diligence and an information security agreement, and because third parties often resist those activities until it is time to sign a new services agreement, completing that process often takes years. Graduated progress is acceptable, as long as the firm remediates serious risks expeditiously, implements available safeguards promptly, and otheiwise pursues remediation with reasoned determination.
An information security policy is the memorialization of the firm's practices, for purposes of legal compliance and sound business operations. The policy both describes the measures the firm currently employs, as well as prescribes the techniques the firm expects to adopt or will investigate. Clients are increasingly asking about a law firm's information security, and this policy is a document the firm can provide to help answer those questions. Also, like other business policies, this one outlines the responsibilities that certain employees have and establishes the internal rules that all employees must follow with respect to information security, providing a basis for workforce training.
It is axiomatic that employees are any organization's biggest risk. Technology does not cause information to be lost or stolen, people do. However, employees also can become a firm's best security guards. Converting a workforce from a risk into an asset requires effective ongoing training to raise awareness about the sensitivity of the information handled by the firm and the techniques that the firm has to do so securely, as well as actively engaging employees to help design and implement measures that make the firm both more efficient and more secure.
While initial comprehensive general training typically occurs after the firm implements its information security policy, concise periodic training should occur three to four times per year, focusing on topics to educate employees about threats (e.g., phishing), interesting security topics (e.g., personal security for employees and their families), and new security techniques that the firm is implementing. One of the best measures of whether an organization is information secure is whether its workforce is a proactive agent for security.
A year or two after completing the first risk assessment, a firm should conduct an abbreviated re-assessment, evaluating the issues that remain outstanding from the initial report, identifying new risks that may have arisen from recent cyber-threats or changes to the technology infrastructure or business operations of the firm, and reviewing security measures that may have become available since the prior assessment.
As the firm continues over the years to address these issues, the process should evolve from an activity that occurs episodically into an activity that IT and business leaders manage routinely as a part of their jobs. This process has no finish line - it is an evolution through which a firm integrates sound information security practices into business operations.
Cameron G. Shilling is a director at McLane Middleton, where he founded and chairs the firm's information Privacy and Security Group. Find our more at www.mclane.com. Cam can be reached directly at 603-628-1351 or [email protected].