Good data protection practices in the legal industry should be one of the cornerstones of any law firm. Why? Because if you haven't already experienced a cybersecurity breach of some sort (which is common: 80 of the 100 biggest law firms have been hacked since 2011, and the count keeps rising), you're probably thinking about the potential of a hack 24/7. Questions you should ask yourself:
- Is my firm prepared for a cyber-attack?
- Has my firm already experienced a cyber-attack?
- If yes, how did my existing data protection practices recover after the attack?
- What are my current data protection practices?
- Is my current protection effective?
- Does my firm have a comprehensive cybersecurity strategy in place?
If you answered no, maybe, or something unclear and vague, your law firm could probably stand to evaluate the data protection practices already in place. In fact, even if you answered yes to those questions, you should still evaluate the data protection practices currently active at your law firm, because your firm's security is only as good as its defenses. And in the fast-changing world of technology, you always need to re-strategize your method of defense.
There are a lot of things a law firm can do to ensure its existing protection is working for it, but here are a few simple steps to get anyone started who is looking to increase quality control:
Identify & Evaluate Your Basic Security Practices
What are your basic security practices already in place? Do you have some form of malware protection installed? Explore your company’s processes for how it blocks potential security threats and how it tackles information security such as patch management, virus protection, firewall configuration, and web and email gateway monitoring for starters. Ensure everything is up-to-date and current for the highest level of protection, and go over what is working, what isn’t working, and what should be improved, removed, or left alone.
Identify & Review Your Information Security Policy
Every self-respecting law firm should have an information security policy that lists current practices, protocols, and employee guidelines for handling sensitive company information. (If you don't, you should make one ASAP.) An information security policy should typically cover all channels through which data travels, such as email, voicemail, text messages, Internet, PCs, workstations, laptops, mobile phones/devices, software, passwords, remote access, and cloud computing, among many other things. How a firm collects, transmits, maintains, and stores data, in both electronic and hard-copy form, should be covered in the information security policy. Reviewing your firm's policies on data and how it's sent and received is a must for any law firm.
Review Where the Most Important Data is Being Stored
While an information security policy is great for covering large ground and general data information, you should always assess how the major and most important data, like a firm’s client data, is being handled. Who is currently handling that data? Where is it being stored? Some firms prefer to keep their client data on premises and in their own personal systems, but unless you moonlight as an IT professional, it’s almost always smarter to leave data protection in the hands of professionals.
If your firm is not doing that already, review where the important data is being stored, and figure out if using IT professionals to protect your data is right for you. Offsite servers are typically encrypted, protected, and have a team of people behind them working specifically to protect your most sensitive information. Under professional care, onsite servers can also have the same benefits.
Determine the Type of Email Service Your Firm Uses
A secure email account is practically the foundation of any good existing data protection practice. When evaluating your current practices, make sure you are using an email account that’s safe and secure. So many law firms can overlook this because of how pervasive and accessible email has become, but it is precisely for those reasons that it should be one of the most monitored forms of communication.
Avoid free services like Gmail and Yahoo (who willingly admit to mining personal information from email content) and instead make sure that the email service you are using encrypts client correspondence. If it doesn’t, be prepared to switch email accounts and start looking into services that provide layers of protection.
Other Things to Look Out For
Other things you should always be on the lookout for when assessing your current data protection practices are who has access to what data, how you assess vendor security, how strong your incident response plan is, and whether or not you implement two-factor authentication. And while no list of tips could possibly cover the entire range of things to review, this one is a great starting point.
ZBRELLA Technology Consulting specializes in security for the legal industry. We know your software and case management systems and are trained to protect your most sensitive company data. Please call 800.750.4296 for your security assessment today.