In Part 1 of this blog series on law firm security, I discussed how security has traditionally been an uphill battle with lawyers. But with mounting client pressure and an increasing number of security breaches, the mindset and attitude around law firm security are starting to shift.
Law firms, with their deserved reputation as corporations’ “weakest link,” certainly have a lot of catching up to do, but I am happy to report that there are signs that the security winds continue to shift. More and more, when I talk to CIOs, security is a topic that they bring up themselves.
My friends at King & Spalding seem to be the latest to help bring about change, blocking the use of personal email accounts (Gmail, Yahoo, Hotmail and such) in the name of security. That is huge! Conveniences such as this, once thought of as untouchable, are now being looked at logically, with a business and security eye.
If personal email can be blocked, then the world of consumer file sharing, USB devices and other security hazards can be openly and logically explored. Kudos to King & Spalding for being the first to take that step.
Where Do You Start?
It’s fine to have initiatives on perimeter security, on mobile device management and so on. It’s great to toughen up your password complexity and other policies. They are absolutely needed. But if you’re just starting out and your management needs some convincing to invest in the tools, I still go back to my original recommendation – start with education.
Education is the Best Investment
Education, done properly, can be THE most important tool in your security arsenal. Dollar for dollar, it may very well be the best security investment you can make. Many vaunted and expensive security precautions can be instantly nullified by a careless or an uneducated user.
The educated user knows why they aren’t allowed to use DropBox for confidential client files and can figure out that they probably shouldn’t use SugarSync or any one of a hundred other, similar consumer file sharing tools either.
The educated user knows that the firm’s IT department would never ask for their logon credentials and is not likely to fall victim to that Bank of America phishing scam.
And yes, the educated user knows that there is no Mr. Adir Marajo of the Federal Republic of Nigeria who needs their help with transferring a large sum of money. User awareness, an alertness to something that just doesn’t sound right, can be all the break you need.
The LTN/American Lawyer Law Firm Chief Information & Technology Officers Forum earlier this year put it well, “Security needs to stop being considered a business impediment and start being viewed as a sound business decision.”
Good security is a sound business decision. Partner convenience should not always trump security. The winds of change are here. Will you join the movement or just end up as one of the statistics?