Getting Started with Security

If you read my last post here on Law Technology Today, you know that I caution against an antivirus-only security strategy to combat today’s growing information risks. But for many lawyers, the biggest challenge is not knowing whether they should do more, but rather what they should do to protect themselves and their practice from modern cyber threats. The myriad possibilities for security investment and the lack of clear security guidance for legal professionals (something the ABA and ILTA actively work to address) only add to the confusion.

Given the many options available, as well as the need to get the best return on investment, it becomes all too easy to fall victim to “paralysis-through-analysis.” Conducting an exhaustive evaluation before making any investment may sound like a reasonable approach, but generally, lawyers have little time and energy to spare. It’s simply not practical for an attorney to perform a comprehensive review of all the possible security investment strategies.

Instead, lawyers must decide on a starting point that doesn’t waste effort and that results in substantive protections. Kicking off a thoughtful security program by focusing on a few feasible, meaningful projects can prove key to both short-term and long-term success. Since this kick-off is often the hardest part, here are some of my tips for launching a successful security program:

Take An Iterative Approach

Don’t attempt to lay out the perfect security roadmap from the start. Recognize that many areas of risk may warrant attention and that you simply can’t pursue them all simultaneously. Instead, focus your energy on one or two security objectives or known issues and work to make improvements. A focused effort is more likely to yield real progress that you can then build upon in the future. For example, you could establish a reliable means of sharing information securely with clients, review and test the backup procedures for your critical data (including an actual restore, not just a check that the backup job ran), or improve your firm’s records retention policies, but not all three at once. A successful project, even one modest in scope, will help develop momentum for future security projects.

Don’t Try To Transform The Organization Overnight

I worked at a major west coast university during a time of great fiscal and structural change. Drastic transformation was difficult for a 140-plus-year-old institution rich with culture and replete with respected and influential stakeholders. A common saying on campus at the time held that “culture eats strategy for breakfast,” and law firms can resemble universities in this regard. The best laid plans for the future may founder when they fail to recognize and account for what people are accustomed to.

It is important to pick your battles when getting started with security, or better yet avoid them entirely. While projects like removing administrator privileges from end users or tightening password policies offer very important protections, they may result in backlash if not carefully managed. Beginning with such highly contentious projects can derail a security program before it has the chance to gain traction. Eventually cultural roadblocks will have to be addressed (and the sooner you start those discussions the better), but it is often most feasible to find at least a few initial projects that will not provoke or unduly challenge major stakeholders and colleagues.

Take Advantage of Existing Prioritization Resources

Delineating those first few security projects may still prove a challenge without a strong security background. Fortunately, the need to prioritize security investments is common, and a number of efforts have been advanced to guide individuals designing an information security program. Probably the most recognized resource for such guidance is the SANS Top 20 Critical Security Controls list, compiled by a respected security education and research organization and now maintained by the Center for Internet Security as the CIS Controls. While this list may appear a little overwhelming at first, its authors have tried to make it more accessible in recent years by adding “Quick Wins” and a list of the “First Five” protections that they think organizations should implement. The Australian Signals Directorate released a similar list in recent years, the Strategies to Mitigate Targeted Cyber Intrusions; it contains 35 controls, singles out a “Top 4” (application whitelisting, patching applications, patching operating systems, and restricting administrative privileges), and is generally a little more technically oriented.

Focus On Your Practice

The particular types of information security risks that lawyers face will vary considerably based on practice.  Take a moment to inventory and evaluate the most pressing business risks to your individual practice based on contextual factors like practice area, client requirements or expectations, compliance obligations, and practice size.  Taking a risk-based approach that is tailored to your practice will help you invest in protections that address actual, concrete business requirements.

Leverage Peer Resources

Those in the legal industry benefit from its strong, collaborative peer network. Lawyers often look to one another when evaluating new technologies, as evidenced by the continued success of the ABA TECHSHOW. Why not also ask about security initiatives or ways to secure those same technologies? With the understanding that some peers will have a radically different set of security requirements, other lawyers can nonetheless prove to be an excellent source of information and guidance.

Issues such as secure client communications, data backups, and remote server access remain common across practice areas, and most peers can share anecdotal information. But keep in mind the sound advice you may have heard from your parents: “Just because other lawyers are doing it doesn’t make it a good idea.” Find out why they are doing it and make sure that security was in fact taken into consideration.

Talk With Your IT Resources

Your internal or external IT support resources will almost certainly play a pivotal role in whatever security projects you undertake.  It is important to involve them as early as possible and get their suggestions when developing initial objectives or priorities.  I have been repeatedly surprised when performing security assessments to discover that the internal IT staff were already well aware of many technical issues I was tasked to identify and document.  They simply had not been engaged in the process.

However, while IT may provide some great insight, resist the impulse to make information security an IT problem. In some cases your IT staff may not have had the time or opportunity to gain sufficient security expertise, and they can’t be expected to take on the role of a security officer. IT professionals are not likely to be experts on risks related to your practice area, or in a position to evaluate all the business implications of a given issue or approach. It is not reasonable to ask IT to make prioritization and investment decisions without strong management or lawyer input. At its core, managing risk is a business problem, not just an IT problem, and should be approached that way.

Just Get Started

Managing the information security concerns associated with the practice of law should be viewed as a process involving multiple steps and stakeholders.  Once the decision-making process has been defined for pilot security programs, it can be applied and amplified for future projects and issues.  Answer questions like: “Who needs to be involved in the security discussions?”, “Where will the budget come from?”, and “What will be our greatest limitation (budget, knowledge, time, etc.) and how can we address those challenges?”  Working through these fundamental questions will streamline future efforts and help establish a path forward.  When it comes to security, doing something always beats doing nothing, so resolve to take those first steps and get the ball rolling.


  • http://twitter.com/cerodrigueza Carlos Rodriguez

    I agree Adam. Security is a moving target and you should go for small/quick wins instead of trying to introduce massive change. For firms/practices with an IT department I would start with conducting a security assessment so you know where you are and can prioritize your actions. Solo practitioners should try to understand the capabilities of the systems that they use. In both cases, I assure you that you already have access to systems with very decent security capabilities that may not be in use.

    Good job Adam as always.