Lawyers can’t pretend that their data isn’t being targeted by hackers and other threats anymore. There are just too many high-profile horror stories, from the leak of the Panama Papers to the ransomware attack on DLA Piper. The threat is real, and clients know it.
Naturally, your law firm has a security system in place to protect from these kinds of threats. However, are you sure it is the right kind of system? Does it protect all the firm’s data across every device that attorneys and staff use? When you weigh the balance of convenience and compliance, are you making the right calculations?
To keep your firm and client data as safe as possible, you need to make sure that you have the right type of security. Many law firms may think that consumer-grade security systems such as the ones made for individuals or families are sufficient. The types of systems that are robust enough to protect your home computer from viruses, however, almost certainly won’t be enough to safeguard your law firm, all your attorneys, and all their devices against targeted attacks by sophisticated bad actors. To provide the highest levels of protection, you need an enterprise-level security system.
There are several key differences between these two types of security.
Consumer-level systems are off-the-shelf solutions primarily used by individuals or small businesses. They are created to be easy to use and offer few options for customization.
Enterprise-level systems represent a more sophisticated approach. They are designed to protect larger organizations with more critical security needs. What they offer includes a vastly expanded toolkit, additional features and the support of experienced professionals.
To understand why consumer-level systems are probably inadequate for your law firm and enterprise-level ones are better options, you need to know what each type of system was designed for, what features each includes and how they can help accomplish your goals.
Reactive vs. Proactive
Among the critical differences between the two systems is the way they identify and react to threats. Consumer-level systems use a reactive approach. They generally do a decent job of protecting workstations from being infected with viruses or other malware that attack through websites. It’s a defensive force that guards against attacks that are already underway against your firm. Imagine a castle under siege. If the occupants rely only on the castle walls to protect them, they will most likely lose the battle.
If your firm is using a consumer solution, it will ward off some kinds of threats, but it could miss others. These types of systems might also not be updated frequently, which leaves your attorneys and staff vulnerable to new and emerging viruses.
On the other hand, enterprise-level security works proactively. It can protect firms from website attacks just like consumer-level security systems do, but instead of simply guarding the door, enterprise-level security actively patrols the entire perimeter, exterminating threats and nullifying opportunities for potential threats before they can strike. To return to the siege example, this time the occupants combine the power of the walls with arrow volleys, tar, scouts and more. The idea is to have multiple ways to nullify the danger before it reaches your walls.
Enterprise-level security protects your firm through the range of systems and services it uses. For example, consumer security offers one brand of solution for antivirus protection, while security that operates on an enterprise level uses multiple solutions to identify and combat threats. Enterprise security will also be updated more frequently and employ multiple solutions to scan for and prevent threats.
The two types of systems also require different levels of maintenance and different levels of expertise to manage. Since cybersecurity threats are constantly evolving, solutions must be updated continuously to thoroughly protect the firm.
Consumer-grade security doesn’t come with cybersecurity professionals dedicated to the firm’s specific account who actively manage current and potential threats. If your firm is handling security in-house and on a consumer level, an attorney or staff member must always pay attention to the latest threats, as well as ensure that hardware and solutions remain updated. This takes professionals away from practicing law and supporting the law firm’s profitability.
On the other hand, enterprise-level security systems come with cybersecurity professionals who will constantly monitor and evaluate the performance of the solution. These professionals spend every day fine-tuning systems and continually testing, remediating and adapting to protect users from the latest threats.
The two systems also differ in their reporting capabilities. While consumer-grade security provides regular reports on suspicious activity, enterprise security professionals regularly review security logs and file and folder access to spot threats. This type of monitoring can identify a spike in the firm’s bandwidth and determine if any malicious activity is causing it. Without dedicated cybersecurity professionals, your attorneys may only notice slower internet connections or other seemingly minor hiccups while malware proliferates behind the scenes. By the time a consumer-level security system identifies the threat, it may be too late to prevent serious damage.
The different types of security systems also offer different functionality. With enterprise security, your firm will receive additional features and capabilities, including multiple layers of security.
Consumer security is a slimmed-down version of this approach, and it is tailored for those who might not have any type of security background. Since many consumer-grade security systems are designed with simplicity as a consideration, they may offer fewer features for protection. This could include some options such as multifactor authentication, but not others like intrusion detection systems.
As an example, consider firewalls. Consumer-grade and small business-oriented firewall systems don’t require a great deal of management since they are designed to be easy to use. So, their firewalls may be rudimentary. Since enterprise security systems run more sophisticated versions of firewalls managed by cybersecurity professionals, they can provide more benefits.
Enterprise-level security can also apply more aggressive system configurations, making it more reliable at blocking suspicious emails, websites and more.
The two types of systems also affect compliance considerations in divergent ways. This is important, because clients are increasingly demanding insight into how their law firms safeguard critical, confidential information. Much of this scrutiny has been driven by compliance concerns. When it came to security, law firms used to be able to weigh convenience against compliance. Yet the drive for convenience can no longer take precedence over compliance. If your law firm hasn’t already, it will need to increase its focus on security measures to meet your clients’ needs.
While clients across industries are focused on compliance, the consequences for failing to comply with regulations and industry standards can be much more serious for some types of businesses. For example, any organization that handles medical information must conform to HIPAA and its stringent focus on protected health information (PHI). HIPAA’s associated regulations strictly define how PHI is stored, transferred and managed. Law firms must also comply with strict guidelines around this type of client information.
Guidelines are also in effect for many financial services companies, and these clients are increasingly requesting that their legal providers outline their security measures. This means that your law firm must be prepared to respond to security and IT questionnaires that cover areas such as the physical security of your servers, processes, security protection and more.
Making the shift from convenience to compliance often requires a change in behaviors and attitudes. For example, your attorneys and staff must resist the urge to quickly log in to email through an unsecured internet connection at a local coffee shop, instead of taking the time to go through the proper systems.
The shift may require new software and processes as well. With an enterprise-level security system, particularly one from a provider that hosts your environment, it’s much easier for providers to demonstrate compliance with these heightened measures. With consumer-grade security, it would be difficult to replicate the same level of compliance.
Your firm is run like a professional organization, and your attorneys are top-notch. A consumer-grade security system won’t necessarily do an optimal job keeping your data safe, your systems running smoothly, and your lawyers focused on their jobs and not threats. With an enterprise-level system, you can do all that, while demonstrating your commitment to clients and doing everything possible to ensure that the firm won’t be making the news as the victim of the next law firm data breach.