Form a phalanx: Law firm lessons on managing cyber security through talent and culture
Law firms increasingly appreciate the need to build an understanding of security and risk, and that understanding starts with a sharp focus on talent and culture. The first topic the panel discussed at the 5th Annual Law Firm CFO/CIO/COO Forum: Data Privacy, Security & the Globalized Law Firm was protection and prevention methods.
Protection and Prevention
Barry Strauss, COO, Elegrity; Curt Cunningham, CIO, Fragomen; Michael Lewis, CIO, Hogan Lovells; and Ramound Umerley, CDPO, Pitney Bowes, had a very engaging discussion about how firms can best protect their data. In the beginning stages, a firm should prioritize its assets: which documents, emails, IP, databases, software, and services matter most? As new data arrives, the firm should examine the process around it: how is data stored, transmitted, and deleted? Each of these steps needs to be examined carefully. The firm has to be mindful of both structured and unstructured data and, in addition, must understand and follow the national and international compliance rules that apply to this information.
Several of the panelists suggested that every firm should conduct its own network penetration tests. Lewis recommended designing phishing emails to see which employees actually click on the links. He also mentioned reviewing data retention policies: are they industry standard? He further advocated that firms take a baseline network traffic report from all offices. Once that baseline is established, current traffic can be compared against it, so that unusual traffic sets off alerts on anomalies and a possible compromise.
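The baseline-and-compare approach Lewis described, as an added example (not the panel's or any firm's own tooling): it builds a per-office baseline from constructed daily outbound traffic totals and flags days that deviate sharply from that office's own norm. The office names, figures and thresholds are all assumptions.

```python
"""Compare each office's current traffic against its own baseline (added example).

Assumes the firm can export a daily outbound traffic total per office from its
own monitoring; the data below is constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed sample: daily outbound gigabytes per office over a two-week baseline.
BASELINE_GB = {
    "new_york":  [40, 42, 39, 41, 44, 38, 40, 43, 41, 39, 42, 40, 41, 43],
    "london":    [25, 27, 24, 26, 28, 25, 26, 27, 24, 26, 25, 27, 26, 25],
    "hong_kong": [12, 11, 13, 12, 14, 12, 11, 13, 12, 12, 13, 11, 12, 13],
}


def build_baseline(history):
    """Per-office (mean, standard deviation) of daily outbound traffic."""
    return {office: (mean(days), pstdev(days)) for office, days in history.items()}


def find_anomalies(baseline, today, min_sigma=3.0, min_ratio=1.5):
    """Return (office, reason) pairs for offices whose traffic today is unusual.

    An office is flagged when today's total is more than min_sigma standard
    deviations above its mean AND at least min_ratio times the mean. The ratio
    guard stops a very stable office from alerting on a small absolute change.
    Offices with no baseline are reported rather than silently skipped, since an
    unknown office sending traffic is itself worth a look.
    """
    alerts = []
    for office, gb in today.items():
        if office not in baseline:
            alerts.append((office, "no baseline"))
            continue
        mu, sigma = baseline[office]
        z = (gb - mu) / (sigma or 1e-9)  # avoid division by zero on flat history
        if z > min_sigma and gb >= min_ratio * mu:
            alerts.append((office, f"{gb} GB vs mean {mu:.1f} GB (z={z:.1f})"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_GB)
    # Constructed "today": London sends almost four times its usual volume.
    today = {"new_york": 42, "london": 95, "hong_kong": 13, "paris": 8}
    for office, reason in find_anomalies(base, today):
        print(f"ALERT {office}: {reason}")
```

In practice the baseline would be rebuilt on a rolling window and split by traffic type, so that a single exfiltration-sized spike stands out without normal growth raising the threshold.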
Some other protection and prevention methods:
- Use encryption everywhere that you can: email, documents, databases, SAN
- Web application vulnerability testing
- Mobile device management – separate firm data on employees' BYOD devices
- ISO certification and accreditation
Incident Response
Another critical aspect of firm culture is incident response. The panel discussed the need to have a cross-functional team in place before a cyber-attack occurs. This team should draw on many of the following groups: Communications, Human Resources, Business Development, Managing Partners, IT, Audit, and Information Security. A suggestion that struck a chord with the audience was accessibility to your vendors: the ability to contact a vendor at any time of day or night, with the phone number of a real person who is accountable. The panelists emphasized that this should be negotiated and written into the contract. Lastly, once an incident is resolved, conduct a retrospective of the attack and define the lessons learned for the next event.
In an age where law firms are clearly in the sights of cyber criminals, there is a need to act. Law firms are aligning their understanding of security and risks directly with the need for a sharp focus on internal talent and culture. Protection, prevention, and incident response methods are a major component of safeguarding the firm’s assets. The panel closed with their three most important takeaways: prepare technologically, educate your staff, and create clear processes.