A recent Legaltech News story titled “3 New Responsibilities Legal IT Departments Face Because of Cyber Threats,” shares the strategies that IT professionals should now incorporate into their overall technology management plan in order to keep sensitive data protected. Those strategies include:
Firms must integrate cybersecurity functions with IT disaster recovery functions: The article, written by Jeff Ton, argues that breaches by cybercriminals need to be elevated to the status of “disasters,” and handled with the same protocols that a firm might use, for example, during an extreme weather event that knocks out access to and security of firm documents. Firms are encouraged to partner with disaster recovery vendors that can manage threats instantaneously. And speaking of vendors…
Firms’ IT teams are now responsible for vendor management: Because any relationship that the firm maintains with an outside vendor also puts the firm’s data at risk, IT teams must be involved in assuring that all vendors also maintain state-of-the-art cybersecurity systems and protocols. (Keep this one in mind for later in the article when I’ll discuss why potential clients expect their law firms to be secure. What’s good for the gander…)
To truly secure technology, firms must address generational gaps: By this, the article means both generational gaps in technology as well as in the people who manage the tech. Old tech managed by IT professionals who aren’t interested in learning new systems every single day will quickly pose a security threat to the firm. Legacy in-house technologies definitely need to be upgraded to protect the firm. However, that doesn’t mean “old” IT professionals also need to clear their desks for the young whippersnappers. In fact, Ton writes that the seasoned professionals are probably the only people who can help new IT teammates understand the true impact of a breach on the firm. It’s got to be a team effort and everyone’s experience should be appreciated.
I agree with Ton’s perspective. But to those efforts, I would add a fourth role that IT professionals should embrace: partnering with training experts who can enhance security awareness firm-wide.
Training is Critical to Law Firm Security
Everything that Ton wrote is focused on keeping a firm’s technologies secure in order to protect firm and client information. But what about all the people in the firm who could easily open the front door, or maybe the side door, to cybercriminals while the IT pros’ backs are turned?
Phishing campaigns are increasingly a favorite technique employed by hackers who want to infiltrate a law firm’s system. Why? Because humans are gullible and trusting. One click on a malicious link and suddenly the entire firm goes dark. Last year, headlines about ransomware attacks on law firms abounded. Now, it appears that the criminals want more than a quick hit of cash from a ransom payout; they want passwords – employee passwords, vendor passwords, client passwords.
So, back to my original point (or #4 in our list):
4. IT professionals need to think of law firm trainers as a critical piece of their security efforts.
A robust security awareness training program turns your firm’s staff and attorneys into the first line of defense against cyber criminals. In fact, without their awareness and involvement, I’d argue that you’ve left a giant hole in your security perimeter.
Your Clients Expect and Deserve Security
Finally, I’d like to revisit #2 in Ton’s list: “Firm’s IT teams are now responsible for vendor management.” The implication here is that a firm should not partner with vendors who may put their clients’ sensitive data at risk. Therefore, any vendor that a firm partners with should be screened for its own IT security protocols. Why would a firm put so much effort into its own security systems and then partner with a vendor who may expose everything anyway?
This is exactly what your clients are going to expect of you! Increasingly, prospective clients are demanding – sometimes even as part of their RFP process – that firms give evidence of their security efforts, including awareness training programs to prevent email phishing hacks. Why would a client sign up with a firm that may have the brightest legal eagles in town but whose employees click on every “coupon” that hits their in-box? That firm is a sieve and no client wants that risk.
If you have any questions about this article or need help picking a security awareness training program, contact me today. Jay@SavvyTraining.com, 303-800-4568