Cybersecurity

A new year is upon us, and as the calendar flips over, many people take time to assess where they are and where they want to be in the coming year. The same exercise can be a useful one for law firms, particularly in the areas of technology and security.

As we head into 2019, law firm IT professionals should take the time to define the firm's goals in the next year and determine how the firm can set itself up for success and security in the IT realm. In order to best prepare for the new year, your focus should be on making sure that your systems are secure and up to date, your data is backed up, and your users know how to spot potential security threats.


Is Your Data Secure?

While that may sound like a simple enough question, there are many policies and procedures that go into securing data in a law firm IT environment. As the new year begins, it's time to make sure that all of your policies and systems are up to date. Now is the perfect time to review and update or add any necessary systems and policies to ensure your data is secure.

While IT environments vary from firm to firm, there are some things that all law firms should be reviewing now in order to set themselves up for success in the coming year.

Security Training: All employees should be required to complete annual user security awareness training. Even if such requirements are in place, it's important to make sure that they are actually met. Review your training records—whoever hasn't taken the training in the past year should be first in line to take it this year. All employees should be scheduled to retake the training at some point over the year. After all, your first line of defense against threats is your users, their ability to think critically and to spot phishing and malware threats before they become problems.

Network Policies: Your users may be your first line of defense, but they can also be a weakness if they're opening your system to threats, even unintentionally. To help curb that possibility, you should review your network policies, update them as necessary, and make sure that your users fully understand them.

Passwords: Passwords are the most direct means of accessing data, and therefore they should be changed regularly to ensure that only those who should have access actually do. Administrative, user, and service account passwords should be changed system-wide for the new year. Going forward, they should be changed on a regular basis. If you don't already have a password-change policy, you should implement one in the new year, ideally requiring that passwords be changed every 90 days and be made up of a complex mix of character types.

Wireless: The same notion goes for your wireless network. If your network has a shared password, consider changing it for the new year and resetting it on a regular basis going forward.

Administrative Accounts: In addition to changing passwords, you need to make sure that your administrative accounts are active and that only necessary accounts are enabled. On the flip side, be sure that only active users and employees have access to your systems. An HR review of user accounts can easily identify valid and active employees, which is useful, because IT departments are not always informed of personnel changes.

Upgrades: Software and systems need to be regularly upgraded in order to remain protected from the latest security threats and to take advantage of available functionality. If your systems and software are not up to date, schedule an upgrade now. Going forward, you should consider implementing a schedule for software upgrades, ideally every month or as critical patches become available.

Equipment Review: Just like your software, you want your hardware to be up to date. As the new year begins, do a review of your physical equipment to create a current inventory of what you have. Once you have that, you can discard equipment that is old or unused, and make better decisions about your infrastructure needs going forward.

Backup Systems: Adequately backing up your data is crucial to security. You may have backup systems or disaster recovery plans in place, but when is the last time you checked to see if they actually work? The new year is the perfect opportunity to do an audit to ensure that your systems and critical data are, in fact, backed up and can be recovered if necessary. The best time to test the business continuity and disaster recovery plan you have in place is before you actually need it and before your clients ask for it.

Anti-Virus Measures: Many firms rely on software to help keep out intruders and stop malicious attacks. Going into the new year, review the various anti-virus solutions, firewall systems, and host intrusion prevention systems that you have in place to make sure that they are not just up to date, but performing the tasks you need to meet your security objectives.

Mobile Devices: When it comes to law firm IT, few areas have changed as drastically in the last decade as the expanded use of mobile devices. Chances are, your users are using lots of them, and have probably changed the mobile devices they use in the past year. Run a review of the mobile devices that have connected to your system, and delete or purge those that have not connected in a while. Mobile device management starts with active monitoring of exactly which devices are being used to access your systems and data.

Physical Security: While law firm IT departments typically devote most of their time to security systems and the firm's virtual presence, it's important not to forget your physical environment. The new year is a good time to test things like your smoke alarms, UPS (uninterruptible power supply) units, and security cameras.

In an organization as complex and with as many moving parts as a law firm, there are countless factors that go into securing data. By starting with the measures outlined above, law firm IT departments can ensure that they are in a good position going into 2019 to accomplish their security goals for the coming year.

If your firm's IT department institutes the right changes and upgrades now, you'll look back on 2019 as a success as it relates to data security.


Eli Nussbaum is a managing director at Keno Kozie Associates. He joined the firm in 1998 as part of its Y2K audit team. Eli then became a full-time engineer and has held every position within the department. During his tenure with Keno Kozie, he has focused on physical, virtual and cloud infrastructure design and implementation for both client and desktop environments.