Law firms are starting to see clients auditing their security practices, controls and technology. Many clients that are concerned about data security audit their law firm’s information technology services and infrastructure. Some firms struggle to comply with client expectations. Client audits vary from a couple of pages to detailed service contracts. Clients are starting to realize that their weakest security link just may be their law firm.
Here are the six items that law firms need to be concerned with:
1. Two Factor Authentication
As law firms use mobile devices and remote access with increasing frequency, two-factor authentication (2FA) has become mandatory. Some clients require controls that ensure two factors of authentication are employed. With two factors of authentication in place and all Active Directory accounts restricted accordingly, the law firm immediately experiences a dramatic increase in security.
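What "two factors" means at the login itself, as an added example that is not code from the original article: a password (something the user knows) checked alongside a time-based one-time password from an authenticator device (something the user has), implemented with the Python standard library following RFC 4226/6238. The user record, salt and password are constructed demo values; the TOTP secret is the RFC 6238 test-vector key, not a real credential.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with SHA-1, as used by common authenticator apps."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step plus/minus `window` steps to tolerate clock drift."""
    counter = unix_time // step
    ok = False
    for drift in range(-window, window + 1):
        # constant-time comparison; every candidate is evaluated so timing does not reveal which step matched
        if hmac.compare_digest(hotp(secret, counter + drift, digits), submitted):
            ok = True
    return ok


# --- constructed demo account: salt, password and secret are sample values, not real credentials ---
SALT = b"constructed-demo-salt"


def hash_password(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


USERS = {
    "jdoe": {
        "password_hash": hash_password("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector key, used here as a constructed secret
    }
}


def login(username: str, password: str, otp: str, unix_time: int = None) -> bool:
    """Both factors must pass: the password (knowledge) and the TOTP code (possession of the device)."""
    if unix_time is None:
        unix_time = int(time.time())
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(user["password_hash"], hash_password(password))
    otp_ok = verify_totp(user["totp_secret"], otp, unix_time)
    return password_ok and otp_ok      # both are always evaluated; no early return on a bad password


if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["jdoe"]["totp_secret"], now)
    print("password only:", login("jdoe", "correct horse battery staple", "000000", now))
    print("password + OTP:", login("jdoe", "correct horse battery staple", code, now))
```

The one-step drift window is the usual trade-off between usability and replay exposure; a production deployment would additionally record the last accepted counter per user so that a code cannot be reused within its window.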
2. Encryption
Operating systems and file systems on on-premises servers commonly do not encrypt data by default. Best practice has recently extended the same protection long applied to data in transit, using Secure Sockets Layer (SSL), to encrypting data at rest as well.
3. Data Loss Prevention
Data Loss Prevention (DLP) controls eliminate the risk associated with data being accidentally or deliberately disclosed, typically via email or removable media. With cell phones and USB thumb drives commonplace, systems must be employed to deliberately monitor outbound email activity and to lock down user access to USB ports and keys, remote or external hard disks and other removable media.
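The outbound-email side of that monitoring, as an added example that is not code from the original article: a small DLP check that flags messages leaving the firm's domain when they carry an SSN pattern, a Luhn-valid payment card number, a privilege marker, or a bulk-export attachment. The firm domain, the policy markers and the five sample messages are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

FIRM_DOMAIN = "example-law.test"                       # hypothetical firm domain (constructed)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")      # 13-16 digits with optional spaces/dashes
MARKERS = ("privileged & confidential", "attorney-client privileged")
RISKY_EXT = (".pst", ".zip", ".7z")                    # mailbox exports and archives


@dataclass
class Message:
    msg_id: str
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def luhn_ok(number: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs (order numbers, phone numbers)."""
    digits = [int(d) for d in number if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def external_recipients(msg: Message) -> list:
    return [r for r in msg.recipients if not r.lower().endswith("@" + FIRM_DOMAIN)]


def scan_message(msg: Message) -> list:
    """Return the policy violations for one outbound message; an empty list means the message may go."""
    external = external_recipients(msg)
    if not external:
        return []                                      # internal mail is out of scope for this policy
    text = msg.subject + "\n" + msg.body
    findings = []
    if SSN_RE.search(text):
        findings.append("SSN pattern sent to " + ", ".join(external))
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append("payment card number (Luhn-valid) sent externally")
            break
    lowered = text.lower()
    if any(marker in lowered for marker in MARKERS):
        findings.append("privilege marker present in external mail")
    for name in msg.attachments:
        if name.lower().endswith(RISKY_EXT):
            findings.append("bulk-export attachment " + name + " sent externally")
    return findings


def scan_outbound(messages) -> dict:
    """Map message id -> findings for every message that violates policy."""
    results = {}
    for msg in messages:
        findings = scan_message(msg)
        if findings:
            results[msg.msg_id] = findings
    return results


# constructed sample traffic; addresses and numbers are demo values
SAMPLE_MAIL = [
    Message("m1", "jdoe@example-law.test", ["opposing@other-firm.test"],
            "Discovery responses", "Client SSN 123-45-6789 per your request."),
    Message("m2", "jdoe@example-law.test", ["partner@example-law.test"],
            "Internal memo", "Client SSN 123-45-6789, keep on file."),
    Message("m3", "asmith@example-law.test", ["reporter@news.test"],
            "FYI", "PRIVILEGED & CONFIDENTIAL draft attached", ["matter.zip"]),
    Message("m4", "asmith@example-law.test", ["client@acme.test"],
            "Invoice", "Card on file 4111 1111 1111 1111 will be charged."),
    Message("m5", "asmith@example-law.test", ["client@acme.test"],
            "Lunch", "Meet at noon?"),
]

if __name__ == "__main__":
    for msg_id, findings in scan_outbound(SAMPLE_MAIL).items():
        print(msg_id, "->", "; ".join(findings))
```

In practice this logic sits in the mail gateway's content filter and quarantines or encrypts the message rather than merely reporting it; the Luhn check is what keeps the card rule from firing on every 16-digit matter or invoice number.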
4. Vulnerability Scans
Technology environments are constantly changing. The processes involved in adding and removing hardware and applications require law firm networks to adapt constantly, and new security vulnerabilities continually arise. Ongoing, recurring vulnerability scans, and even ethical hacks performed by third-party specialists, to discover open ports, exposed applications and potential threats before they become a problem are critical.
5. Backup & Disaster Recovery
Backup and disaster recovery processes are required to protect law firms from data loss. Without them, a natural or man-made disaster could cause a law firm to lose client information. Cloud data storage helps prevent the loss of data that could result from relying solely upon on-premises backups. It can also speed recovery from security breaches by allowing instant remote access to replicated applications and data.
6. Security Awareness Training
With humans as the weakest link, key security procedures may be forgotten or bypassed, and change controls misunderstood; either has the potential to lead to a security breach. Law firm staff should be trained in the firm's security practices and in what is expected of them when protecting firm and client data from unauthorized disclosure.
Clients that deal with medical information, for example, demand that law firms employ appropriate security practices to protect their HIPAA data, confidentiality and relationship. Without the appropriate controls, these clients will simply move on to another law firm that provides the data security they require.