Law firms have a wide range of IT challenges to manage, but the challenge now viewed as the number-one priority is data security.
The recently released 2015 ILTA InsideLegal Technology Purchasing Survey reported that, for the first time in eight years, email management was not named the biggest challenge facing legal IT departments – it was replaced this year by security management.
The survey also found that law firm spending reflects this emerging priority: 38 percent of firms spent more money on security or a security assessment in the past 12 months, up from 27 percent in 2014.
To help identify a few key best practices for law firms, the September 30th meeting of the NewLaw 2020 working group – an invitation-only peer group consisting of professionals in the legal and technology industries – tackled “Advanced and Emerging Technology in Legal Security.”
During the discussion, five key cybersecurity best practices emerged for law firms:
1. Build an internal Information Governance team
Participants agreed that this is a costly investment – “these people are very expensive and very hard to find,” commented one speaker – but will likely pay for itself many times over. For law firms that are large enough to allocate the budget, plan on spending $750,000 to $1 million in overhead to recruit and hire the right people.
2. Establish a consistent data retention policy
One of the things your new Information Governance team should do right away – or your existing IT team, if appropriate – is to establish and enforce a data retention policy that does not waver. Participants noted that failure to have a steady data retention policy raises cost issues (e.g., unnecessary data storage) as well as spoliation issues (e.g., random timing for deletion of email messages).
3. Educate employees about common data security threats
Make sure your employees are aware of why law firms are major targets for security breaches so they appreciate the seriousness of this issue. Our experts advised that it’s a good idea to teach employees about some of the most common data security threats you face – e.g., email phishing campaigns – so they can be on alert for attempted attacks.
4. Review contracts with third-party service providers
According to the panel, a 2015 Forrester Research survey of IT security and risk management professionals found that organizations are more concerned that third parties pose a risk of critical data loss (63%) and cyber-attacks (62%) than they are about their vendor’s ability to deliver quality and timely service as contracted (55%). One way to manage that risk is to review and – if necessary – revise your vendor contracts to best protect the law firm in the event of an incident.
5. Create a formal mobile device security policy
One speaker noted that lost laptops and mobile devices create some of the highest risks of a cyber-attack. Once a hacker has a lost or stolen device, the criminal can transmit viral emails throughout the law firm, access a secure network, and do other serious damage. Law firms need to have a formal mobile device security policy that requires all firm-issued devices to be secured by a password, enables firm IT professionals to wipe the device remotely and requires employees to report a missing device as soon as it is lost.
* * *
The NewLaw 2020 series consists of monthly virtual meetings in which participants are engaged and educated on evolving trends that impact legal business models. The initiative is managed by The Cowen Group and is underwritten by LexisNexis.