Lawyers understand the need to protect the integrity and confidentiality of client data. They know that a single breach of confidentiality or theft of proprietary data can irrevocably damage a firm's reputation. Until recently, most practices protected their business assets by dividing protection into two separate "spheres": physical security and computer technology. Sept. 11, 2001, changed that approach for good. Law firms and companies alike quickly realized how fragile their operations were: damage to the computer systems was damage to the business. A unified approach to security is now mandatory.

At many firms, a review of internal processes revealed a significant lack of integration among the physical security, data security and disaster recovery teams. This lack of coordination led to a disjointed, inefficient approach, which in turn heightened the firm's risk. For instance, collecting information from several separate sources within a firm made it easier for critical data to fall through the cracks. Obtaining an accurate reading of a firm's security posture required an executive to pore over mountains of unrelated security data, which took far too much time and money. It quickly became painfully obvious that an integrated approach to business protection was needed.

SHIFT IN ATTITUDE

This new approach requires a shift in attitude. Firms now realize they can no longer have a "set-it-and-forget-it" mentality. Security needs cannot be resolved by a single implementation of a firewall or intrusion detection system. Security must be a continuous process, complete with ongoing assessments, reviews and upgrades. Whether a firm has the resources to build a program in-house or outsources to a qualified managed security provider, it must be prepared to spend money on protecting its assets.
According to the Yankee Group, first-year startup costs of building an in-house information security program can run $750,000, including technology, staffing and 24/7 monitoring. For many businesses, outsourcing may be a viable option. Even where the budget is available, many firms are not sure what they need to protect or how to protect it. Guidelines have emerged; one example is the international standard ISO 17799, Code of Practice for Information Security Management, which originated in the U.K. (as BS 7799). The ISO guidelines define 10 areas that should be included in a comprehensive information security program, and include immediate and long-term actions companies can take to protect their business processes.

REDUCE YOUR EXPOSURE

The following actions can help reduce your overall exposure. Do them now:

• Review your security policies, both physical and computer-based; ensure they are current and being enforced.
• Reduce external exposure by minimizing Internet access and connectivity.
• Don't use instant messaging; it opens an unmanaged channel into the firm that attackers can exploit.
• Stay current with security advisories.
• Remove all "guest" accounts.
• Encrypt sensitive information on servers, on desktops and laptops, and in transit.
• Minimize the number of access points to your networks.
• Identify single points of failure.
• Ensure critical systems are redundant: hardware, connectivity and power.
• Check for "zombie" agent software (compromised machines under an outsider's remote control).
• Ensure all current service packs and security patches have been installed.
• Revisit your firewall policy, rules and configurations.
• Revalidate, and consider curtailing, your need for remote access.
• Consider changing passwords for all "super-user" or "power" IDs.
• Revisit and revalidate access control lists.
• Ensure the daily monitoring and review of all critical system logs for suspect or unusual activity.
• Ensure all critical systems are backed up regularly.
• Develop an incident response team and plan.
• Contact your Internet service provider (ISP) and understand what it is doing to protect your operations.
• Implement PC security and virus protection programs.
• Ensure you are using an appropriate log-in banner.

MANAGEABLE SECURITY

These actions will help you build a sustainable, manageable security program:

• Create specific policies, standards and procedures.
• Consider centralized security management.
• Be sure your security staff is well-trained.
• Provide the security tools necessary to protect your operating environment.
• Develop administration procedures, e.g., coordination of security administration with human resources so that access is removed when staff leave.
• Implement robust identification and authentication (tokens, biometrics, etc.).
• Use early-warning capabilities through systems and network monitoring.
• Foster security awareness at all levels.
• Use an employee-screening program.
• Employ "tiger teams" (people who actively try to find vulnerabilities) to help you identify vulnerable systems.
• Facilitate and support an active and ongoing audit program.

It is wise to integrate the specialized activities that previously operated independently of one another. The result is a blended, multidiscipline business protection program that combines physical protection with computer and network protection and contingency planning. This can address the specific needs of your various operational units without necessarily affecting headcount or operating budget. Rather, it brings these experts together under a central authority, creating a flexible, highly responsive business process protection program. The program is driven by the legitimate business requirements of the firm, not by technology.

Simply stated, businesses must break the model of always reacting to incidents through disparate approaches scattered across the organization. Proactive measures, implemented in a unified manner, will protect their vital interests.
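The "daily monitoring and review of all critical system logs" item in the list above is the one most firms skip because it sounds like a manual chore. The script below is an added example (not from the article or from RedSiren) of what a minimal daily review can look like: it reads constructed sshd/syslog lines and flags three of the conditions the checklist calls out, namely any login by a "guest" account that should have been removed, a super-user login from a host outside an allow-list, and a burst of failed logins from one source (password guessing). The host names, IP addresses, account names, allow-list, year and thresholds are all hypothetical.

```python
"""Daily review of authentication logs for suspect activity.

Added example, not the article's or RedSiren's code. Scans constructed
syslog-style sshd lines for:
  * a successful login by a "guest" account (should no longer exist),
  * a successful super-user login from a host not on the admin allow-list,
  * FAIL_THRESHOLD failed logins from one source inside FAIL_WINDOW.
All names, addresses and thresholds are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (sshd/syslog format); not real log data.
SAMPLE_LOG = """\
Mar  3 08:01:12 fileserver sshd[4121]: Accepted password for jdoe from 10.0.5.17 port 51022 ssh2
Mar  3 08:02:40 fileserver sshd[4130]: Accepted password for guest from 10.0.9.8 port 40211 ssh2
Mar  3 08:10:01 fileserver sshd[4150]: Failed password for root from 203.0.113.42 port 3311 ssh2
Mar  3 08:10:03 fileserver sshd[4150]: Failed password for root from 203.0.113.42 port 3311 ssh2
Mar  3 08:10:05 fileserver sshd[4150]: Failed password for root from 203.0.113.42 port 3311 ssh2
Mar  3 08:10:07 fileserver sshd[4150]: Failed password for root from 203.0.113.42 port 3311 ssh2
Mar  3 08:10:09 fileserver sshd[4150]: Failed password for root from 203.0.113.42 port 3311 ssh2
Mar  3 08:10:11 fileserver sshd[4150]: Failed password for root from 203.0.113.42 port 3311 ssh2
Mar  3 09:15:30 fileserver sshd[4201]: Accepted publickey for root from 10.0.1.5 port 60001 ssh2
Mar  3 23:41:02 fileserver sshd[4388]: Accepted password for root from 198.51.100.7 port 2222 ssh2
"""

# Matches "Accepted|Failed <method> for [invalid user] <user> from <src> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

GUEST_ACCOUNTS = {"guest", "visitor"}   # hypothetical IDs that should have been removed
SUPER_USERS = {"root", "administrator"}  # hypothetical "power" IDs
ADMIN_HOSTS = {"10.0.1.5"}               # hypothetical allow-list for super-user logins
FAIL_THRESHOLD = 5                       # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)      # ... inside this window is a guessing burst


def parse_line(line, year=2002):
    """Return a dict for an sshd login line, or None for anything else.

    syslog lines carry no year, so the caller supplies one (hypothetical here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space in "Mar  3"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]}


def review_log(text):
    """Return a list of (kind, user, source, timestamp) findings, in log order."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    findings = []
    recent_failures = defaultdict(list)  # source -> timestamps inside FAIL_WINDOW
    for e in events:
        if e["ok"] and e["user"] in GUEST_ACCOUNTS:
            findings.append(("guest-login", e["user"], e["src"], e["ts"]))
        if e["ok"] and e["user"] in SUPER_USERS and e["src"] not in ADMIN_HOSTS:
            findings.append(("superuser-login-unexpected-host", e["user"], e["src"], e["ts"]))
        if not e["ok"]:
            window = recent_failures[e["src"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)  # forget failures that have aged out of the window
            if len(window) == FAIL_THRESHOLD:  # report once, when the burst crosses the line
                findings.append(("password-guessing", e["user"], e["src"], e["ts"]))
    return findings


if __name__ == "__main__":
    for kind, user, src, ts in review_log(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:32s} user={user} from={src}")
```

Run against the sample, the review reports the guest login, the password-guessing burst against root from 203.0.113.42, and the late-night root login from 198.51.100.7; the root login from the allow-listed admin host is left alone. In practice the allow-list and the account sets would come from the firm's access control lists, so this kind of script doubles as a check that those lists are current.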
If you haven't started to think and act in this manner, it's not too late. If you wait, it may be.

Dain Gary is chief security officer of RedSiren Technologies, based in Pittsburgh. E-mail: [email protected]. Web: www.redsiren.com.
Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.