Login | February 19, 2019

Still not implementing cybersecurity policies? Do it now

Technology for Lawyers

Published: July 6, 2018

A survey by eWranglers given to participants in a 2017 ABA GP Solos and Small Firm Summit came back with a very depressing stat—only a third of the firms reported that they had implemented data protection policies, with a similar number having implemented training for said policies.

The same survey showed that, while most firms have some kind of anti-virus installed, the level of security altogether on the participants’ computers was well below optimal. Fifty-eight percent reported having firewalls and email protection, 50 percent had disaster protection or other data backup, a third had email encryption, and just a few had device encryption. You know, most of this stuff is low-cost or even free, takes very little time to install and run, and is easily maintained. Come on.

But on to the main topic—data protection, and congrats to the third who at least have data protection policies, I guess. You’re dismissed. The rest of you stay for the lecture. Here are some tips to get started protecting your clients’ and you data and, therefore, your career.

Again—policy, procedure and training have to form the basis of any cybersecurity implementation.

These policies need to address four things: what data needs to be protected; how the data will be protected; who is in charge of developing, enforcing and training for these policies; and the people to whom these policies apply.

When putting the data protection plan together, first emphasize prevention. Kepp the data safe in the front of the house (firewalls), in the middle (encrypt everything already, OK?) and in recovery (you need a disaster recovery plan or at least back up all data offsite).

Next, create an incident response plan. Cause, you know, you’ll probably be attacked, so you should have a plan in place for when that happens.

An incident response plan team includes three primary roles: threat researchers, who collect the data about the breach; triage and forensic security analysts (probably third-party, unless you have a computer science degree); and an incident response manager who is particularly aware of the legal implications of data breaches and can respond appropriately.

So get started now.