By now we all should have realized that cyber-related risks are not going to disappear. Technology is here to stay and so are risks associated with using technology. Data breaches, ransomware and phishing attacks are a daily occurrence and constitute some of the risks of using technology.
But don’t despair. We face and manage risks in our everyday activities such as riding in cars. Rather than avoid transportation, we wear our seatbelts and follow traffic laws to reduce the risks associated with riding in cars. Risks associated with technology can be reduced in the same manner; apply safety features and follow the rules.
A law firm’s exposure to risk depends on the type of data processed and stored by the firm. It also depends on the type of technology the firm uses.
Lawyers have obligations to maintain confidentiality, competence, and safe-keep information belonging to clients. Information subject to lawyers’ obligations should be protected. Depending on the lawyer’s practice area, the law firm may also handle medical records, financial information, and other personal information subject to regulation. Consider whether or not you handle information that falls into a regulated category, and learn the regulatory requirements for treatment of such information.
Essentially you can categorize information as follows:
- Client Property
Not all information is created equal. If the information does not fall into one of the above categories, it might not require as much security. For example, it is unlikely you need to stash your news subscription password in a secret vault.
Once you identify which information requires protection, you must apply the appropriate security measures. To do so, you need to understand the technology you are using and how to secure it.
For instance, the door to your office has a lock and maybe a security code as the chosen security measures. Tape would not work. It also unlikely that a “do not enter” sign would keep people out. Much like you understand the various methods of securing a door, you should understand the various methods of securing technology. How do you secure cloud access? How do you secure email? Think about where you store data that fits into one of the 4 categories mentioned above. After you identify the location of your data, consider each access point. Can you access your email from only one laptop? Or can you access email by logging in from a browser on any device? How do you access your data?
For each access point, research different security measures. Find the appropriate locks and know that there are people and resources out there who can help you properly protect your data.