The 5th Annual Law Firm CFO/CIO/COO Forum
As law firms continue to recognise how important it is to build a shared understanding of security and risk, that effort starts with a sharp focus on talent and culture. The first topic the panel discussed at the Data Privacy, Security & the Globalized Law Firm session of the CFO/CIO/COO Forum was protection and prevention methods.
Protection and Prevention
Barry Strauss, COO, Elegrity; Curt Cunningham, CIO, Fragomen; Michael Lewis, CIO, Hogan Lovells; and Ramound Umerley, CDPO, Pitney Bowes had a very engaging discussion about how firms can best protect their data. In the beginning stages, firms should prioritise their assets. Which documents, emails, IP, databases, software, and services are most important? As new data arrives, the firm should examine the process: how is the data stored, transmitted and deleted? Each of those stages needs to be examined carefully. The firm has to be mindful of both structured and unstructured data and, in addition, understand and follow the national and international compliance rules that apply to that information.
Several of the panelists suggested that every firm should conduct its own network penetration tests. Michael Lewis of Hogan Lovells recommended that firms design phishing emails to see which employees are actually clicking on those links. Another aspect he mentioned was to review data retention policies: are these policies industry standard? Michael Lewis also advocated that firms take baseline network traffic reports from all offices. Once a baseline is established, current traffic can be compared against it, with unusual traffic setting off alerts on anomalies that may indicate a compromise.
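The baseline-and-compare approach Michael Lewis describes, as an added example that is not part of the forum write-up or any panelist's own tooling: a per-office baseline (mean and standard deviation of hourly traffic volume) is built from historical reports, and new observations are flagged when they deviate by more than a set number of standard deviations, or when they come from an office with no baseline at all. The office names, the hourly byte counts and the 3-sigma threshold are all constructed assumptions for illustration.

```python
# Added example (not from the forum write-up): baseline network traffic per office
# and flag hours whose volume deviates sharply from that baseline.
# All traffic figures below are constructed sample data, not real measurements.
from statistics import mean, pstdev

# Constructed sample: bytes transferred per hour for two offices over several days,
# one value per observed hour. Office names and numbers are assumptions.
BASELINE_TRAFFIC = {
    "london": [
        4_100, 3_900, 4_300, 4_000, 4_200, 3_800, 4_100, 4_000,
        3_950, 4_050, 4_150, 3_900, 4_250, 4_000, 4_100, 3_850,
    ],
    "new_york": [
        9_800, 10_200, 9_900, 10_100, 10_000, 9_700, 10_300, 9_900,
        10_050, 9_950, 10_150, 9_850, 10_250, 9_900, 10_000, 9_750,
    ],
}


def build_baseline(samples):
    """Return {office: (mean, population std dev)} from historical hourly volumes."""
    baseline = {}
    for office, values in samples.items():
        if len(values) < 2:
            raise ValueError(f"need at least two samples for {office}")
        baseline[office] = (mean(values), pstdev(values))
    return baseline


def detect_anomalies(baseline, observations, threshold=3.0):
    """Return a list of (office, hour, z_score, reason) alerts.

    An observation is flagged when its volume lies more than `threshold`
    standard deviations from the office's baseline mean. Traffic from an
    office with no baseline is flagged too, since it is an unknown source.
    """
    alerts = []
    for office, hour, volume in observations:
        if office not in baseline:
            alerts.append((office, hour, None, "no baseline for office"))
            continue
        mu, sigma = baseline[office]
        if sigma == 0:
            # Flat baseline: any deviation at all is unusual (edge case).
            z = float("inf") if volume != mu else 0.0
        else:
            z = (volume - mu) / sigma
        if abs(z) > threshold:
            direction = "spike" if z > 0 else "drop"
            alerts.append((office, hour, round(z, 2), direction))
    return alerts


# Constructed observations for one day: (office, hour, bytes). The 02:00 London
# value mimics a large off-hours transfer, the 14:00 New York value mimics an
# outage, and "paris" is an office that was never baselined.
OBSERVED = [
    ("london", "09:00", 4_050),
    ("london", "02:00", 61_000),
    ("new_york", "10:00", 10_020),
    ("new_york", "14:00", 1_200),
    ("paris", "11:00", 2_000),
]


def run():
    """Build the baseline from the sample history and score the day's observations."""
    return detect_anomalies(build_baseline(BASELINE_TRAFFIC), OBSERVED)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In practice the baseline would be refreshed on a schedule and kept per office and per time-of-day, since a volume that is normal at 10:00 may be alarming at 02:00; the z-score threshold is a tuning knob, and the "no baseline" alert is what catches a new or unexpected source before any statistics exist for it.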
Some other protection and prevention methods:
- Use encryption everywhere that you can: email, documents, databases, SAN
- Web Application Vulnerability Testing
- Mobile Device Management – separate firm data from personal data on BYOD devices
- ISO certification and accreditations
Another critical aspect of firm culture is incident response. The panel discussed the need to have a cross-functional team in place for when a cyber-attack occurs. This group should include many of the following: Communications, HR, BD, Managing Partner, IT, Audit, and Info Security. A suggestion that struck a chord with the audience was accessibility to your vendors: that is, the ability to contact a vendor no matter what time of day or night, with the phone number of a real person who is accountable. They emphasised that this should be negotiated and written into the contract. Lastly, once an incident is resolved, conduct a retrospective of the attack and define the lessons learned for the next event.
In an age where law firms are clearly in the sights of cyber criminals, there is a need to act. Law firms are aligning their understanding of security and risk directly with a sharp focus on internal talent and culture. Protection, prevention, and incident response methods are a major component of safeguarding the firm's assets. The panel closed with their three most important takeaways: prepare technologically, educate your staff, and create clear processes.