Training your staff to spot looming cyber-threats before they strike is a key to data security at your firm.
And when it comes to safeguarding digital communications, nothing beats good, old-fashioned encryption.
Those are two suggestions from a panel of cybersecurity experts convened by Digital Guardian.
And while the panelists – ranging from the Chief Legal Officer at a fast food chain to an international weapons expert – have different points of emphasis, they all agree the starting point is education.
“[T]he biggest security hole in every organization is its people,” says Jeff Stollman, a specialist in sensors, robotics and information security. “It is important to provide end-user training. Classes don’t work. They are costly and the information is not retained for very long. A better program is the irregular use of internal phishing emails (sent from outside addresses designed to catch users off guard). These are then followed up with emails that teach users how to avoid falling victim to such attacks. Multiple services are available to provide this.”
Here are eight tips from the cybersecurity hotshots:
- Create a culture of cybersecurity. “[D]emonstrate that the firm has an institutional commitment to protect client data that is reflected by involvement and engagement by senior firm leaders – not just IT. Also show that the firm has a strong and customized security awareness training program for all staff with access to client data.” (Jonathan Dambrot, CEO of Prevalent)
- Make cyber-training fun. “[T]here are now some good services that license short (less than three minutes), humorous videos to train users. These are available on a subscription basis. They can be sent out at somewhat regular intervals to both entertain and teach users.” (Jeff Stollman)
- Manage third-party risk. “When you have a cybersecurity plan that only focuses on internal security, you risk missing 50 percent of the problem. Numerous studies have shown that third parties represent between 40 and 80 percent of the risks associated with data breaches.” (Jason Straight, Senior Vice-President at UnitedLex)
- Outsource data protection with care. “Any firm I look to hire for data protection must have a clear crisis management protocol in place. If a data breach occurs, we need them to respond appropriately and urgently to protect our data. In short, we’re looking for a partner who can help us navigate through an incident that could easily cripple our brand.” (Sloane Perras, Chief Legal Officer for The Krystal Company)
- Use vulnerability tests. “I would suggest regularly scheduled third party penetration tests and vulnerability assessments performed to understand gaps or potential threat areas. Some firms may even require ethical hacking to test end user behavior and your potential exposure.” (Marco Maggio, Director of U.S. Legal Practice at All Covered, a Konica-Minolta Company)
- Secure your perimeter. “Perimeter security is the place most firms will start. Selecting a quality next generation firewall is a must. Traffic coming into a firewall using http is not always standard web traffic. A quality firewall ensures the traffic is what is indicated. A solid subscription service looking at malware, virus and URL filters is commonplace. A service that dovetails with other security devices/software reduces management overhead and condenses support contracts.” (Kevin Kay, Chief Innovation Officer at Red Sky Solutions)
- Limit access to confidential information. “[O]nly users needing access to confidential files should have access to these files. These files should not be stored on the open network for everyone to access. Limiting the areas on the network where these files can be stored (e.g. document repository system or SharePoint) and implementing user access control is a good first step. Unless someone has a business need for it, users should not be able to access the USB ports on their PCs. This is to prevent the unauthorized copying of confidential files onto external media such as thumb drives, hard drives or burning data onto a DVD. Online storage sites such as Dropbox and personal email sites such as Yahoo email, Gmail, and LinkedIn email should be disabled to prevent users from saving and transferring data outside of the controlled environment.” (Eric Au, Director at Tower Consulting Services)
- It’s all about encryption. “It doesn’t matter if it’s email, instant messages, case files, discovery or third party expert communications, the principle of encryption is the only way you can really satisfy due diligence requirements.” (Steve Santorelli, Director of Intelligence and Outreach at Team Cymru)
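The “limit access” tip above boils down to two controls: a deny-by-default rule for who may open confidential files, and a check that such files only live in the approved repositories. The following Python sketch is an added illustration of both, not code from Digital Guardian or any of the panelists; the policy table, group names, repository paths and sample documents are all constructed assumptions.

```python
"""
Added example (not from the article or its panelists): a deny-by-default
read check for a document repository, plus an audit that flags confidential
files stored outside the approved locations. Every name, path and
classification below is a constructed assumption for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical policy table: which groups may read each classification.
# Any classification or group not listed here is denied (least privilege).
READ_POLICY = {
    "public": {"all-staff"},
    "internal": {"all-staff"},
    "confidential": {"matter-team", "records-admin"},
}

# Hypothetical locations where confidential material is allowed to be stored.
APPROVED_REPOSITORIES = ("/dms/", "/sharepoint/matters/")


@dataclass
class Document:
    path: str
    classification: str


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


def can_read(user: User, doc: Document) -> bool:
    """Deny by default: an unknown classification or an unlisted group gets nothing."""
    allowed = READ_POLICY.get(doc.classification, set())
    return bool(user.groups & allowed)


def access_decision(user: User, doc: Document) -> dict:
    """Return an audit record for the decision so denials can be logged and reviewed."""
    return {
        "user": user.name,
        "path": doc.path,
        "classification": doc.classification,
        "allowed": can_read(user, doc),
    }


def misplaced_confidential(docs) -> list:
    """List confidential documents that sit outside the approved repositories."""
    return [
        d.path
        for d in docs
        if d.classification == "confidential"
        and not d.path.startswith(APPROVED_REPOSITORIES)
    ]


# Constructed sample users and documents for a stand-alone run.
SAMPLE_USERS = {
    "paralegal": User("pat", {"all-staff"}),
    "attorney": User("alex", {"all-staff", "matter-team"}),
}
SAMPLE_DOCS = [
    Document("/shared/policies/handbook.pdf", "public"),
    Document("/dms/matters/1234/deposition.docx", "confidential"),
    Document("/shared/everyone/client-list.xlsx", "confidential"),
]


def run_demo() -> dict:
    """Evaluate the sample users against the sample documents and run the audit."""
    decisions = [
        access_decision(u, d) for u in SAMPLE_USERS.values() for d in SAMPLE_DOCS
    ]
    return {"decisions": decisions, "misplaced": misplaced_confidential(SAMPLE_DOCS)}


if __name__ == "__main__":
    result = run_demo()
    for rec in result["decisions"]:
        print(rec)
    print("Confidential files outside approved repositories:", result["misplaced"])
```

The audit function is the part worth scheduling: a file that is confidential but sits on the open share is exactly the exposure the quote warns about, and it is cheap to report on regularly.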
What safety tips would you add to this list?
- Digital Guardian https://digitalguardian.com/
- Digital Guardian https://digitalguardian.com/blog/law-firm-data-security-experts-how-protect-legal-clients-confidential-data