What large clients expect of a law firm’s security practices
Quick action guide:
- Ensure your firm has adequate information security training and guidance documentation
- Encrypt all the firm’s IT assets (laptops, phones, etc.)
- Implement a policy around USB sticks and unauthorised devices
- Book regular security meetings with senior partners and those with dedicated security responsibilities
- Have a contingency plan in the event of a breach
- Define the firm’s data retention strategy and create policies which encourage the correct behaviour
- Take technology seriously and avoid technology lock-in from suppliers
Gone are the days when a firm only needed to think about its own security practices. In the modern workplace of digitally transformed organisations, firms must ensure that any supplier or stakeholder with access to company data is equally secure. Legislative changes, together with the global trend towards digitisation, are shifting attention from an inward view of security best practice to the firm’s entire supply chain and its partners. As professional service providers with access to highly confidential client data, law firms are scrutinised by clients who want assurance that their information is kept secure. The bigger the client, the more emphasis on best-practice security it is likely to demand. The guidelines below, however, offer salient and practical advice for firms with large and small clients alike.
There are four guiding principles which law firms must adhere to if they are to give clients greater confidence in the handling of their information: reduce individual errors, ensure the firm takes security seriously, implement a framework for managing risk, and deploy strict policies on data retention.
Implement measures, processes and procedures that stop humans from making errors
A combination of methods which reduce human error and individual responsibility is imperative. Trusting people not to make security mistakes is a mistake in itself. The 1% of the time when an individual isn’t taking due care, perhaps after a tough client meeting or a late night in the office, is when concentration slips and errors occur. Firstly, firms must implement the correct training and guidance. Data protection at work and online cybersecurity training, alongside other initiatives such as online phishing challenges, employee handbooks, compliance and risk manuals and client confidentiality training, can reduce the likelihood of a security breach. Second, further processes and policies should be implemented to safeguard employees. Firms should ensure their devices are encrypted and have remote wiping capabilities. The use of unauthorised storage, such as USB sticks or Dropbox, should be banned and treated as a security risk. It is believed that if privileged information is found on a lost USB stick or accessed by a third party via Dropbox, the data can no longer be considered privileged but rather public information, because inadequate effort was made to keep it secure. Data restriction policies, such as ensuring employees have only the minimum access rights they need, tiering levels of security for information and limiting sharing capabilities, are further policies firms should consider. Finally, firms must regulate which devices their employees use to access company data, for example by restricting access from public PCs and enabling mobile device management on personal devices such as smartphones.
Take security seriously at a senior level
Large clients will want reassurance that security is taken seriously across the entire firm, not just in the IT department or by the practice manager: that means everyone from a temporary worker to the chairman and managing partner. A simple way for senior figures to demonstrate interest is to have scheduled meetings in the diary to discuss security. Actions are likely to arise from these meetings which engage senior partners and create an organisational culture with the protection of client information at its heart. Personnel with accountability and dedicated security roles should attend these meetings. The firm must also demonstrate that it is up to date with patch compliance while reporting on, monitoring and measuring action plans around compliance. Senior partners must be able to prove to their clients how serious the firm’s commitment to security is.
Create a framework for managing risk
A client will want to see how the firm is managing risk. What happens if there’s a breach? Does the firm have security incident management procedures in place? It is the firm’s job to demonstrate to its clients what happens in the case of a data leak, what the contingency plans are and how incidents are being prevented. Does the firm know where its data is, including on rogue USB sticks and printer hard drives?
Define data retention policies
The final, and perhaps most pertinent, point is the firm’s data retention policies. Typically, law firms may wish to hold client data for between seven and fifteen years. However, this may make large clients feel uneasy, and for good reason: if a firm is holding data on its client, then there is a possibility it can be compromised. A firm must justify why it needs to keep data. Otherwise, it should delete it and not hold information any longer than is necessary. It must also demonstrate that it practises good housekeeping. If employees of the firm are emailing documents, which are then backed up and forwarded again, how does the firm maintain control over this continuous cycle of replicated documents? One way is to adopt modern working methods and provide access to a single original document rather than creating copies by forwarding emails. The original author can then revoke access and retain control over the document. Again, unencrypted laptops and USB sticks give the firm no control over its retained data and increase the risk of a breach. Instead, working practices should be cloud-based, which provides higher security and control than traditional servers, which no longer offer adequate levels of protection (or even productivity or efficient use of capital).
Putting it all together
Satisfying the security demands of a large client is also good practice which every firm should follow. Short-term logic is often the reason data and security are not treated as an important strategic decision, and more often than not this results in false economies. Technology is moving at a rapid rate, and law firms must ensure they are agile enough to embrace this change. On-premises servers and long-term three-to-five-year IT contracts pose difficult situations for a firm’s leadership team, as they unnecessarily lock the firm into dormant technology which fails to satisfy the above points adequately. Instead, partners must show their clients (and teams) that the firm has the strength to embrace change and innovation and establish itself as a leader in its field.