Regardless of whether you call it a fire drill or a test, periodic validation and verification of your post-breach plan is a critical management step not to be missed. Like all emergency planning, dusting off the planning document after the fire starts is a sure way to get burned.
What is our greatest security threat and what is easiest to fix?
To quote the parody in the Pogo comic, “We have met the enemy and he is us.”
It is well documented that a key risk within all organizations is our own people. I’m not talking about intentional theft or destruction, but unintentional actions that result in outside hackers gaining access. What can you do? One of the easiest and most effective security activities you can do is awareness training.
Nobody wants to be the one to create a bad situation, but most of us aren’t aware of what we should or shouldn’t do, or what to do if we see a problem. The worst thing to do is to not report it to the IT team. There are companies that know this material and deliver the training effectively, including some that work specifically with law firms and lawyers. To be effective, security education should be reinforced yearly, and don’t forget new hires.
The above is only a primer on law firm cyber security and I hope that you will have more discussions with your CIO about improving your firm’s security posture. Please include your vocal and visual support of these organizational changes that create a culture of security and improve your firm’s security posture. Your active participation is vital.
Thanks for the two-part presentation.
If it helps (it does in an engineering context), cyber-security is strongly analogous to safety. You have to develop a safety culture, and that culture, it has been demonstrated over and over, requires structure, training, repetition, and clear commitment from Management. Sure, it is an overhead – but think of it as “wealth preservation.” In a partnership model that should focus some attention.