Maybe. It’s not cheap, and if you are doing it just to get a “one-time” certificate for your marketing materials, don’t waste your time. You need to believe that your firm is at risk – and all firms are to some degree – and that good security is important for your business. For a large firm the cost can approach $100,000, but the process can be a key to improving your security posture, and a certificate clearly demonstrates to clients and prospective clients that you take your responsibility to them seriously.
Can we do this ourselves without spending a fortune? Yes, you can, but unless you have someone on your team who has done this before it will be difficult and consume a lot of unfocused time. You need not certify the entire firm or IT organization. In fact, most organizations limit the scope of certification to the parts of the organization with the greatest risk impact; for law firms, this means the areas and systems that hold client information, such as the document management system. Keep in mind that the certificate covers only what is inside that defined scope, so a client reading it should look at the scope statement, not just the logo.
Can I use the ISO guidelines and process to improve without getting the certification? Sure, and for some firms this works well. It comes back to the risk analysis and the impact on your reputation.
If we get certified what does ISO 27001 require? It requires that senior management:
Systematically examine the firm’s information security risks, accounting for threats, vulnerabilities, and impacts
Design and implement a coherent and comprehensive suite of information security controls and / or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
Adopt an overarching management process to ensure that the information security controls continue to meet the firm’s information security needs on an ongoing basis
What if hackers get past our cyber security door?
“Easy” fixes include encrypting laptop computers and encrypting the data stored in your data center. Encrypting data anywhere it resides, including on mobile thumb drives, is also an excellent idea, but I will focus here on laptops and data center storage.
If you are not encrypting the disk drives in all of your laptop computers you are behind the curve – not by a little, but by a lot. Since Microsoft began including BitLocker in the Enterprise and Ultimate editions of Windows (starting with Vista and Windows 7), there is no reason not to protect your most vulnerable data – that which is mobile and easily misplaced. If you don’t use Windows, alternative full disk encryption software is readily available. One caveat: full disk encryption protects data at rest, meaning a laptop that is powered off or locked with its protectors engaged; it does nothing for a machine that is left unlocked, and it is only as good as the care taken to keep protection turned on and recovery keys escrowed. Why should I do this? Because you don’t want to be in the situation one large firm almost found itself in back in 2005. The firm had a dozen laptop computers stolen from one of its offices. (It was discovered within days that the cleaning crew were the thieves. Not sure why they thought the police wouldn’t look at them.)
The morning after the theft one of the major local TV stations found out and contacted the firm for comment. The station was looking forward to an evening headline: “National law firm loses laptops with sensitive client data!” That morning there was a lot of high-level discussion at the firm about how to respond to the reporter’s questions. However, once the reporter was informed that all of the laptops had full disk encryption, the station dropped the story and it was never aired.
Encrypting your data is easy to do and you have a lot to lose – literally and figuratively. It also matters legally: many U.S. state breach notification laws treat properly encrypted data as not having been exposed at all. The same applies to data stored on servers and storage drives in your data center. While not as easy or inexpensive to encrypt, the security benefits are the same, with one important caveat: a server decrypts its storage transparently for anyone who has logged in, so encryption at rest protects you against stolen or discarded drives and backup tapes, not against an attacker who has taken over a legitimate user account. We said above that everyone gets hacked at some point. But if all the attacker can see is gibberish, you are in a much better position to meet your fiduciary and ethical responsibilities.
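The point about keeping protection turned on can be checked rather than assumed. The following PowerShell script is an added example, not code from the original article or from Microsoft: it audits every BitLocker volume on a Windows machine and reports anything that is encrypted in name only. It assumes Windows 8 or Server 2012 or later with the BitLocker module, an elevated session, and it uses the real Get-BitLockerVolume cmdlet; the definition of “compliant” (a TPM-bound protector on the OS drive, a recovery password, an XTS-AES cipher) is this example’s own policy choice.

```powershell
# Added example (not from the original article): audit BitLocker on the local
# machine and report each volume that is not fully protected. Requires Windows
# 8 / Server 2012 or later, the BitLocker module, and an elevated session.
# The compliance rules below are this example's assumptions, not a standard.

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        # Protector types that bind the volume key to this machine's TPM.
        [string[]]$TpmProtectorTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'),
        # Cipher modes accepted by this example's policy (rejects legacy CBC/diffuser modes).
        [string[]]$AcceptedEncryptionMethods = @('XtsAes128', 'XtsAes256')
    )

    foreach ($vol in Get-BitLockerVolume) {
        $findings = New-Object System.Collections.Generic.List[string]
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # 1. Encryption must be complete. "EncryptionInProgress" or a suspended
        #    state means part of the disk is still plaintext.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("VolumeStatus is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)")
        }

        # 2. Protection must actually be on. A fully encrypted volume with
        #    protectors suspended (common after a firmware update) stores its
        #    key in the clear, so the encryption buys nothing.
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("ProtectionStatus is $($vol.ProtectionStatus)")
        }

        # 3. The OS volume should unlock only with the TPM involved, so a
        #    drive pulled from a stolen laptop cannot be unlocked elsewhere.
        if ($vol.VolumeType -eq 'OperatingSystem') {
            $hasTpm = $types | Where-Object { $TpmProtectorTypes -contains $_ }
            if (-not $hasTpm) {
                $findings.Add("no TPM-bound key protector (found: $($types -join ', '))")
            }
        }

        # 4. A recovery password must exist. Whether it is escrowed to AD,
        #    Entra ID or a key vault cannot be verified locally; without it a
        #    forgotten PIN or motherboard swap turns the laptop into a brick.
        if ($types -notcontains 'RecoveryPassword') {
            $findings.Add('no RecoveryPassword protector')
        }

        # 5. Reject legacy cipher modes on volumes that are encrypted.
        if ($vol.VolumeStatus -eq 'FullyEncrypted' -and
            $AcceptedEncryptionMethods -notcontains $vol.EncryptionMethod.ToString()) {
            $findings.Add("encryption method is $($vol.EncryptionMethod)")
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Print a table and exit non-zero if any volume fails, so the script can be
# run from a scheduled task or endpoint management tool as a compliance check.
$report = Test-BitLockerCompliance
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it across the fleet (for example via Invoke-Command or your endpoint management tool) rather than on one machine; the laptops that matter are the ones nobody has looked at, and the non-zero exit code makes the result easy to collect.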
The Need to Know
Another change underway is looking at document security on a need-to-know basis. I know this sounds like a line from a spy novel, but it’s real and taking place now. Since document management systems came to be, most law firms configured them to allow everyone in the firm access to all documents. This was done to foster an atmosphere of collegiality, along with the idea that access to all documents would create a firm with shared knowledge, or built-in knowledge management (KM) – which never happened.
While trust within a firm is usually taken for granted, there have been instances where firm personnel accessed client or internal firm information for unsavory purposes. The bigger issue is what happens when a hacker gains access to an attorney’s or staff member’s account: if that account can read everything, all of your internal and client data is exposed at once. Some firms have limited access to documents to those working on a specific matter, those with a “need to know,” and more and more firms are now moving to that information security model.
Allen & Overy was the first large global firm to improve its document security in this way, making the change in the mid-2000s. The last two years have seen an increasing number of law firms make the same change. Why? In part because some clients now require that only those with a need to know have access to their data.
After doing all we can to protect ourselves, what happens if we do discover a breach of our security controls? The main thing is to be prepared; don’t wait until it happens to ask yourself this question. Part of preparing is understanding the laws in the jurisdictions in which you operate. Federal and state laws vary and are ever-changing, and they drive the actions you should be prepared to take – including required disclosure.
Also contact law enforcement, including the FBI. Depending on the situation they may be able to provide valuable assistance. What happens in the case of a breach should be part of the early discussion with your risk management team. Cyber security is not just an IT problem; it is a strategic risk management responsibility.