IT and cybersecurity policies should be law firm-wide priorities and not relegated to the IT department. Attorneys and law firm staff are often the cause of breaches and private data leaks, which makes comprehensive policies and training imperative. One of the best ways to prevent cyberattacks, protect client data, and ensure firms can withstand disruptions is to develop and carefully follow standards for firm technologies and their uses.
Law firms need formally documented policies that outline proper procedures for every aspect of their IT environment. Comprehensive IT and cybersecurity policies include an acceptable use policy, business continuity policy, incident response policy, data loss prevention policy, records management policy, mobile device policy, and password policy.
Most mid-sized law firms have implemented data loss prevention and password policies. However, LOGICFORCE's 2021 Law Firm IT Scorecard, a study that surveyed IT decision makers across the country, found that only about half of firms have implemented other critical policies such as incident response, security exception, business continuity, and acceptable use.
Neglecting integral IT and cybersecurity policies can put data at risk. Here’s a look at the four most commonly overlooked policies and areas they should cover:
Incident response is the methodology firms use to respond to and recover from breaches. Developing an incident response plan helps law firms recover as quickly as possible and reduces the amount of damage from cyberattacks.
A good incident response plan should begin with a review of current cybersecurity policies and risk assessments to determine which vulnerabilities need to be addressed. It should also specify the tools and procedures used to identify threats. Once a threat is identified, the plan should describe how to contain it. Finally, the plan should include instructions on how to eliminate threats and the actions the firm must take to recover, including steps for restoring systems and communicating incidents to the appropriate stakeholders.
In certain situations, exceptions to security policies may be requested by someone at the firm. Exception requests are typically driven by client requests or requirements, personnel needs or technology restrictions. Security exception policies should include how to request an exception, what kinds of exceptions can be granted and for how long, and how the exception will be tracked.
Many law firms were forced to put their business continuity plans to the test in 2020. According to the 2021 Law Firm IT Scorecard, only 52% of mid-sized law firms have a business continuity plan, which means almost half of firms either lacked a plan or had to develop one as the pandemic unfolded.
Continuity plans should include a clear roadmap of how to handle events such as fires, natural disasters, team member deaths or global pandemics. The plan should cover as many potential contingencies as possible. What will you do if the office’s IT system is destroyed by tornado damage? Or, as many of us experienced, how will firm members secure client data and communicate effectively during an abrupt transition to remote work? Creating specific plans for disruptions will help staff continue serving clients with little down time if incidents occur.
An acceptable use policy outlines the restrictions and practices that users must agree to in order to access firm networks or the internet. Having an acceptable use policy ensures employees understand their rules and responsibilities regarding the use of firm hardware and software. It should outline unacceptable uses of all technologies, access guidelines for members and staff, personal device use, and telecommuting procedures.
It’s also recommended that firms require staff to report cyberattack attempts or suspicious activity to the appropriate contact(s).
Empower your workforce through ongoing training programs
Once robust IT and cybersecurity policies are in place, it's imperative to train. A comprehensive training program ensures a firm's documented IT and cybersecurity policies are understood by all employees, details the tools the firm has in place, and explains the many ways staff can be exploited. This training should be part of employee onboarding to ensure new employees are aware of and understand these policies. The program should also include monthly refreshers in the form of newsletters or videos and quarterly follow-ups that detail the most recent methods used by cybercriminals.
In addition to reducing risks and potential costs associated with cyberattacks, policies are critical to firms’ public image and credibility. Clients, partners, shareholders, and staff expect that their firm can protect its sensitive data. Establish, document and train staff on policies to keep your firm – and your reputation – secure.
Gulam Zade is the CEO of LOGICFORCE, a legal technology consultancy that serves law firms across the country.
Reprinted with permission from the 3/29/21 issue of Mid-Market Report. © 2021 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
Read the original article here: https://www.law.com/mid-market-report/2021/03/29/does-your-law-firms-it-strategy-include-these-commonly-overlooked-policies/