Is Your Data Secure?
While that may sound like a simple enough question, it isn’t! There are many facets to securing data in a legal IT environment, and it is important to regularly review your policies, procedures and systems to confirm that they are up to date, including:
- Security Training. All employees should complete annual user security awareness training. Even if such requirements are in place, it’s important to make sure that they are actually met. Review your training records – whoever hasn’t taken the training within the past 12 months should be first in line to take it this year. All employees should be scheduled to retake the training at some point over the year. Your users are your first line of defense against threats, so educating them to think critically and to spot phishing/malware threats before they become problems is critical.
- Network Policies. Your users may be your first line of defense, but they can also be a weakness if they’re free to open your system to threats, even unintentionally. To help curb that possibility, you should review your network policies and update them to account for the changing IT security landscape.
- Passwords. Passwords are the most direct means of accessing data, and therefore they should be changed regularly. Administrative, user, and services passwords should be changed system-wide for the new year. Going forward, they should be changed on a regular basis. If you don’t already have a password-change policy, you should implement one in the new year, ideally requiring that passwords be changed every 90 days and that complex passwords be enforced upon change.
- Wireless. The same notion goes for your wireless network. If your network has a shared password, consider changing it for the new year and resetting it on a regular basis going forward.
- Administrative Accounts. You need to make sure that only active and necessary administrative accounts are enabled. Similarly, be sure that only active users and employees have access to your systems. An HR review of user accounts can easily identify valid and active employees; the IT department may not have been informed of all personnel changes.
- Upgrades. Schedule an upgrade now to ensure that your network is protected from the latest security threats and can take advantage of available functionality. Going forward, consider implementing a schedule for software upgrades, ideally every month and/or as critical patches become available.
- Equipment Review. Just like your software, your hardware should be up to date. Review your physical equipment and software, create a current inventory and add replacement dates to ensure you are planning for their eventual end of life. Discard equipment that is old or unused and make better decisions about your infrastructure needs going forward.
- Backup Systems. Backing up data and systems is crucial to security. Confirm the last restoration and BCDR test – when is the last time you checked to see if they actually work? Audit to ensure that your systems and critical data are, in fact, backed up and can be recovered if necessary. The best time to test is before you actually need it, or before your clients ask to see a record of successful testing.
- Anti-Virus Measures. Many firms rely on software to help keep out intruders and stop malicious attacks. Review the various anti-virus solutions, firewall systems, and host intrusion prevention systems that you have in place to make sure that they are not just up to date, but performing the tasks you need to meet your security objectives.
- Mobile Devices. Few areas have changed as drastically in the last decade as the expanded use of mobile devices. Chances are, your users are using multiple devices and have cycled through more over the years. Run a review of the mobile devices that have connected to your system, and delete or purge those that have not connected in a while. Mobile device management starts with active monitoring of exactly which devices are being used to access your systems and data.
- Physical Security. It’s important not to forget your physical environment. Take the time to cycle your locks, check your smoke, humidity and water alarms, test your UPS environment and ensure that your security cameras are covering all critical areas.
In an organization as complex and with as many moving parts as a law firm, there are countless factors that go into securing data. By starting with the measures outlined above, legal administrators can ensure that they are leading with their best foot forward.