Take a practical approach to securing your firm’s data by assessing how and where your data is stored, then implementing policies to protect it. Here is a cautionary tale from real life:
Federal prosecutors in Manhattan have charged three Chinese citizens with making more than $4 million by trading on information they got by hacking into some of the top merger-advising law firms in New York. The three men targeted at least seven New York law firms, stealing emails of partners who work on mergers. We can expect that these firms have made New Year’s resolutions to improve their data security.
Hackers’ ability to breach the defenses of big law firms in search of confidential information has long been a concern of federal authorities. “This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world,” Preet Bharara, the United States attorney in Manhattan, said in a statement. “You are and will be targets of cyberhacking because you have information valuable to would-be criminals.”
Even if your practice is not in mergers and acquisitions, your firm’s cache of Social Security numbers, negotiation details, IP and trademarks, HIPAA-sensitive data, confidential financial information, and bank account numbers is of the highest interest to hackers, who can sell this data in the digital underworld or use it for their own benefit.
Here are timely suggestions from Rebecca Sattin, CIO of World Software Corporation, the makers of Worldox. An expert in law firm technology, she was previously Director of IT for Mitchell Silberberg & Knupp LLP, a full-service firm for entertainment clients (IP, Litigation, Labor, T&E, Immigration, etc.).
First, establish policies for classifying data; classification is a necessary step toward securing that data.
Start by understanding where your data is stored and who has access to it:
- Is it on premises or in the Cloud?
- Is it on Mobile Devices?
- Is it on Laptops?
- Is it on File Sharing products like Dropbox?
- Is there control over who sees sensitive data?
Then implement policies to control and protect that data:
- Does your firm have standards by which documents are saved and organized?
- Do you have a Document Management System that controls where documents are stored and who has access to them?
- What about paper? Are loose papers sitting in conference rooms?
- Does your firm have retention policies for your paper files?
- Do these same policies apply to your electronic files?
- What about email retention?
- Are your laptops encrypted?
- Do you have the ability to only wipe firm content?
- Do you have the ability to remotely wipe the device if it is lost or stolen?
- Do you allow mobile devices to be backed up to an IT provider’s Cloud? (Apple, Google, Microsoft, Verizon, T-Mobile, etc.) This carries an additional risk.
- Are all mobile devices encrypted? Android requires extra steps.
- If you use laptops, does the firm own the laptop?
  - Is the laptop encrypted?
  - Does the firm have the ability to remotely wipe a laptop if it has been lost or stolen?
- Do you have a file sharing product that you use for business?
- Have you read the license agreement to ensure that you are not compromising the data of your firm or your clients?
Document Management Systems such as Worldox and NetDocuments (among others) let you set retention policies and force documents and emails to be saved into a protected document store.
We suggest you start the New Year with a Resolution to Secure your firm’s data. To help you assess the firm’s risks and recommend solutions, contact Crosspointe Consulting at 877-357-0555 or email us at firstname.lastname@example.org.