It’s all too common lately to read or hear about cybersecurity breaches in organizations. And the causes of most data breaches aren’t complicated. An employee opens an email that promises something desirable. Someone never turns off their workstation. Files are downloaded for non-business reasons from questionable sites. The list goes on.
Because firms are storing – and are asked to store – more sensitive data than ever before, your staff has to be the first line of defense in storing and protecting that data. This can be done through policies that encourage staff, employees, and subcontractors to be aware of how important security is in their firm:
1. Educate, educate, educate
When you have staff meetings, take some time to train your staff on simple procedures to keep data secure. It doesn’t have to be a long or complicated process. In fact, simple is best. Inform them of how to recognize threats. Provide examples of how viruses, malware and other threats can expose their personal information (social security numbers, HR information). In the case of law firms, remind staff that breaches in data security go right to the heart of two major rules in states’ Codes of Professional Conduct – rules that can cause attorneys to lose their right to practice law and shut down a firm.
2. There’s No Shame In It…
Everyone needs to be aware of best practices and firm policies regarding computers and data storage. They need to know what can be stored – and what shouldn’t be there. They need to understand why passwords are necessary for accounting, time & billing, CMS, practice management and other software programs. They need to know why passwords should be unique and why they shouldn’t be shared with others or be easy for others to figure out.
However, even with the best plans in place, mistakes happen. In such instances, unless the consequences are malicious or egregious, it’s important to keep a positive atmosphere. Correct the problem, educate the staff member, and move forward. You’ll get more cooperation from staff if they feel free to ask questions without fear of shaming or retribution.
3. You have passwords. Use them.
It’s hard to understand the pushback we see when we set up passwords for time & billing, accounting, practice management, CRM and document management programs. They only contain your clients’ most sensitive data. What could possibly go wrong by not using passwords and leaving programs and data wide open and easy to access by someone who isn’t authorized to see that data?
Well, here’s the answer: In January 2012, the FBI visited the offices of the top 200 law firms in New York City. Agents sat down with partners and said, “We’re not telling you how we have all your files, but it was very easy to acquire that data from your systems. Now let’s talk…”
It’s one thing to get the attention of your State Bar Association. It’s quite another to come to the attention of the FBI. We advise you to avoid this scenario.
4. Set Clear Boundaries on What May and May Not be Done With Firm Hardware
This is the toughest of all our suggestions to implement. The lines between business and personal use of desktops, laptops, tablets and smartphones that are firm property have become very blurred, particularly when a firm allows a BYOD policy. Establish a policy and enforce it. Make staff aware of firm policies during the hiring process and during their tenure. Work with your IT-Consultants to block access to personal social media, non-business file sharing sites (remember WikiLeaks?), and other non-business (and inappropriate) sites. Jailbreaking of devices should be forbidden. Instruct staff that hardware provided by the firm is not to be used by anyone other than themselves.
One of our partners let us know that another one of their clients got a CryptoLocker virus last week. It locked up all their data. Paying the “ransom” is no guarantee that you will get it back. If your firm invests in anti-virus software, firewalls and other security measures, it is just as important to train your staff to recognize threats and prevent them from happening.
We at Eastern Legal Systems (877-ELS-0555, info@easternlegalsystems.com) would be happy to work with you and your IT-Consultants to increase staff awareness of the importance of keeping confidential data safe and secure. Call or email us to schedule a Lunch’nLearn session or request in-depth training sessions on a specific program.
Dana Riel is President and Founder of Business Solutions, Inc., serving the Washington, D.C. metropolitan area since 1985. Her firm is the authorized training center for the region for Time Matters and PCLaw by PCLaw|Time Matters, PLLC; Timeslips and Sage 50 Accounting by Sage Software; and QuickBooks by Intuit Corporation. She also serves as a consultant for Caret Legal (formerly known as Zola Suite), CosmoLex, Soluno & TimeSolv. As a trainer, Dana has provided training services to organizations such as the DOD Defense Logistics Agency, Judge Advocate General’s Office (JAG)/Department of the Navy, University of the District of Columbia School of Law, U.S. Department of Commerce and the U.S. Department of Veterans Affairs, as well as with small‐ to mid‐size law firms in the Baltimore‐Washington D.C. area. In 2009, she participated in the series of day‐long seminars sponsored by the District of Columbia Bar Association Practice Management Section, titled “Basic Training: Learn About Running a Law Office”. Ms. Riel also served as an Adjunct Professor in Georgetown University’s Paralegal Studies Program, having taught the course, “Legal Ethics/Legal Technology” in 2009; and “Legal Technology” for the Spring and Summer Semesters of 2010. She presently serves on the Advisory Board for PCLaw|Time Matters, PLLC.