Data security is challenging even for the largest firms with seven-figure IT budgets. For smaller firms, many of which do not have IT departments, let alone network and data security experts on hand, developing and maintaining appropriate security policies and procedures are that much more difficult. But no less important.
“Because a lot of our clients didn’t have in-house IT departments, there is hardly any look-back at their state of security, so for our managed services clients, 35*45 Consulting performs regular security checks, a sort of ‘state of the union,’” as Partner Randall Williams refers to it.
For firms with three to one hundred staff, the security audit and initial discovery session is the best first step in understanding their security strengths and areas of vulnerability. Consultants will often begin with a network scan and interview questions about what security measures are in place.
To safeguard privileged information and personally identifiable information (“PII”), firms will also “classify data” types that need special security provisions. For example, a tax practice will hold client financial information, and a healthcare practice will hold information protected under HIPAA. Payment Card Industry (“PCI”) Data Security Standards must also be met by firms that accept credit card payments from their clients, unless those payments are transmitted solely through a third-party system such as LawPay.
Failure to appropriately address these issues can have real consequences, and not just in terms of security risk. Less-than-acceptable security can result in either very expensive cyber insurance riders or outright denial of coverage. And of course, there is the duty of care and expectation of competency required of all legal practitioners and other professional services providers.
What Can Your Firm Do to Stay Secure?
The good news is, law firms are not expected to obtain ISO 27001:2013 certification for information security or be audited under SSAE 16 (SOC 1 – Type II) and AT 101 (SOC 2 – Type II) standards. (Yikes!) That said, you do have to demonstrate a reasonable and sound attempt to safeguard data under your control, which is not as easy as ticking the boxes on a checklist, as many of the regulations concerning data security are vague. So how do you achieve a professional-grade level of security? Firstly:
- Know your current state.
- Assess the areas of needed improvement.
- Put in place a process to get to an appropriate security posture, and
- Understand that the end zone is constantly moving away from you. Know that it is a process that needs to be monitored and updated as the IT environment, and the firm, changes.
Awareness of the security environment, how to improve it, and implementing those changes is an invaluable service provided by 35*45. At a top level, 35*45 will help you understand:
- What you are doing now.
- What you are capable of with your current technology. (There is often a gap between what the technology can do and how the firm is actually using it.)
- How to implement best practices.
When transitioning to the cloud, a Software-as-a-Service (“SaaS”) environment may be the best next step. This not only transfers a lot of security management to the cloud provider, but also provides great business and operational benefits and improves business continuity and disaster recovery capabilities.
Our security and engineering team at 35*45 Consulting will lay it all out, and their findings will guide recommendations that put your firm on a proper security footing. Most importantly, we understand both the needs and budgets of firms of all sizes and know how to create a multi-year plan that spreads out the cost of implementation while respecting work preferences and culture.
We deftly help our clients find, implement, and manage the middle ground between what technology can do, what the firm can do, and what people are willing to do, tempered by an understanding of the best practices associated with data and network security.