Applying some basic legal skills can be really helpful for law firms as they move forward with their cyber security priorities. Lawyers tackle new matters all the time and no two cases are alike. There are factual issues to master, legal research to conduct and a plan to prepare to guide the transaction or litigation. Making assumptions, even when based on past experience, can be a serious error for a lawyer. A fresh case requires a fresh mind.
That same attitude can successfully guide a law firm on the path to cyber security.
Start by being certain you understand the facts of your cyber security “case”. Cyber security is all about protecting the information that sits within your computer network, including the equipment in your office(s), cloud storage and portable devices. So, a law firm has to master the following sets of facts:
- How do you work? – Be sure you really understand how the firm functions as a business enterprise. What types of employees do you have? What does each of them do? How does information travel among them? This concerns all the nuts and bolts of business operations.
- What data do you have? – This is likely to be a longer list than you think. There is client data, case data, employee data, payroll data, draft documents, closed case files, etc. Make sure you identify every variety.
- Where is your data? – This is a tricky one. Data will migrate to every conceivable part of your network, as files get created and updated, and as email attachments. This is why understanding how you operate is so important. Unless you can answer that question, you will never answer this one.
- Who has access to your system and your data? – A basic premise of cyber security is that no one should have access to files or software unless he or she needs that access in order to do his or her job. Identify all your users, determine what they must have access to and prepare to block their access to everything else.
- How do you access your system and your data? – The answer to this question includes your log-in procedures in the office and from remote locations. Does the firm provide smartphones or do employees provide their own? Can you insert a USB drive into a device connected to your network? Do employees use public wi-fi systems to connect while traveling? Can they log in from their home computers? Here again, the “how do you work” question looms large.
Achieving a deep understanding of the facts of your cyber security “case” will naturally expose some of the vulnerabilities you face. They will mean even more to the “expert witness” you should retain to help you win this case. Just like in any case in which real expertise is needed to help present and interpret the facts, you need a cyber security consultant on your side. Ideally, retain the expert as early as you can while assembling the facts and allow him or her to guide and assist with the process.
Now that you know the facts, you can proceed to the equivalent of your legal research: determining the best operational and technological steps to improve your cyber security.