As we continue our discussion on what, specifically, law firms can do to create a security program, we recognize that a number of firms are still lagging when it comes to basic technical controls that play a major role in combating data theft. Having all the policies and maintaining a culture of security counts for nothing unless you have the physical technical controls in place to keep hackers, employees and competitors from accessing your information.
While there are many steps your firm can, and should, take to improve your security posture, the following is a basic list of network controls you should have.
1) Firewall
A firewall is the digital locked door to your information. If you do not have one, it is the same as leaving all your legal documents out on the front porch with a sign that says “take anything you like.” There are many brands and price points out there that provide different levels of protection. A network engineer will help you understand what your needs are and what level of protection you will need.
2) Content Filter
Content filtering prevents access to websites you deem too risky or unnecessary for company productivity. Some firms will block access to Gmail, Yahoo mail, Facebook, Twitter, and other sites that reduce productivity. Some firewalls provide content filtering; however, while the protection they provide is considered ‘industry standard’, there are more advanced options available. There are devices you can purchase that will dynamically scan sites, run risk analysis on them, look for keywords, and block accordingly.
3) Spam Filter
A spam filter device is essential in today’s market. Spam filters will block thousands of phishing emails a day. The majority of viruses that get into networks come from phishing attempts, something a spam filter will prevent. The best solutions are filters that are maintained outside your network environment. This allows the software to filter potential viruses before they ever enter your environment.
4) Anti-Virus / Anti-Malware
There are more than 29 million known viruses and malware out there being blocked by anti-virus/anti-malware programs as of December 2014 (Symantec.com). Running a network without anti-virus/anti-malware is similar to drinking from a contaminated well.
5) Encryption
Encryption is a fairly generic term that covers a multitude of software solutions that look to ensure that information is only accessed by the individuals or systems intended to view or access it. If you maintain any personally identifiable information (client or internal / personnel), encryption most certainly needs to be a part of your security plan. For example, if you regularly email sensitive information to clients, you will need to explore email encryption options. If you regularly take systems or network backups off site, those systems must be encrypted before they leave the building. If you maintain client information on laptops, encryption should most certainly be employed. Encryption also represents a Safe Harbor to client breach notifications. Should a breach occur, if the exposed data has been encrypted, client notifications are not required. Be sure to refer to your state’s specific guidelines for full notification requirements.
Many different devices can keep you more secure and provide a better overview as to what is happening on your networks. Just remember, the above controls represent a bare-minimum defensive approach to cyber security. A more comprehensive approach should also involve persistent threat analysis, education, enforcement, and continual assessment.