Getting to grips with information security – a quick start guide
3Kites’ Jon Howells offers practical steps for law firms to tackle an issue that can seem overwhelming
When thinking about information security it is easy to become quickly overwhelmed. With the vast array of threats that exist and a large number of different ways to protect your data and IT systems, it is easy to understand why you could consider finding some sand to bury your head in. Obviously, this is not recommended, and approaching information security in bite-size chunks is probably a better way to go.
We recommend beginning by identifying the information you hold, where it resides, who has access to it, how it is secured and what retention policies are in place. This should be followed up by the creation of a risk log to help you identify the risks your data and systems face. While some of these will be standard to most firms (e.g. loss of a mobile device), there may be specific risks for your firm’s work types that should be considered.
Unfortunately, it is not just your own information security you need to be aware of, there are increasing examples of supplier firms being targeted: this may provide easier access to any data being stored by suppliers on your behalf and for legitimate purposes. A good example of this is the recent attacks on barristers’ chambers putting at risk data they hold for law firms and others.
But who should be responsible for managing this? While an IT person/team may find themselves being tasked with responsibility for information security activities, consideration needs to be given to whether the skills of your IT team fit the role and if they have the relevant status within the firm to encourage/enforce any required changes in working practices. It must be remembered that this is not just an IT issue but also a business issue and the firm’s management team should take an active role in what is being done to secure the firm’s systems.
•Recognise that information security is not just for the IT team to consider. It is a firm-wide issue that should be considered at the management level.
•Add security as an agenda item to the firm’s board meetings.
•Allocate a senior member of the firm to lead information security within the business.
•Document the data stores and systems you have and where these are located, e.g. on premise or with a cloud/service provider.
•Ensure policies and procedures are in place for managing the lifecycle of your data, from inception to destruction.
•Create a risk log, detailing how these risks are managed-this should be regularly reviewed.
•Document your suppliers and other third parties who have access to your firm’s systems and data. Ask how they secure your information.
•Put in place regular staff training on information security issues. This is arguably one of the most important and effective steps you can take.
•Implement Multi Factor Authentication (MFA) to access your systems.
•Consider accreditation such as Cyber Essentials.(If formal accreditation is not for you another option is to review the ISO27001 requirements and try to align your processes to those you think relevant to your business.)
•Find a good information security partner to help you stay abreast of the ever-changing IT security landscape.
3Kites is hosting a seminar on fractional IT management for small and medium-sized law firms on 28 April. Please contact the author using the email email@example.com to request a place.
Jon Howells is a consultant at 3Kites. This is the third article in the series Navigating Legaltech.
3Kites is an independent consultancy, which is to say that we have no ties or arrangements with any suppliers so that we can provide our clients with unfettered advice. We have been operating since 2006 and our consultants include former law firm partners (one a managing partner), a GC, two law firm IT directors and an owner of a practice management company. This blend of skills and experience puts us in a unique position when providing advice on IT strategy, fractional IT management, knowledge management, product selections, process review (including the legal process) and more besides.