Tony Rushin returns for another guest post. Tony has spent his career in technology: this is his third of five posts on reducing cyber security risks. You can find his first post here and second post here.
Once your law firm has achieved strong support from leaders, you can devise a comprehensive data security policy that will guide the behavior of all team members. Policy is one of the four keys to reducing your firm’s cyber security risks. The following list shows some common best practices to include in your policy:
- Employee handbook that emphasizes security issues of all types
- Ongoing training for current employees to reinforce old policies and implement new ones
- Appropriate background checks and screening of potential new hires
- Regular training sessions and firm-wide communications to review security policy and discuss questions (e.g. “How can I tell if it’s safe to click on a particular link?”)
- Enforced password policy across all devices: desktop, laptop, tablet and phone (note: a moderately complex password policy that is enforced is much better than a complex password policy that is not enforced)
- Rules for screen locks when team members leave their desks
- Complete prohibition on the use of public Wi-Fi spots. These tools are inherently unsafe and should never be accessed with a device that is used for work.
- Required enablement and use of security and encryption options built into devices. This includes fingerprint readers, idle and timeout features and other safety precautions.
- Perform regular risk analyses
- Create exit policies and procedures governing employee termination or resignation to ensure access to data is eliminated immediately
- Restrict access to data based on job description as well as security clearance
This is in no way meant to be a complete description of what your security policy should include. There are hundreds of different policy elements that might be necessary and appropriate at your firm, and every organization’s needs are different based on size, focus, work protocols and other factors.
In future articles, I will dig into the two other keys to reducing your firm’s cyber security risks: prevention and detection.
Tony Rushin, Vice President for Network 1 Consulting, has spent 30 years in high-technology sales & marketing, from IBM to start-ups. Network 1 is an IT support company in Atlanta that becomes – or augments – the IT department for law firms and medical practices. You can reach Tony at 404.997.7633 or firstname.lastname@example.org.