Let’s face it, law firms are one of the most targeted businesses for cybercriminals, since lawyers handle extremely sensitive data every single day. So what’s the best way to go about securing your law firm’s technology? Which is the most important of the three: IT security assessments, penetration testing, or employee training? These are questions that we hear a lot when it comes to helping law firms secure their work data.
Let’s start with penetration testing. It might be unnecessary. For most solo or very small law firms of only a few lawyers, this is probably overkill unless you have major league clients or extremely high-value data. In penetration testing, you are asking an IT company to pretend they are the “bad guys” and attack you – it is scary stuff, and tends to be expensive. The company will generally require a “get out of jail free” agreement, saying that they are not liable for any damages resulting from successful compromises of your network.
An IT security assessment (also called an IT security audit) is far less expensive. The assessment is usually done using software tools and involves a thorough review and scan of your network. The result is generally a well-formatted, easy-to-read report identifying your most critical vulnerabilities, medium-level vulnerabilities and low-level vulnerabilities. As a rule, it tends to come with a proposal for (at least) remediating the critical vulnerabilities along with the estimated cost. It’s a great way for law firms to get a sense of where they are at with their cybersecurity, as well as make choices for how to button down the vulnerabilities. We believe it is wise for lawyers to do these assessments bi-annually, using a certified third-party cybersecurity company. Many law firm clients and cyber insurance companies are beginning to require these assessments as well.
There is no getting around the absolute need for annual employee cybersecurity training. It is generally fairly inexpensive and covers the basics of current threats. Topics usually include practical ways to avoid clicking on suspicious links/attachments, going to sketchy websites, giving information over the phone or by email (also known as being duped by “social engineering”), and many other easy-to-make mistakes. A solid hour of good training each year is a small price to pay for educating your employees and creating a culture of cybersecurity.
Encompass IT Solutions provides both IT Security Audits and Cybersecurity Employee Training courses and lectures, which are perfect for any law firm or business that is concerned about the security of their technology. Give us a call at (860) 785-6233 or email us at info@encompassit.com to set up a free consultation.