Posted Jul 01, 2012 06:25 am CDT
Computer security can often feel overwhelming and scary; writers and speakers emphasize what seems to be an endless list of risks and dangers. It’s hard to know where to begin.
Well, a good starting point is simply to find out where you stand. If you can assess what your security issues really are, you can reasonably take steps to address the specific risks you have rather than worry about myriad dangers, many of which might not apply to your situation. With a good baseline assessment, you can set priorities, address your biggest concerns and sleep a little better.
While there are some do-it-yourself tools available to get you started with an individual PC (such as ShieldsUp), in a law firm setting it makes good sense to consider getting professional help. The terms of art in this area are “vulnerability assessment,” “vulnerability testing” or, sometimes, “white-hat hacking.” The term white hat is used because you hire the good guys to try to break into your systems in the same way the bad guys might.
Vulnerability assessment can take a number of forms, but you essentially hire an outside firm to run through a series of security tests and give you a report on the vulnerabilities their technicians find. They will follow their standard template or customize to your specific concerns. In a sense, they are testing the same attack vectors a black-hat hacker would use.
Many lawyers think vulnerability testing is something only a large firm might do. But there are serious concerns about system break-ins at firms of all sizes. Besides common examples like family law firms with clients in bitter divorce battles, there are indications law firms are targeted as more easily hacked for sensitive information than well-secured corporate systems.
Data breaches can be time-consuming, publicly embarrassing and costly to deal with, and they might require notifications and even law enforcement involvement.
Sharon Nelson, president of Sensei Enterprises in Fairfax, Va., which performs vulnerability assessments for law firms, says pricing can vary for assessments. Her company uses a flat-fee approach based on the number of computers being assessed. A small firm could get a standard assessment and report for a few thousand dollars.
A final vulnerability assessment report should outline areas of concern and steps for remediation. With the report, you can set priorities, handle the areas of highest risk and come up with a reasonable strategy to become more secure, especially if you handle sensitive client information. You might use the assessment firm for remediation or use a different company.
And since security is a process rather than a destination, vulnerability assessments should be performed from time to time on a schedule that makes sense for your practice.