ABA Techshow

How to avoid security risks without going broke

David Ries and Sherri Davidoff at the “Security Practices That Won’t Bust Your Budget” panel at ABA Techshow 2019 in Chicago. Photo by Amanda Robert.

During a panel at ABA Techshow 2019 on Thursday, Sherri Davidoff told the audience: “The most effective things in cybersecurity are free.”

At the Chicago panel, “Security Practices That Won’t Bust Your Budget,” Davidoff, the CEO of BrightWise and the founder of LMG Security, and David Ries, of counsel at Clark Hill, who practices in data protection law and litigation, outlined five data breach risk factors that attorneys should keep in mind: retention, proliferation, access, liquidity and value.

Davidoff pointed out that the risk of a data breach increases with the length of time that data exists, while Ries said the risk increases if copies are stored in several different locations. Ries said the risk also increases with the number of people who have access to the data. As for liquidity, Davidoff defined it as how easily data can flow from one place to another, explaining that the more liquid the data, the more likely hackers can siphon it off and sell it online. In addressing the fifth factor, she said the risk of a data breach increases with the value of the data.

“That’s an important takeaway; it’s not people playing around or going after you necessarily,” she said. “We’re talking about organized crime groups that are going after anyone they can and reselling data on the dark web.”

Ries added that small law firms are typically targeted for money or for information that can be converted to money if they represent celebrities or high-profile criminal defendants.

Davidoff and Ries told the audience that the cheapest and most effective way to minimize their risk is to minimize their data. They offered several ideas for how this could be accomplished.

Davidoff suggested that attorneys store less data and delete data that they don’t need, while Ries recommended that attorneys classify their data, based on its level of risk, and take inventory of where and how long they store it.

“The concept is pretty simple, and in a small firm, it takes time rather than expenditure,” Ries said.

“Then you can tell your clients: ‘We keep your data for five years or seven years,’ and that is your policy across the board,” Davidoff added. “Then they won’t be surprised when you don’t have it 10 years later.”

Davidoff suggested that attorneys create a data map and retention policy, so they can decide upfront which data they store and where it is allowed to go. She said they should also keep a record of when they delete information in case of a data breach or in case a client asks about it.

Ries said attorneys also should implement a comprehensive cybersecurity program that is appropriately scaled to the size of their firm and the sensitivity of their information. It should include an incident response plan that outlines steps that have to be taken if a data breach happens.

He explained that attorneys can base these programs on two sets of standards commonly used by law firms: the National Institute of Standards and Technology’s Cybersecurity Framework or the International Organization for Standardization 27000 series standards. Smaller firms may prefer less complex guidance from the Federal Trade Commission, he said.

Davidoff highlighted the importance of centralizing data, especially now that so many attorneys work remotely. If attorneys handle business from their personal computer or mobile phone, she said, they have to be wary of the potential threat of viruses and fully wipe those devices when they dispose of them. They also should utilize password managers, such as LastPass (https://www.lastpass.com/business-password-manager), as well as multi-factor authentication, encryption on mobile devices, and business versions of cloud services, which typically are more secure than consumer versions.

“There are cost-effective ways to deal with most things in security,” Ries said. “Dealing with policies and procedures and training can be done with little to no cost, but you have to spend the time and effort to do it.”
