By Leticia Mooney, Director, Brutal Pixie
The legal profession is one in which information security ought to be front-of-mind. The truth is that information security management feels difficult, gigantic, and not yet necessary.
As a content strategist, my daily trade is in information. I create it for readers, yes, but I also work in risk management, information governance, and digital projects like website rebuilds. In my long experience, it's extremely rare to work with a client who is serious about information security.
Information security management is a critical challenge
There are a lot of challenges facing the legal profession, but the most critical is one that most firms don't want to face. Data security is about more than having the right cyber insurance in case of a hack or a successful intrusion. It's about prioritising it inside your firm, so that every one of your projects has an information security layer to it.
Information security management is the unsexy brother of cybersecurity. It's less attractive because it asks you to really think about how you manage insecurity. It's the kind of thinking that gives you a headache before you even start, just like the hard thinking about strategic action and strategic growth.
Real-life example from a small firm
You might even think that this kind of thinking is unnecessary. Well, let me give you a real-life example. I will give the firm a fictional name: let's call it Rosie's Family Lawyers. Rosie had been working with a range of vendors to help her represent the firm accurately online. She had Search Engine Optimisation vendors, digital marketing vendors, and a content strategy company. She also had other vendors: business coaches, management advisors, and a range of others who had access to her online systems.
One day, Rosie got an email from someone in another country advising her that her website access details had been exposed because a digital marketer had saved them in his LastPass account. She did the right thing and sent it to me, asking whether or not it was legitimate, because she didn't know the online space or the language to use. When questioned, the person who sent the email explained that a group of digital marketers had bought SEMRush (search engine marketing software) on a cheap 'group buy' option. Access to SEMRush is provided through a LastPass account shared by the whole group, and one of Rosie's vendors had accidentally saved her website credentials in that shared account. This meant that everyone around the world who had bought into this 'group buy' now had full administrator access to her website, and that access had to be removed.
With this information, we were able to track down the vendor and resolve the situation. Since then, Rosie's Family Lawyers are taking their information security much more seriously.
When she stopped to think about it, Rosie's firm had, in its rush to become more efficient, neglected to think properly or clearly about its information security management. In the post-mortem of this event, in which we were involved, we realised that:
- The back-end of her website held sensitive information about clients
- That sensitive information was transferred to another database, which is cloud-based
- The known people with administrator access to the website included at least five people who were not her employees, and with whom she had no formal confidentiality or information handling agreements
- An unknown number of other people might also have access, including team members who work for her vendors.
What the firm learned from this experience
Rosie has since realised where the gaps are in her information security handling. Because she runs a small firm, she didn't think having policies was even necessary: It seemed a waste of time.
Without having done the thinking ahead of time, Rosie had no idea how to respond. If she hadn't had a trusted advisor like me, she would have tried to bumble through this territory all by herself. What she realised is that there was no structure around how vendors are engaged, or how they agree to work with (and handle, or even access) client information in her online systems. She didn't have a structure for managing the information security knowledge of her staff. She didn't have any business systems, risk assessments, or evaluation processes that could have helped her if she had been doing this on her own.
If I had asked Rosie how her firm performs against international standards for information security management, she would have laughed me out of the room. Knowing this, though, is a fantastic way to start thinking about what your firm needs to do first.
Here are some really common situations for which many firms don't have any structure:
- Files held in cloud services like Dropbox, which makes the information subject to the laws of other countries
- Cloud-based databases (Google Drive, Office365, and others) that may store your client information internationally, making that information subject to the laws of other nations
- Automated information gathering on websites, with the results stored in website databases that don't have the right levels of security
- Outsourced writers, marketers, advisors, web hosts... the list goes on.
What do you do if your information security management is poor?
The first and most common reaction is to shut all the online and cloud systems down - at a great cost to firm efficiency, and without thinking of the realities of 21st century business.
Shutting things down is not the solution. Embracing the opportunity to improve your firm is the right thing to do. To be blunt, you are better off thinking, 'What can we do?' rather than, 'We need to shut everything down'.
If you don't have a policy, your first step is to put one in place. Draft it and get your teams to comment. Inviting collaboration in policies like these results in policies that everyone in the firm can own, contribute to, and improve.
The second thing you need is support from your most senior leadership. If your firm’s staff don’t see support for it at the highest end, will they take it seriously? It’s very unlikely. Conversations about information security management can be added to team mentoring or coaching sessions, where you can ask for feedback, improvements, or suggestions.
You can also start identifying smarter ways of gathering and holding information, knowing that in the current economy outsourcing is a real and valuable option.
Cyber security software teams will happily tell you how many companies recover from data breaches, system lockdowns ahead of ransom demands, and other piratical events. The number is extremely low: When you think about what would happen if all your systems were offline, and about the reputational damage, it's very unlikely your business would recover.
But there is opportunity here, too. Instead of burying your head in the sand and hoping it goes away, own up to it and get things moving.
If you do just one thing today that moves your information security management forwards, you're one step closer than you were yesterday. The first place to start is with your policy and most senior management: Because once your leadership takes it seriously, everything else will start to fall into place.