What is “good” IT security, and how do I get it?

While advancements in technology, IT and the internet have made many everyday processes easier, they have also brought with them new challenges and new dangers.

Storing everything electronically allows for instant access, managed distribution, and ease of use, but it also raises the risk of compromise.

While many law firms consider implementing new security products, they often don’t understand whether they need them and what value they will provide.

Understanding the basics of online security, your risk factors, and how security exposures may impact your business are all pivotal to help you get the cost/risk balance right — enabling you to achieve ‘good’ security for your firm.

Being clear on what you are protecting will get you closer to being secure. Think about it this way – if your safe contained $1m, how much would you spend to protect it?

Think you know IT security? Think again

While it’s true that some firms might have ‘tighter’ security measures than others, IT security can’t be measured on a single scale. When trying to comprehend their firm’s security, many will ask, “How safe are we on a scale out of 10?”

It’s an understandable request, but it’s an impossible one to answer. There’s nearly no limit to the amount of security you can implement, so you will never be able to reach a score of 10. And what’s to say you need to? A ‘10’ for someone else might be the equivalent of a ‘7’ for you.

IT security is not as simple as whether your system is secure or not. IT security is about whether you have the balance right between cost and risk for what is being protected and whether you understand how you will respond if a security breach occurs.

Not articulating your security expectations properly will lead to poorly managed security. This can mean compromised IT safety and an unacceptable risk of breach. And a breach eventually leads to:

  • Reputational damage
  • Inability to close cases
  • Client confidentiality breaches
  • Service downtime
  • Breached duty of care

These consequences become even more concerning when you realise that the most common way security is breached is through username and password guesses.

It is not a hard or complex scam – it’s not even rare. Using bots to submit hundreds of thousands of guesses a day, hackers can prey on weak security to gain information to be used against you or even sold on the dark web.

The 3 things to know before making a security decision

There are government guidelines that hint at some best practice security measures. However, many businesses choose not to follow them. This is because the measures are generic, the implementation steps are expensive, and actioning them can place restrictions on employee productivity.

But even if you don’t implement all the recommendations, picking and choosing a couple can be an effective way to beef up your IT security.

But before you do this, it’s important to understand some basic things:

  1. You can never be 100% secure

No matter how good your insurance or how carefully you drive, you can’t be completely sure you won’t have a car accident. The same can be said for IT security. Regardless of your security systems and practices, a breach could still happen, and being aware of this is an important step towards better understanding your security.

  2. More security = more time

The more intense your security measures, the greater the time commitment required from staff. Setting up multiple passwords and authentication steps, or restricting access to certain sites or capabilities, will slow down your staff. Considering usability and staff productivity is important when making decisions about the level of security measures you implement.

  3. Understand cost vs. risk

Because there is always a financial cost that comes with managing your security, some will write it off as an unnecessary cost and cut corners where possible. This decision is up to you, but understanding the cost of rectifying a breach and assessing this against the cost of reducing the likelihood of one is a good place to start before spending (or saving) any money.

[Figure: Good IT security – there is a unique balance between security and productivity]

Your IT security is what you make it

While it can be easy to get caught up in the fact that you’re never “100% secure”, it shouldn’t stop you achieving good IT security. Making the effort to understand your risk factors and the potential impact of a breach enables you and your IT provider to make security decisions that will:

  • Reduce risks of breach
  • Decrease impact if breach occurs
  • Meet your tender requirements
  • Maximise your security investment

As we’ve discussed, ‘good’ security is relative. But if you’re looking to decrease your risk factors and increase your peace of mind, there are a few things you can do:

  1. Use your competitors as a reference point – how do you want your security to compare to theirs?
  2. Understand what can be lost in a breach, and what impact that will have on your business
  3. Consider the need for your data to be online – if less was online would that reduce the impact of a security breach?
  4. Investigate if there are adequate restrictions on employee access to data, and if you can improve or increase restrictions (within reason)
  5. Consider how changes will affect staff and their ability to stay compliant
  6. Convey this information to your IT provider so they can work to match your security to your needs

Remember, IT is more than just IT – your processes, your practices and your systems are all intertwined and require a safe and secure environment to perform properly.

While IT security isn’t easy to measure or easy to understand, Innessco is a leading IT provider specialising in the needs of law firms. If you’d like to find out more about managing your IT security, get in touch with me via email or on +61 2 7200 4400.

Published: 2019-08-07