LegalSEC® - Cybersecurity

LegalSEC™ Blog: Security Awareness Training

By Carlos Rodriguez posted 11-14-2012 09:17


"Companies spend millions on firewalls, encryption, and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain."
Famous hacker and social engineering master Kevin Mitnick


Good morning all. I hope you’ve wrapped up budgeting season, so you can prepare to have a pleasant holiday. I am not done yet, but will get there soon. I want to take a moment to wish all of our members and friends in the Northeast a rapid recovery from Super Storm Sandy. You guys inspire us to keep moving forward, reminding us that after a storm comes calm and that we should say thank you every day for everything that we have in life. I also want to apologize for the delay in getting this information back to everyone; unfortunately, some of us have been through changes of a different nature and got behind on this task. We hope you understand and that perhaps this post can still help bring up new items for your “holiday shopping list”, a.k.a. initial 2013 budget.

I had the pleasure of participating in an incredible workshop on information security during our annual conference in National Harbor, titled “A LegalSEC Workshop: Security Design and Implementation Best Practices.” This was a provocative session where attendees were at the center of the discussion. The idea behind the discussion was to hear everyone’s concerns around this topic. We had three magnificent Legal Technology Professionals leading the discussion, and I want to thank them for such a wonderful job, both personally and on behalf of our community. They are Mark Brophy of Rogers Townsend & Thomas, who led the discussion around Security Awareness; Judith Flournoy of Kelley Drye & Warren LLP, who led the discussion on Security Policies and Procedures; and Tim Golden of McGuireWoods, who led the discussion about Technical Controls. These folks instigated some awesome discussions and gathered great input from our amazing audience, whom I want to thank as well. We are currently feeding that input into LegalSEC™.

So what we will do is present a series of three blog posts, one on each of the aforementioned topics discussed at the conference and on what LegalSEC™ and ILTA are doing about them. And since we are still in the first half of November, and because October is Cyber Security Awareness Month, we will start with:

Security Awareness

This is a hot topic for many firms at the moment. There is general consensus in the industry that this is the weakest area of a law firm because of “cultural issues,” a lack of understanding of how firm technology works, the intrusive nature of technology in the way lawyers work, a need for immediate access to information anytime and anywhere without considering risk, and many more reasons. You can buy all the technology and security controls that your budget allows, but the human factor is still the weakest link, and we need to address this problem for the good of the firm and because clients are demanding it through their security audits. Here is what we heard from you and what we are doing about it.

Development of Content Library for Membership: Here is the thing: not only are we having trouble educating our workforce, we are struggling with HOW to do it, because this is new to all law firms. Here is what we heard are critical needs and what we are doing about each of them:

What you said you need: Syllabus for Security Awareness Training

LegalSEC™ Action Item:

We have put together a team of volunteers and vendors that will help us develop content and a syllabus that we can feed to the membership.

We will release the first set of policy templates in the next few weeks, which include a Security Awareness Policy.

We believe a more effective way to deliver training is by segmenting the audience based on their needs:

  • Attorneys and Executives training
  • Targeted Training per Practice Group
  • General Security Awareness for all employees
  • Security Awareness Training segments included in employee/attorney orientation

What you said you need: Methods for delivering content

  • Use of Multimedia
  • Simple is better
  • ILTA Communication
  • Tying ethical issues & obligations for attorneys to training

LegalSEC™ Action Item:

We will make recommendations on the method and frequency for delivering content depending on the audience. Some are:

  • Email
  • Leverage the firm’s LMS
  • Multimedia
  • LegalSEC™ newsletters and webinars
  • Internal and external blogs
  • Delivering CLE-based content
  • More Peer-to-Peer articles and LegalSEC™ Whitepapers
  • Deliver content around Risk Management and Information Governance
  • Drive non-technology employees to local meetings

What you said you need: Assistance in obtaining Management Buy-in

  • Sample Letter
  • Cost Analysis/Risk Management
  • Polling of client demands
  • Marketing assistance
  • State Bar Association/Court Opinions database creation: a single location where membership can help keep track of liability decisions

LegalSEC™ Action Item:

We recognize that this is one of the biggest challenges that we all face in Legal Technology, and especially with regard to Information Security.

  • Sample Letter
  • Best practices for conducting Cost Analysis/Risk Management Assessments
  • Leverage client demands
  • Working with your marketing department
  • State Bar Association/Court Opinions database creation: a single location where membership can help keep track of liability decisions

Other:

Identify Attorneys that are subject-matter experts as speakers at the ILTA conference and other events.

2013 will be the debut of LegalSEC™ Summit, a one-day Information Security conference in Chicago.

This issue, like in any relationship, is a two-way problem. Lawyers are not the only people we need to educate. We believe it is equally important to educate technology folks and other staff on attorney obligations and on topics such as Ethics 20/20 and the Model Rules of Professional Conduct.

How to monitor and maintain a sustainable Security Awareness Program effectively: Plan-Do-Check-Act.


Our next post will cover how LegalSEC will help firms develop their Security Policies and Procedures. Until then.

Best regards,

Carlos Rodriguez
PGVP, Servers Operations & Security
Chair of LegalSEC™ Committee



#LegalSEC #ServerOperationsandSecurity

Comments

11-15-2012 11:29

Couldn't agree more, Gil. That is why this area is one of our main objectives. In the end, an educational program of any sort seeks to modify behavior. That’s the goal.
I appreciate the feedback.
C.

11-15-2012 10:20

By fostering Security Awareness in staff and attorneys, we can provide the groundwork for most security initiatives. Security Awareness, at a generic level, provides staff and attorneys with basic information about the risks and mitigations, i.e. the "why" we need information security controls and the "what" of those controls.
Once that foundation is in place, or at least started, it becomes easier and easier to explain the rules (the policies, standards, guidelines, and procedures) that we can begin, working with the business departments and attorneys, to implement.
And with the rules in place, or at least started, we can more easily explain the controls that are needed to carry out those policies.
It's like learning to read: first you need to learn the alphabet (awareness), then you learn the rules of putting together the letters to form words (policies), and then you can finally really start reading (controls).