GPSolo Magazine - December 2003
There’s no way around it: Information security is a cost of doing business these days. Hackers, worms, and viruses are very real and substantial business threats, and insufficient or improper protection plans leave your practice vulnerable to costly downtime and theft—possibilities that loom no matter how large your firm. Given that one computer is just as open to infection as are one hundred, how can a small law firm tackle such a vast issue on a small budget?
The solution is one part good planning and two parts solid program enforcement. Good planning begins with a measurable objective. If your objective is simply to make your firm more secure, how will you know when you’ve succeeded? Security requires a maintenance and monitoring plan for the system, and a solid security objective addresses this need up front, for example: “We will reduce our risk exposure on our top five critical systems over the next six months.” In short, a good objective ultimately raises the question of where you stand right now.
Laying the Groundwork
Start the process by forming a security awareness team. If you’re a solo practitioner, you may want to contract with your IT provider to assist you with this process. The first step for the security awareness team is to assess your current security posture. The following questionnaire will give you a quick picture. Please note that these questions address only the bare necessities; larger firms with sophisticated needs should not use this questionnaire to gauge their situation. These questions address the issues of a small law firm with one location, fewer than 25 workstations, and no internal IT support:
1. Do you have policies addressing computer and Internet usage, and are they routinely enforced?
2. Do you use a firewall?
3. Do you use strong passwords (e.g., passwords more than eight characters long that contain non-alphanumeric characters and are not dictionary words)?
4. Do you use antivirus software; is it automatically updated?
5. Do you keep your servers and workstations continuously patched?
6. Do you actively monitor system logs and security alerts?
7. Do you have your system security reviewed annually by a third party?
8. Do you know how to handle a suspected security incident?
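Question 3 states a password policy concretely enough to be checked by a program, and a checker is a useful way to enforce it consistently rather than relying on each user's judgment. The following script is an added example, not code from the article or its authors; it implements the three criteria from the questionnaire (more than eight characters, at least one non-alphanumeric character, not a dictionary word) against a small constructed word list. In practice the `DICTIONARY` set would be replaced by a full word list such as a system dictionary file; that substitution is an assumption of this example.

```python
import re

# Constructed stand-in for a real dictionary file (assumption: a deployment
# would load a full word list instead of this handful of words).
DICTIONARY = {
    "password", "welcome", "lawfirm", "justice",
    "summer", "letmein", "attorney", "counsel",
}

MIN_LENGTH = 9  # "more than eight characters" means nine or more


def check_password(candidate, dictionary=DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes.

    The checks mirror the questionnaire's wording: length, a non-alphanumeric
    character, and not being a dictionary word.
    """
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append("must be more than eight characters long")

    # Any character that is neither a letter nor a digit counts (punctuation,
    # space, etc.); this is the plain meaning of "non-alphanumeric".
    if not any(not c.isalnum() for c in candidate):
        problems.append("must contain at least one non-alphanumeric character")

    # Strip everything except letters before the dictionary lookup so that
    # decorations like "Password1!" are still recognised as the word "password".
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in dictionary:
        problems.append("must not be based on a dictionary word")

    return problems


def is_strong(candidate, dictionary=DICTIONARY):
    """Convenience wrapper: True only when no policy check fails."""
    return not check_password(candidate, dictionary)


if __name__ == "__main__":
    # Constructed sample candidates, from clearly weak to acceptable.
    for sample in ["justice", "summer2003", "Password1!", "Tr0ub4dor&3"]:
        verdict = "ok" if is_strong(sample) else "rejected"
        print(f"{sample!r}: {verdict} {check_password(sample)}")
```

The dictionary test deliberately looks at the letters only, so a dictionary word padded with digits and punctuation does not pass; a real deployment should also treat these three checks as a floor rather than a guarantee, since a password can satisfy all of them and still be guessable.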
How to Grade Yourself
If you answered no to any of these questions, you have a significant hole in your security profile and could use some teamwork to figure out ways to address the missed sections. If you are truly facing the first step, check out the computer security division of the National Institute of Standards and Technology (NIST, at http://csrc.nist.gov). NIST posts practical security guidelines and policy templates for small businesses. If you answered each question affirmatively, you’re on your way to meeting the minimal requirements of a security program. Now that you know where you stand, it’s time to think about the future. The four phases of implementing a solid security program are planning, products, patching, and perpetuation.
A good plan includes an achievable objective, detailed action steps, and a list of measurable desired outcomes. Ask yourself what you would want in an ideal world, and then get realistic. Once your objective is clear, pull your security awareness group together and do the following:
1. Discuss your concerns, create a timeframe, and decide on desired outcomes.
2. Assign a budget—and then stick to it.
3. Commit your plans to paper.
Once you know where your weaknesses lie, an investment in security technology is a wise next step. Be mindful that the right product is a compromise between the right features and the right price; don’t be penny wise and pound foolish. A good product that is well maintained will address many of your security concerns. Research the various products. One easy way to do this is to check out Network Computing magazine (www.nwc.com), which provides informative, easy-to-read product reviews. The products you’ll be reviewing are appliance-based firewalls, antivirus programs, and (if you have remote users) VPN technology. Look for companies that have staying power. There’s a lot of consolidation going on in information security; as a result, buying from a small unknown company may be risky because the company or its product line is more likely to go defunct or be bought and shelved by a larger competitor.
Staying current on patches is an essential part of any information security program. A patch is nothing more complicated than a “hotfix” or code upgrade posted by software vendors such as Microsoft, designed to correct system flaws and/or security vulnerabilities. Typically, vendors notify users about hotfixes at their support website, where users can download a given patch. A bundle of multiple hotfixes is referred to as a “service pack.” The recent Blaster and Lovsan worms could have been wholly avoided had people simply patched their vulnerable Microsoft operating systems; consumers and businesses had over a month to do this yet failed to take action. Talk with your IT contractor about ways in which your firm can get patches applied regularly. Microsoft does provide some auto-updating maintenance programs. A word of caution, however: Patching does not always go smoothly. Some service packs, particularly those from Microsoft, have been known to take servers down or, at a minimum, cause service interruption. Have a professional on hand to assist you if anything happens. Also, perform maintenance only after office hours.
Information security is a never-ending process of fine tuning and remediation. Putting a firewall in place and forgetting about it is a surefire way to inspire the furies. Once your security team is formed, set a schedule for quarterly meetings to review the current state of information security, and then follow through on it. During the meetings, the team should address the following: Have there been any issues? How were they resolved? Do you have concerns about any particular areas? If you have the money, an annual assessment by a well-referenced information security practitioner can be valuable.
The bottom line is that there is no magic security bullet. One special note of caution: Although creating policies may be easy enough, consistently enforcing them is an entirely different matter. Once you figure out the basics, tactical product solutions can help—but only if they’re applied within a consistent framework of security awareness and program maintenance. Law firms that define policies, assign roles and responsibilities, utilize technical controls, and monitor and maintain their solutions will be far ahead of the game.
E. Kelly Hansen is the CEO of Neohapsis, Inc., in Milwaukee, Wisconsin; she can be reached at firstname.lastname@example.org. David Gloede is an information security consultant with Neohapsis. He can be reached at email@example.com.