The document summarizes responses from experts in the legal IT field on the biggest risks facing law firms. The experts identify the top risks as lack of operational risk management, data leakage, physical security issues, security awareness, managing confidential information across locations, and internet risks. When asked about risks as firms go global, most experts said risks will grow due to increased complexity. Differences in privacy laws by country were not seen as giving a large advantage to local or regional firms currently. Most experts anticipated security risks increasing over time due to changing technologies and environments. The top risky technologies were identified as voice over IP, mobile devices, flash drives, peer-to-peer technologies, web portals, and email. The economy is affecting security to
RSA Security Brief: Taking Charge of Security in a Hyperconnected World (EMC)
The new RSA Security Brief highlights that basic security lapses still contribute to most security incidents. The report identifies top areas for improvement and provides practical guidance on measures that deliver the greatest impact on organizations' ability to respond to cyber attacks and data breaches.
About RSA Security Brief:
RSA Security Briefs provide security leaders and risk management executives with essential guidance on today's most pressing information security threats and opportunities. Each Brief is created by a select team of experts who connect experiences across organizations to share specialized knowledge on a critical security topic. Offering both big-picture insight and practical technology guidance, RSA Security Briefs are vital reading for today's forward-thinking security and risk management practitioners.
Regulation raises the risk for global subsidiaries (Nair and Co.)
Reacting to the global debt crisis, the global economic slowdown and increasing financial corruption, foreign governments have revamped regulations to stop fraud and protect their market share of key industries.
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators (Elizabeth Dimit)
Blog post discussing why CISOs need to collaborate with privacy, legal, and product teams to effectively identify and mitigate risk in their organization.
Has your credit union considered how member relations, legal compliance and brand reputation might be affected during a data breach? In this 2012 NAFCU Technology & Security Conference session recording you will learn about the risks of data breaches and how they could impact your credit union.
If you missed the webinar Marianne Halvorsen of http://Halvorsenonrisk.com gave on March 25th, 2013, please take a look at the slide presentation that accompanied the webinar. In it you will learn the different types of risks to your company, the costs when an event happens, and how you can protect yourself in the event of a cyber breach.
The Edelman Privacy Risk Index℠ is a global study on data security and data protection. For the study, the independent research organization Ponemon Institute evaluated responses from 6,400 data protection and data security officers at companies in 29 countries.
Managing Cyber Risk: Are Companies Safeguarding Their Assets? (EMC)
This white paper summarizes the results of a survey done by RSA, NYSE Governance Series, and Corporate Board Member, in association with Ernst & Young, with 200 audit committee members responding on a variety of issues regarding their cyber risk oversight program.
The Long White Cloud: Addressing Privacy, Residency and Security in the Cloud... (Doug Newdick)
This paper aims to explore what the real issues, risks and constraints are for New Zealand organisations that are thinking about cloud computing and how to address them.
Three Undocumented Layers of the OSI Model and The.docx (LynellBull52)
Three Undocumented Layers of the OSI Model
and Their Impact on Security
Michael Scheidell
President and Chief Technology Officer, SECNAP® Network Security Corporation
Synopsis
The single most serious threat to the security of sensitive information in today’s world is not individual
hackers, cyber gangs, inadequate firewalls or missing patches. The most serious threat lies in the often
overlooked and undocumented OSI Layers 8, 9 and 10: Politics, Religion and Economics. These
undocumented layers often drive sub‐optimal decisions regarding information systems and data security,
and can leave a program vulnerable to malicious intrusion or attack.
This paper seeks to help the reader understand how the traditional OSI model applies to security, realize
that three additional layers exert a powerful influence over security programs and decisions, and leverage
tips for navigating OSI Layers 8, 9 and 10 to become more effective security professionals.
Since founding SECNAP® Network Security Corporation in 2001, Chief Technology Officer Michael Scheidell
has aggressively pursued the development of network security and email security products and services
with impressive results, including patent‐pending intrusion detection and prevention technology and a
revolutionary email security product line. During the course of his career he has discovered and resolved
vulnerabilities represented on the Common Vulnerability and Exposures (CVE) list, and has been a member
of the FBI InfraGard program since 1996, working with other IT experts to assist the FBI’s investigative
efforts in the cyber arena.
Michael Scheidell and his talented technical team know how difficult it can be to affect positive change
within an organization. When it comes to navigating the executive suite and the undocumented layers of
the OSI model, the staff at SECNAP® Network Security have the experience and expertise to assist CIOs,
CISOs and IT management in developing effective strategies to successfully drive security improvements.
The Most Serious Threat to Data Security is Not What You Think
The single most serious threat to the security of sensitive information in today’s world is not
individual hackers or gangs of cybercriminals. It is not an inadequate firewall, lack of logging or
missing patches. Nor is the most serious threat to data security found in OSI Layer 7—no
amount of application filtering or testing can address this threat.
The single most serious threat to the security of sensitive information lies in the often
overlooked and undocumented layers of the Open Systems Interconnection (OSI) model: Layer
8 (Politics), Layer 9 (Religion) and Layer 10 (Economics).
You can conduct GLBA, SOX, FACTA, HIPAA, FERPA and ISO audits until you are buried in reams
of audit reports. You can recommend implementation of DOD or NIST standards until you feel
like Dilbert trying to convince his boss to do something log.
The SolarWinds hack, first detected in December 2020 and referred to as “the largest and most sophisticated attack the world has ever seen” by the president of Microsoft, was a watershed moment in cybersecurity. Hundreds of organizations, including Fortune 500 companies and government agencies, were affected, with sensitive data compromised. A year on, a major study conducted by Splunk has found that 78% of companies expect the same thing to happen again.
Security - intelligence - maturity-model-ciso-whitepaper (CMR WORLD TECH)
A Time of Great Risk: The Time Between Compromise and Mitigation
In most organizations today, threat detection is based on various security sensors that attempt to look for anomalous behavior or for known signatures of malicious activity. These sensors include firewalls, intrusion detection/prevention systems (IDS/IPS), application gateways, anti-virus/anti-malware, endpoint protection, and more. They operate at and provide visibility into all layers of the IT stack.
This new edition of the Cyber Risk Governance Report includes a case study that illustrates how our cyber risk governance model works in practice.
FERMA has made the ongoing digital transformation a priority for our advocacy work for several years now. This is why, in 2017, we launched one of the first European cyber risk governance models jointly with our European colleagues and internal auditors from the ECIIA.
Events since then have only strengthened our view that corporate governance models will quickly become obsolete if they do not embed governance for cyber risks under the leadership of a risk and insurance professional.
The Stand Against Cyber Criminals Lawyers, Take The Stand Against Cyber Crimi... (Symantec)
Many law firms would suffer greatly from being breached due
to the extremely sensitive data they are handling on a daily basis.
Any cyber attack in this sector can be catastrophic so do lawyers
feel ready to stand against the rising tide of cybercrime?
With this in mind, Symantec, in conjunction with the law
publication Managing Partner, conducted a study into how law firms see cyber security.
Third party risk management with cyber threat intelligence (Charles Steve)
A community built by cyber risk management and compliance practitioners for securing digital health solutions and medical devices - https://www.opsfolio.com/
Cybersecurity - you are being targeted - Keyven Lewis, CMIT SOLUTIONS (Randall Chase)
cybersecurity - You Are Being Targeted
Business executive with high-level management and hands-on analytical skill sets and over 27 years of professional experience in technical solutions and service offering development and implementation, organizational strategies for efficiency, cost controls, and bottom-line profitability, multi-million dollar enterprise-wide client engagements, compliance with schedule, budget, and quality requirements, hiring and leadership of high-performance IT employees.
Keyven Lewis, CMIT SOLUTIONS- Cybersecurity - You Are Being Targeted.
An overview to help SMB owners understand the dynamics (exp. the who, the why, and the how) of cybersecurity as it relates to their business.
The business of data analytics and business intelligence 15 nov 2016 (David Cunningham)
Panel presentation with insight on data analytics for law firms and legal departments. Speakers include Paul Davies of Deloitte, Ben Weinberger of Prosperoware, David Cunningham of Winston & Strawn, and Rupert Collins-White of LPM Magazine.
The risk landscape dave cunningham quoted sep 2008
The Risk Landscape - The Experts Help Your Firm Guard Against Risk
At ILTA's annual conference, the Risk Management Peer Group Track offered several informative and well-attended panel discussions
about the new and growing challenges in legal IT security. Our volunteer panelists shared their thoughts on the current state of security,
risk and conflicts management, and they offered valuable and insightful predictions for firms to consider as they manage risk in the
context of new technologies and a changing economy.
We are grateful that many of these panelists were willing to put down some of their thoughts on these questions, and we present their
answers to you here. We think their answers to our seven questions will help firms form or fine-tune their risk strategies and enable them
to grow more confidently. The respondents in this article are:
• Richard Patterson, Director of Security, Sidley Austin, 1,800 attorneys
• Kevin R. Davidson, Director of Information Security, Stinson Morrison Hecker LLP, 325 attorneys
• Andy Jurczyk, CIO, Sonnenschein Nath & Rosenthal LLP, 550 attorneys
• Jim Soenksen, CEO, Pivot Group, LLC, an information security audit and assessment firm
• David Cunningham, Managing Director, Baker Robbins & Company, an independent technology consulting firm dedicated to
developing and implementing innovative solutions
• Dan Safran, Executive Vice President, Project Leadership Associates, a business and technology consulting firm focusing on the
legal market
What do you think are the three biggest risks facing law firms today?
Patterson: The three things I think are the biggest risks are the lack of an operational risk management role, data leakage - which is to
say there's too much client information leaving firms on too many forms of media and technology - and physical security and IT security
at trial sites and with contract attorneys.
Davidson: I think the three biggest risks include a general lack of security awareness by attorneys and staff; myriad locations of
confidential information (Have we performed an EDD on ourselves lately?); and the Internet. Access to the Internet is no longer restricted
to computers that are safely behind a firewall; plus there are the social aspects of various Web 2.0 applications.
Jurczyk: I can list the three biggest risks. First, there's the evolving technical risk landscape. Over the past few years we've seen
technical attack vectors move from the network layer up to the application layer. This evolution magnifies the risk because these
application-layer attacks can be used to steal information (e.g., corporate espionage, state-sponsored espionage, etc.) and have a direct
link to productivity. Second, there are the recent changes and global differences in the rules and regulations surrounding information
handling. These range from privacy regulations to discovery laws and are a major source of risk to law firms given our diverse customer
base. Third, it's the economy. The partnership model has its strengths and weaknesses but, simply put, the underlying causes of this
recession and the symptoms in the open market are the perfect storm for this model. This rears its ugly head in a partnership's ability to
raise capital and operate in the short term, and may present long-term problems without extensive risk management efforts.
Soenksen: I see the three biggest risks being vendor management, data privacy and insider threats; and by that last one, I mean
attorneys leaving the firm and taking intellectual property with them or disgruntled employees sabotaging the network, as well as the
general loss or leakage of data that accompanies this.
Cunningham: First, financial growth and overall stability: To quote from a recent issue of The Lawyer, "Around 500 firms have been
referred to the so-called intensive care units (ICU) of their banks because they are facing financial difficulties. It is understood that 21 of
the United Kingdom's top 150 firms are being treated in Barclays' ICU, which is known as 'business banking support', although the bank
refused to confirm this number."
Second, there's malpractice, mostly via rogue lawyers who cause the firm to be sued or to lose significant business. This is not the most
likely risk, but it is serious enough that general counsels in New York reported it as the risk that keeps them awake at night . . . well, at
least it did before the risk described above became an issue.
Third, I consider information governance a major risk. Inability to identify and control the firm's online content results in firmwide holds to
address litigation, inability to match clients' retention policies, massive duplication of data, lack of clarity around the retention of new
media (electronic voice mail, instant messages, etc.) and increased recovery times for lost data.
Safran: The three biggest risks today are, first, complying with the revised Federal Rules on Civil Disclosure and other global/national
rule sets. I realize this isn't pure security but it certainly overlaps relative to information access and overall firm risk management. Next, I
think it's the challenge of staying on top of continually changing security threats in rapidly changing internal and external environments to
protect the firm's intellectual and client data. And finally, it's raising management and employee awareness to fund proactive security
measures and identify threats.
http://www.iltanet.org/MainMenuCategory/Archives/PeertoPeerArchives/November2008/... 11/5/2011
As many firms look toward going global, do you see their security problems growing, shrinking or staying the same and changing?
Patterson: It's growing, especially if you ignore the risks that other corporations have addressed when they globalize.
Davidson: It's growing, especially in complexity.
Jurczyk: In the context of the risks I mentioned above, I foresee the security problems growing exponentially. Although I see many of
the technical problems remaining the same, I do expect our technical security problems to grow linearly as a function of the amount of
technology we use. And it's no surprise that the financial risk will grow at a non-linear rate as we look to fund larger operations.
However, I see the exponential growth coming largely from changes in rules and regulations and client demands from different areas of
the world.
Soenksen: It's growing. Lack of control of systems in other countries, change management issues, the configuration of a network to be
uniform and other considerations are increasing the complexity of security. Also, knowledge and compliance with different data privacy
laws will add to the complexity.
Cunningham: Almost by definition, security issues will grow and change. Electronic data interchange agreements are a fine example of
security problems that few firms have yet tackled well.
Safran: With complexity in growing and managing global enterprises comes a natural increase in security problems. More things and
people to manage, different cultures, different values and different levels of government controls and rules based on location all
contribute to the increased complexity. An example is where certain countries monitor Internet traffic or others that have stringent rules
around transmission of in and outbound data . . . all of this adds complexity to privacy and security requirements.
Differences in security and privacy laws as well as practice guidelines vary from country to country. Do you believe these differences are
giving an advantage to local and regional firms focused in primarily one country?
Patterson: Not really; the lawyers in the offices in those locations become the experts on the local regulations, you just develop internal
local expertise.
Davidson: Not yet.
Jurczyk: I believe that non-revenue generating functions can only impact two of the three dials linked to competitive advantage:
customer perceived value and cost of operations. It is my opinion that compliance with these rules and regulations in many countries is
required and/or implied, therefore, it cannot impact customer perceived value. To the extent that a firm is able to demonstrate
compliance with these rules and regulations at a cost less than its competitors, I believe strong risk management/security programs can
contribute to a competitive advantage so long as revenues associated with serving the clientele necessitating compliance are realized.
Soenksen: Maybe . . . The local attorneys in each office should or will be aware of their particular laws and educate the other partners
as to what their requirements are for their jurisdiction. The issue will be whether the firms' technologies, policies, training and support
infrastructure will be in place to keep the local offices competitive.
Cunningham: A one-country firm would only have potential advantage with one-country clients. A firm dealing with multinational clients
has to understand and address these multinational issues, not stop working across borders.
Safran: They may have a slight increase in competitive advantage, but knowledge of local laws does not provide a high barrier to entry.
A firm's local or regional understanding of security and privacy rules can help support local and collaborative law practices; however, my
sense is that the competitive advantage of local or regional firms does not greatly differ from global firms. After all, many global firms
acquire local or regional offices of other firms or lateral hires or they hire local talent with that competitive knowledge.
Everyone admits the technical landscape is changing, and nobody argues the link between technology and risk. As a result of these
changes, do you foresee risks increasing, decreasing or staying the same in size, scope and magnitude?
Patterson: Risk will always increase as you make systems and data more widely available to people on more platforms and over new
and varied mediums.
Davidson: I see it increasing, as it is only more difficult to stay on top of the risk with the methods, laws, and exploits changing so
quickly.
Jurczyk: I believe that as new technologies are developed, released and adopted by the masses, our cumulative risk does grow; not
growing is simply unavoidable in this context. However I also believe that a good risk management process can balance the incremental
risk against potential value to the firm. For example, by producing more donuts, you are increasing the total calories that I can consume,
thus my belt size. However, by my choosing to only eat half of the donut or better yet (and less likely) me not eating the donut, I am
controlling my calories, thus belt size. These same basic rules apply to managing technical risk.
Soenksen: I see it increasing; as technologies such as Web applications and software as a service become more prevalent, the risks
associated with sharing confidential or private information become increasingly challenging to protect.
Cunningham: Technical risks increase but in a relatively small way compared to information management and people risks.
Safran: For much the same rationale in question three, I see risks increasing, mostly due to the increased complexity in firm growth,
geographic expansion and increasing country rules and regulations. Technology continues to evolve and progress, which adds increased
complexity to user and network environments. Integration with other rapidly advancing technology sets also causes greater risk.
If you had to identify three technologies that carry with them the greatest risk, what would they be?
Patterson: VoIP, virtualization and Outlook Web Access, which is less a technology and more an application, but I had to throw it in.
Davidson: Mobile devices, flash drives and WiFi.
Jurczyk: First, there are the peer-to-peer technologies, including collaboration technologies such as instant messaging, that place the
firm at great risk. The pressure to allow the use of these technologies in service of our clients is rising globally while, at the same time,
recent studies released by the FBI suggest that these technologies are becoming a conduit for information theft by crackers, hackers and
state-sponsored espionage programs. Although our options for blocking and logging use are getting better, I believe many are reactive
and largely useless in the long term, and the only real solution lies in embedding security into the information which transcends corporate
boundaries.
Also, portal and information collaboration platforms, which represent the melding of my two top risks - the upward trend in attack targets
(application layer) and the increasingly complex regulatory landscape. Without belaboring the point, I believe this melding of the technical
and non-technical represents quite possibly the biggest risk facing firms today and over the next two to four years.
Third, mobile devices carry a lot of risk. These devices continue to grow in storage and processing capability and are becoming required
in order to practice law. This trend, coupled with the rapid integration of non-business features such as music, video and the Internet, has
opened up a new dimension to the risk landscape. I believe these technologies will grow in use, will become more and more consumer-focused
and will be a future attack platform of choice.
Soenksen: Ubiquitous computing, meaning the use of BlackBerry devices, PDAs and iPhones outside of the confines of the traditional in-house
network, is the greatest risk since these devices can contain highly sensitive information and are easily lost. Next, there are the
Web-based portals; accessing highly confidential data from outside the boundaries of the law firm carries the risk of this data being
compromised, either by a hacker or unauthorized party. This data can be accessed from any public computer and leave residual
confidential information on the hard drive of an unauthorized computer. Or, it is accessed from home where employees do not have the
same level of security found in the enterprise. If this data is then downloaded to the home computer, the risk increases. Then there's
e-mail. Due to the capacity of e-mail accounts, the "smoking gun" of a lawsuit will be buried in the countless number of e-mail messages.
Additionally, if Web-based e-mail accounts such as Gmail are incorrectly used by employees to conduct law firm business,
the risk of this information being compromised is great, since the law firm does not have control over the Gmail servers.
Cunningham: The use of e-mail has single-handedly broken down the former partner review and records management processes of
firms. What used to be a letter carefully read by a partner before it left the door is often now a casual e-mail message sent directly by a
junior lawyer. Then there are remote access configurations; many are poorly or thinly configured and have password-only authentication
- a hacker's dream. And then there's Google, which is used more often than any partner thinks.
Safran: The three most risk-filled technologies are mobile devices, websites and mobile workers. Mobile devices lead to more local data
that needs to be secured and further decentralizes where risky documents and records reside. Also, collaborative applications and
websites are risky, for the same reasons as above. And the increasing number of mobile and dispersed home knowledge workers
means more data records need to be protected in environments that are inherently localized, unstructured and flexible.
How do you think the economy is affecting security in law firms?
Patterson: As clients go under, firms lose revenue streams. Plus, clients are using firms like banks; they're not paying their bills or they
are very slow to pay the bills.
Davidson: As our clients are affected, we become affected. Some verticals (bankruptcy, for example) are stronger.
Jurczyk: The economic problems we're facing today are unprecedented in modern history - at least since technology has become
mainstream. In light of these extreme circumstances, I believe all non-revenue generating activities have been affected in varying
degrees, which include a firm's investment in technology, accounting, marketing and security.
However, after looking at our finances and reflecting on what my peers are doing, I believe the economy is having less effect on security
spending (proportionally) than in other areas for two reasons. First, once security matures in an organization, capital and operating costs
tend to decline sharply, making it one of the least expensive areas to operate when compared to others. Second, and probably more
important, you may be able to defer an upgrade one more year, but you can't afford to leave systems unprotected; in order to work, you
must protect systems from viruses and respond to intrusions. In that respect, security is like accounting - you have to pay your bills in
order to keep the lights on, just like you have to protect your organization's capacity to work.
Soenksen: Law firms are feeling the effects of the recent downturn in the economy as the demand for some legal services is
declining. Thus, law firms are reviewing all capital and expense items and are determining what security initiatives need to be performed
this month/quarter/year or delayed until the next month/quarter/year.
Cunningham: No noticeable effect seen yet. More firms are auditing IT now, so that could have a long-term effect by ensuring firms at
least understand their security situation. However, this could be offset in the short-term by firms that may stop advancing the staffing and
investments in security.
Safran: As firms evaluate overall spending, it becomes harder to rationalize spending on information or other security measures versus
investments that spur business. I am already hearing about security budgets taking a squeeze in many of our clients - and headcount
reductions and freezes are having some effect.
Looking into the future, do you see a convergence between security as it exists today and broader risk management (e.g., enterprise risk
management)? If so, what's behind this shift?