Law Practice Management Blog: Securing Your Firm

By Chris Colee, Law Practice Management, Alabama State Bar

Securing Your Firm’s Data: Questions to Ask Your IT Company About Cybersecurity

In today’s digital age, safeguarding confidential client information is of great importance for law firms. Lawyers are increasingly reliant on technology for case management, communication, document storage, and more. Robust cybersecurity for law firms of all sizes is essential. Unless you have some background in IT and cybersecurity, I recommend partnering with an IT company to ensure that your firm’s data and systems are protected.

Not all IT companies are equal, so I highly recommend inquiring into the company’s policies and procedures so that you have a clear understanding of their competence and what actions your firm will need to take to help keep your data secure. While IT security should be tailored to your needs, the following are some suggested questions to ask your IT company about cybersecurity for your law firm.

Risk Assessment

A good starting place is understanding your firm’s current cybersecurity risk level. Ask your IT company if they can conduct a thorough risk assessment to identify vulnerabilities specific to your law firm.

Data Encryption

Ensure the protection of client data by inquiring about the encryption in place for data both in transit and at rest. Ask which standards are used (for example, TLS for connections to email and cloud services, and full-disk encryption such as BitLocker or FileVault on laptops and servers) and who holds and backs up the encryption keys, since encrypted data with a lost key is as unrecoverable as data destroyed in an attack. Some of this information may be hard to understand at first, but this is a good time to build trust in the IT company. If they can’t translate this information into a comprehensible form for you, that suggests potential challenges in future communications, particularly during critical situations.

Access Control

Ask about the measures in place for controlling and monitoring access to sensitive data. I highly recommend multi-factor authentication for email, remote access, and any other critical systems. What measures are in place to ensure strong, unique passwords? Another topic to consider is whether a role-based access control (RBAC) system is in place. RBAC assigns access rights based on job functions so that employees have access only to the information necessary for their roles; anything not explicitly granted to a role is denied. This minimizes the risk of unauthorized access to sensitive data. Is there continuous monitoring and logging of who accesses what information and when? Regular review of access logs helps identify and address suspicious activity promptly, such as a billing clerk opening matter files or an account being used after hours or after its owner has left. What is the process for revoking an employee’s access when they leave the firm, and how quickly does it happen? Are there additional security measures for remote access? Will the IT company provide and manage a VPN for staff working outside the office?
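To make the RBAC and log-review questions above concrete, here is an added example (not code from the Alabama State Bar post or from any IT vendor) showing the two pieces a firm should expect its IT company to have: a deny-by-default permission check driven by job role, and a review of access logs that flags accounts used after their owner left, access beyond a role’s permissions, and after-hours activity. The roles, users, permission names, log format, and log lines are all constructed for illustration.

```python
"""Role-based access checks and access-log review for a small law firm.

Added example for illustration only. The roles, users, permission names,
log format, and sample log lines below are all constructed; they are not
taken from any real firm or vendor.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Permissions each job function needs. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "attorney":  {"matter:read", "matter:write", "billing:read"},
    "paralegal": {"matter:read", "matter:write"},
    "billing":   {"billing:read", "billing:write"},
    "it_admin":  {"system:admin"},   # IT staff need no access to client matters
}

# Hours during which access is expected (local time); outside this is flagged.
BUSINESS_HOURS = range(7, 19)


@dataclass
class User:
    name: str
    role: str
    active: bool = True
    deactivated_at: Optional[datetime] = None  # set when the employee leaves


def offboard(user: User, when: datetime) -> None:
    """Revoke access on departure: disable the account and record the time."""
    user.active = False
    user.deactivated_at = when


def is_allowed(user: User, permission: str) -> bool:
    """Deny if the account is disabled or the role lacks the permission."""
    if not user.active:
        return False
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def parse_log_line(line: str) -> dict:
    """Parse a constructed log format: '<ISO timestamp> <user> <permission> <resource> <decision>'."""
    ts, name, permission, resource, decision = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": name,
            "permission": permission, "resource": resource, "decision": decision}


def review_access_log(lines, users):
    """Return (finding, log line) pairs a reviewer should look at.

    Flags, in this order of priority per line: an account not in the user
    directory, access granted after the user's departure, access beyond the
    user's role, and access outside business hours."""
    findings = []
    for line in lines:
        entry = parse_log_line(line)
        user = users.get(entry["user"])
        if user is None:
            findings.append(("unknown-account", line))
            continue
        if entry["decision"] != "ALLOW":
            continue  # denied attempts are worth counting, but are not a breach
        if user.deactivated_at is not None and entry["ts"] >= user.deactivated_at:
            findings.append(("access-after-departure", line))
        elif entry["permission"] not in ROLE_PERMISSIONS.get(user.role, set()):
            findings.append(("outside-role", line))
        elif entry["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after-hours", line))
    return findings


# Constructed user directory. Dave was offboarded on the afternoon of 4 March.
USERS = {
    "alice": User("alice", "attorney"),
    "bob":   User("bob", "paralegal"),
    "carol": User("carol", "billing"),
    "dave":  User("dave", "paralegal"),
}
offboard(USERS["dave"], datetime(2024, 3, 4, 17, 0))

# Constructed access log lines (timestamp, user, permission, resource, decision).
SAMPLE_LOG = [
    "2024-03-04T09:15:00 alice matter:read  M-1042 ALLOW",
    "2024-03-04T09:20:00 bob   matter:write M-1042 ALLOW",
    "2024-03-04T22:41:00 bob   matter:read  M-1042 ALLOW",  # late-night access
    "2024-03-04T10:05:00 carol matter:read  M-1042 ALLOW",  # billing staff in a matter file
    "2024-03-05T08:00:00 dave  matter:read  M-1042 ALLOW",  # account used after departure
    "2024-03-05T08:01:00 mallory billing:read B-7 ALLOW",   # account not in the directory
]

if __name__ == "__main__":
    for kind, line in review_access_log(SAMPLE_LOG, USERS):
        print(f"{kind:24} {line}")
```

The last two findings are the ones to raise with the IT company: an allowed access by a departed employee means revocation was not actually applied to that system, and an allowed access by an account that does not exist in the firm’s directory means the system granting access is not tied to the same user list the firm manages.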

Incident Response

What is the plan in the event of a breach? Make sure the IT company has a tailor-made plan for your firm that says who does what, how you will be contacted, and how systems and data will be restored. Ask how backups are kept, whether they are stored separately from the network they protect, and how often restoring from them is actually tested. Don’t get caught flat-footed. Knowing what to do in the event of a breach will help in containing the issue and restoring access after the disruption caused by a cyber-attack.

Training and Threat Awareness

Discuss the cybersecurity training provided to you and other staff members. Is the training only offered at the outset, or is there continuing training that keeps you updated on the latest threats? Discuss how the IT company stays informed about the latest cybersecurity threats and trends. Understand the proactive measures in place to defend against new and emerging threats and how that information is relayed to you.

Software Updates and Patch Management

What is the plan to keep all of the firm’s systems up to date with the latest security patches, including workstations, servers, and practice management software as well as network devices such as routers, switches, and firewalls? You will want to establish a patch management process that ensures timely application of updates, with a defined window for routine patches and a faster path for patches that fix actively exploited vulnerabilities, but also one that will not interfere with normal firm operations.

Insurance and Liability

Does the IT company carry liability coverage of its own, and what does it cover if a failure on their side leads to a breach of your data? Separately, determine whether your firm needs a stand-alone cybersecurity insurance policy or a rider to your existing professional liability insurance.

By posing these questions to your IT company, you are not only taking a proactive approach to cybersecurity but also demonstrating your commitment to safeguarding client trust and confidentiality. Regular communication and collaboration with your IT partner will be key to maintaining a strong and resilient cybersecurity defense for your law firm.