Let me guess:
"Our IT guy has us covered" or "we trust them to take care of that for us".
How can you tell if your IT guy is putting your law license, reputation, money and staff at risk? If you always just "trust" them, you'll never know until it's too late, and by then you've lost $10,000-$20,000 in repair bills (paid to the IT guy, no less), dozens of customers, the respect of your colleagues (except the ones that took your clients) and hundreds of billable hours.
Here are some quick customer service questions to start your evaluation:
- Are your calls not being returned quickly?
- Have your staff been left unable to work?
- Do you get poor communications or recommendations just to sell you something?
- Do your requests take too long to start and you remind them too many times?
Customer service problems are easy to spot; anyone can judge them. However, these days, with everything riding on cybersecurity, technology and processes, how can you tell if they're doing everything necessary to secure your firm from hackers, accidental staff web/email clicks, downtime, data loss or other expensive legal or reputational disasters?
Here's a simple checklist we've put into a Cybersecurity Assessment Toolkit for Law Firms that can help.
If you can't "check off" all of these, your current IT guy can actually be jeopardizing your law firm:
IT Outsourcing Checklist
- Our IT tech insists we need more than a firewall and antivirus to adequately protect us.
- We have MORE than just spam software to keep email-borne threats from getting into our systems.
- Our IT guy has implemented software that checks web links in emails and attachments.
- Our staff are unable to visit infected Internet web sites because we use web filtering software.
- Our systems deny our staff from using their personal Dropbox, Google Drive and OneDrive programs on our computers.
- Our computers force us to change our passwords every 90 days or less, don't allow us to reuse similar passwords each time, and require the passwords to be complex.
- We review reports that show that we do on-going software updates to fend off hackers.
Policies & Review
- We've been hacked before, and our IT guy has worked with us to write a Data Breach Response Plan.
- Our written policy and our technology deny our staff from using their phones on our Wi-Fi.
- Our written policy says that our staff cannot install programs on their computers, or we have technology that prevents it.
- Our staff computers are blocked from visiting personal email sites like Gmail, Yahoo, AOL and Hotmail.
- Our staff are educated more than once a year on all types of cyber threats and how to avoid them (preferably monthly, with phishing tests being performed).
- We regularly review reports that show that we do on-going software updates.
- We review our cybersecurity risk position quarterly.
- We have a signed Confidentiality Agreement with our IT guy.
- We employ and monitor one or more of the following: Data Loss Prevention (DLP), Behavior Monitoring, Data Rights Management, Data Encryption (at rest/in transit), MFA and/or SIEM.
Legal & Compliance
- We are consistently advised by our IT consultants on how to improve our data privacy, compliance and cybersecurity risk position.
- Our IT guy has recommended that we have a Cybersecurity/Compliance/Data Privacy Committee (or similar, but more than a "Technology Committee") that reviews our cybersecurity risk position at least quarterly.
- Our IT guy specializes in Law Firm Cybersecurity and has 5+ years evaluating and presenting on cybersecurity threat trends, or possesses an advanced Cybersecurity degree or certification.
- We get cybersecurity reports from our IT guy that we understand and that help us as attorneys fulfill our ethical obligations under our state's Professional Code of Conduct.
- Our IT guy has made us aware of our state's legislation regarding cybersecurity, e.g. Ohio Senate Bill 220, the Data Protection Act, which provides a legal safe harbor to covered entities that implement a specified cybersecurity program, effective November 2, 2018.
- Our IT guy is working with us towards one of the following Cybersecurity Frameworks: NIST, CIS CSC, ISO/IEC 2700, HIPAA, GLBA Title V, FISMA, FedRAMP or another required by a regulatory body.
While not exhaustive, this checklist can help you start to measure the risk level of your law firm and how well your outsourced IT consultant is performing for you.
If you are in-house, on-staff IT, please use this as a checklist for your IT partners, or with your Managing Partner, CxO or Technology Committee, to further the goals of your firm.