Important Update

Respectfully, Law Firms are rated the lowest in terms of Technical Compliance to begin with. I count them as an outlier, and I'm grateful I don't have to manage them as a supplier base in my organization because of the sheer amount of non-compliance they generate, which is absolutely in reverse ratio to their ability to influence us as a client, especially at management level. I only know of one person who had the Moral Fiber to tell the General Counsel the truth: that the panel of contractor law firms his division used to cover the amount of barrister-related work that he never staffed up for internally was a breach waiting to happen. That poor soul, for speaking the truth, found himself on the street a month later.

The proclivity of barristers to use unsecured, co-located and co-mingled Internet-facing file sharing platforms was one of the highest risks we could determine, aside from a sheer lack of internal training, all the way down to the desktop control level. That was BEFORE the pandemic. Which, again, I point out: if you have control weaknesses beforehand, Covid didn't compel changes for the better, it just exposed them further.

There's no excuse for NOT on-boarding someone and giving them both the tools and the training, remote or not. As a matter of fact, many organizations had moved towards virtual on-boarding even before the Pandemic, where the new hire hit the ground already having done the necessary paperwork and mandatory training/orientation all online (which includes Security Training, which is looked at closely in regulated industries, and on their own time!) before showing up in the office for Day 1. About the only thing that needed to happen was to plant him/her in a chair and hand them their laptop and key fob. It was simple enough to transition that latter piece to a courier service delivering the hardware with basic connection instructions.
I don't disagree with you. I'm just saying that isn't how it works, and what you are proposing is a dream. It's a beautiful dream and one that I agree with. But "should do" and "is doing" are entirely different things. I agree with your assessment about information security and technical compliance in the legal services industry broadly, except on one crucial point. I don't consider it an outlier. I consider it the lowest common denominator, and if you don't plan for the worst case, it's not a good plan to begin with. You don't just get to sweep it under the rug and call it an outlier, not when it's this big and concerns this many people.

Law firms also don't just correspond with other law firms. It's building surveyors, architects, civil engineering firms, private healthcare consultants, etc. I'm not seeing best practices implemented there either.

The reality is there is bigtech and fintech, and some public/state-level service providers, that are highly resourced and forward thinking. They take this stuff very seriously and pay for best-in-class infrastructure + support, and then there is everyone else. The hierarchy of everyone else doesn't matter, because 1 hole in your perimeter fence is the same as 10 holes.