Ride the Lightning

Big Law Firm Risk Managers Think People Are the Main Data Security Risk

May 29, 2013

Last week, at the invitation of Georgetown Law Professor Jeff Baumann, John and I met with a group of risk managers from big D.C. law firms to discuss information security. While our conversation was far-reaching – and on the highest level we have ever encountered – it was clear by the end of day that these folks are not nearly as worried about technology as they are about people endangering their security.

First on their hit list was the demands of partners (I want this device or that device, I want to connect my personal device to the network, I want to bring my own network) who, apparently, cannot be denied. Consequently, risk managers and security experts have to do their best to implement technology to prevent damage caused by the partners' demands for whatever they believe is the latest and greatest in technology.

Second was training for employees at all levels – apparently many are impervious to education and others refuse to participate in it. We discussed social engineering and spear-phishing in particular, both of which have been successfully used by hackers many times.

Amazing to us that these large firms have such brilliant people working for them – and they refuse to take their security advice. It explains a lot about why hackers are so successful at getting into law firms!