Re: Law office recommendations?

From: JohnNicholson@aol.com
Date: 02/20/03

    Date: Thu, 20 Feb 2003 11:22:21 -0500
    From: JohnNicholson@aol.com
    To: tim@heagarty.com ("Tim Heagarty"), security-basics@securityfocus.com
    
    

    From a philosophical standpoint, there are two problems that you have to face when dealing with law firms. First, speaking as a lawyer, law school, in general, is a refuge for the mathematically challenged, the mechanically incompetent and the technically declined, so lawyers rarely understand the technical details of their computer systems. However, there are few people who consider themselves more expert at everything than lawyers. Second, when it comes to making infrastructure (e.g., technical) purchases, money spent on computers comes out of partners' pockets, so they frequently underspend.

    Other than those problems, the biggest problem that I've seen manifest itself inside a law firm is poor internal access control. Senior lawyers did not grow up in the computer era. Younger lawyers did, and frequently have superior technical skills. Because the law firm management is made up of senior lawyers, they frequently do not understand how to manage sensitive information, and I have seen incidents where very sensitive internal information was exposed to "curious" younger lawyers.

    I'd second the comment about v-mail passwords. Law firms frequently mandate network and PC password changes, but not v-mail. Some lawyers will have the same v-mail password for years.

    I'd also suggest looking into the firm's data erasure policy. Many firms lease PCs, and it may not be clear what is done with them either before or after the PCs are returned to the lessor. There could be a LOT of very sensitive information on hard drives being sent out for resale. (This one applies to all companies, obviously, but law firms deal with an abnormal amount of sensitive info, and, due to the philosophical points above, may not be as good about dealing with it as other companies.)

    Hope this helps,
    John