It’s that time of year again. As we begin 2018, businesses, including law firms, should be considering potential resolutions for improving their security practices in the year ahead. Here are six action items that have the potential to substantially increase overall cybersecurity. I am not suggesting that every client or firm pursue each action item, but everyone should at least consider efforts in these areas.

1. Take inventory of information assets

While it seems entirely fundamental, very few businesses, regardless of size and sophistication, have an accurate map or inventory of their information assets. Unfortunately, without an accurate inventory, it is impossible to be confident that assets are adequately protected. That is, you cannot protect assets if you don’t know where they exist, or if they exist at all. Take time this year to create or update your inventory, at least of your key information assets, and then review existing security protocols, procedures and policies to ensure those assets are protected.

2. Improve employee training

The old adage of “an ounce of prevention…” could not be more appropriate when it comes to employee cybersecurity training. It is generally agreed upon that employee training is one of the best means of improving overall security for an organization. It is also generally agreed upon, particularly in light of the numerous breaches that have occurred over the past year, that user errors are one of the primary sources of compromises. In the year ahead, think of quality, not quantity, of training. Explore means of better communicating cybersecurity issues to your personnel. Take a look at my blog post that discusses possible approaches to employee training here.

3. Tune up vendor and business partner agreement practices

The likelihood of a cybersecurity breach by “insiders” to the business cannot be overstated. Business partners and vendors who have access to company systems and their data, particularly cloud providers, present one of the greatest risks to information security. Take time to assess your current contracting practices to ensure your form agreements include appropriate, detailed provisions regarding information security and legal compliance. Ensure those provisions are supplemented with pre-contract due diligence to ensure the business partners’ and vendors’ security practices are consistent with your own, that the partners and vendors have not had prior breaches, that they train their own personnel well, that they have well-documented security policies, etc.

4. Revisit existing vendor and business partner agreements

Identify your key existing vendor and business partner agreements, assess the risks presented by those contracts and consider appropriate action to take when those agreements become eligible for renewal. Renegotiate problematic contracts to provide better data protections. If the vendor or business partner is unwilling to offer those protections, look for potential replacement vendors or identify other means of mitigating risk (e.g., the use of encryption).

5. Review and update security policies

If you have not assessed the currency of your security policies in the last year, plan a full review for this year. An assessment of existing policies is particularly useful following an inventory of information assets, as discussed above. In any event, facilities and systems change, industry practices evolve and new legal requirements may have been issued. Review and update your security policies to ensure they keep pace with these changes.

6. Conduct an audit or update existing audits

Finally, if you have not conducted a third-party audit of your systems and facilities in the last year, consider this year as the perfect time to conduct your first audit or an update to your last audit. Audits can help reset security programs by identifying new vulnerabilities and, potentially, previously known vulnerabilities that have not been mitigated. Audit results are also very useful in updating corporate security policies.

Including one or more of the foregoing action items in your plans for the new year will achieve several ends. First and foremost, they are proven means for increasing overall information security. Second, they will decrease potential liability. Third, if a breach should occur, these efforts are extremely effective in showing you have acted reasonably to protect your data and systems, which is what governmental regulators first look for when assessing whether to pursue actions against businesses.

This article was originally published in substantially similar form on CSOOnline.com on December 14, 2017. Read that version here.

Disclaimer: The information in this article is provided without any warranty or guarantee, does not provide legal advice to the reader, and does not create an attorney-client relationship with the reader. Any opinions expressed in this article are those only of the author and do not necessarily reflect the views of the author’s law firm or any of the author’s or the law firm’s clients. In some jurisdictions, the contents of this article may be considered Attorney Advertising.