Given the immense amount of critical information that now exists only in electronic form, law firms are wise to increase the means to protect their digital data repositories, especially in light of the increase in ransomware. and other cyber attacks. However, law firms should be mindful of the continued need for physical security. especially when so many legal professionals work remotely at least part time. Today, the need for physical security has increased dramatically, although it attracts far less attention than cybercrime.
Physical security protects I) employees and ii) the physical assets of an organization against a wide range of threats. This includes protecting employees from workplace violence; protect sensitive or valuable information (for example, lock filing cabinets to securely store sensitive customer documents and install alarms on valuable works of art); and infrastructure protection, such as monitoring fires, water leaks, natural disasters and break-ins.
How to think about physical security
Most people tend to think of physical security in terms of patrolling security guards, self-locking doors, security cameras, and automatic lighting. We see these things so often that they become virtually invisible when we take these steps for granted. Over the past year, however, the shift from a centralized office model to a distributed workforce working from home has meant that these security services and systems are not available outside of empty offices (or partially empty), even if critical work takes place in lower areas. security locations. This increases the risk of physical security breaches, including some that could become cybersecurity threats.
Temporarily empty offices also lose a powerful protection: the daily workforce. Employees who work in the same space every day are much more likely to spot misplaced objects or other issues than if they rarely visit that workspace. Without a regular employee presence, informal but effective “if you see something, say something” security measures are significantly weaker than they would otherwise be.
A key aspect of the centralized office is that all employees work in one place, under roughly similar conditions, allowing a unified set of security tools and solutions to be applied to everyone at the same time. However, when employees work from home or other remote locations, the same physical security cannot easily be extended to hundreds of places, each with a unique location and potential weaknesses. As a result, in theory at least, it is much easier for an intruder or thief to gain access to these remote workplaces.
Fortunately, from a practical standpoint, most remote workplaces are not high-visibility places and, at least statistically, are safe repositories of relativity for law firm information, but not necessarily for law firm information. the employees themselves. People generally feel safe in their homes and break-ins, especially for documents, remain relatively infrequent. However, if a specific target is identified (for example, the home of a managing partner) and an incident such as laptop theft occurs, the law firm’s security resources will not be at risk. proximity to help you.
Other challenges arise when employees create their own alternative workplaces. The need for socially remote workspaces has led to an explosion of garden sheds, motorhomes, caravans and other non-traditional structures being converted back into offices and private workspaces. Some of these locations have proven to be surprisingly effective for individual employee productivity, but they offer even less physical security than a house or other traditional structure, with camouflage (unexpected use) serving as the primary security.
Assess the physical security of your organization
Physical security needs vary greatly from organization to organization and office to office. Organizations should examine their own risk factors and higher-value assets, both physical and intellectual, as well as their physical environment to assess any protocols they may need to put in place.
For example, a law firm in a building that maintains its own separate security measures will have different needs than a firm occupying an entire building with sole responsibility for the security of the building and infrastructure. Companies should also review their current staff to identify who, if any, is qualified to perform a competent assessment of existing security measures. It is likely that a law firm will need to hire an outside specialist to obtain the appropriate expertise. Often times, cybersecurity specialists can have recommendations for someone specializing in physical security – and vice versa.
Assessing the risks facing an organization’s remote workforce presents additional complications as this analysis must rely heavily on self-reporting by employees of their immediate workspaces and practices. Typical areas of weakness include the insecure storage of business laptops (data can be encrypted, but the device can still be stolen) and other equipment, as well as inconsistent storage of sensitive paper documents. However, a full assessment should look further. Do employees lock the doors of their residences at night? Do all employees have cell phones or some other means of alerting authorities in an emergency? These issues may be sensitive for some employees, but they are still part of a law firm’s physical security risk matrix in today’s decentralized work environment.
Ultimately, a physical security assessment should achieve several basic goals. It must identify and categorize assets by value, and it must identify priorities and strategies for protecting assets, both in terms of materials and employees. A good assessment will also examine the redundancy in existing security measures. Redundancy does not necessarily mean that equivalent backup systems are in place, which is usually unnecessary and expensive. However, good redundancy measures should include monitoring existing security measures so that any failures are quickly identified, with procedures in place to provide one-time coverage, such as additional security guards or the temporary use of cameras and safety equipment removed, until the major system failure has been resolved.
Ultimately, it’s important to remember that perfect security is impossible – a sufficiently motivated intruder will almost always be able to exploit something to break into the security of a law firm. However, a good assessment should help reduce this risk and help organizations strike an appropriate balance between security, costs and inconvenience.
Build best practices to maximize physical security
Every organization uses a combination of technology, human oversight, and employee behavior to create effective physical security systems. But the best security system can’t keep intruders out if employees can’t remember to lock the doors behind them. In turn, the most security-conscious employees will be limited in what they can do if they do not have the ability to lock filing cabinets and office drawers and do not have access to the panic buttons. emergency (or mobile phone speed dial numbers) in strategic locations.
Spy thrillers typically focus on ways in which intruders compromise technology to infiltrate physical locations. In real life, it’s much more likely that smart social engineering will require less effort to achieve the same goal. It’s tempting to rely on employee training sessions and signed agreements to “manage risk,” but such measures offer paper protection, not necessarily real-life support. In the same way that organizations test digital security measures with phishing and hacker penetration drills, organizations should consider conducting live testing of physical security measures. Will employees report suspicious behavior? Will they take effective action if they feel threatened? Sometimes only a practice test can help answer these questions and identify topics for valuable follow-up training.
Effective physical security receives less attention than cybercrime, and is sometimes seen as a largely resolved problem. However, a thoughtful physical security assessment, designed and managed by a security specialist, will likely uncover gaps in an organization’s security infrastructure and help identify additional cost-effective protective measures to maintain or increase security. existing.
In an era of innovation in the future of the workplace, this modest investment could pay big dividends for law firms and businesses.
The opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the principles of trust, is committed to respecting integrity, independence and freedom from bias. Thomson Reuters Institute is owned by Thomson Reuters and operates independently of Reuters News.