A non-IT person’s guide to IT risk – 9 fundamental rules

Any business service, be it consulting or courier mail, carries a risk. Information Technology has been seen as a major risk factor for law firms, whether warranted or not.

The positive effect of all this negative attention is that a number of systems and processes have been put in place to give you and your clients certain assurances surrounding risk.

While nothing provides 100% certainty, you can massively reduce the risks associated with your IT systems and data by following these 9 fundamental rules.

1 – Password processes

All passwords should be retained by the owner, including those for the database software (e.g. FilePro) and every other password used in the business. All passwords should be able to be changed by the owners at any time.

If a password is entered incorrectly three times, the system should lock that account out, as the attempts may be coming from a hacker or from automated software trying to access your systems.
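The three-strikes rule above, as an added illustration (not FilePro or Habitat3 code): a small lockout tracker that a login system would call after each password check. The 15-minute lockout period and the audit-log format are assumptions, since the text only specifies the attempt count; note that a locked account rejects the attempt even when the password is right.

```python
"""Failed-login lockout tracker (added illustration, not vendor code).

Assumption: the login system calls record_attempt() after every password
check, and a monitoring tool reads audit_log for the events worth alerting on.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 3                   # the "three times" rule from the text
LOCKOUT_DURATION = timedelta(minutes=15)  # assumed; the text gives no duration


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class LoginGuard:
    def __init__(self, max_attempts: int = MAX_FAILED_ATTEMPTS,
                 lockout: timedelta = LOCKOUT_DURATION) -> None:
        self.max_attempts = max_attempts
        self.lockout = lockout
        self._accounts = {}   # username -> AccountState
        self.audit_log = []   # (time, username, event) tuples for monitoring

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def is_locked(self, username: str, now: datetime) -> bool:
        state = self._state(username)
        if state.locked_until is None:
            return False
        if now >= state.locked_until:
            # Lockout has expired: clear it and start counting afresh.
            state.locked_until = None
            state.failed_attempts = 0
            return False
        return True

    def record_attempt(self, username: str, password_ok: bool, now: datetime) -> str:
        """Return 'locked', 'failed' or 'ok'.

        A locked account rejects the attempt even if the password is right,
        which is what stops a guesser who happens to get it on try four.
        """
        state = self._state(username)
        if self.is_locked(username, now):
            self.audit_log.append((now, username, "attempt while locked"))
            return "locked"
        if password_ok:
            state.failed_attempts = 0   # a good login resets the counter
            return "ok"
        state.failed_attempts += 1
        self.audit_log.append((now, username, f"failed attempt {state.failed_attempts}"))
        if state.failed_attempts >= self.max_attempts:
            state.locked_until = now + self.lockout
            self.audit_log.append((now, username, "account locked"))
            return "locked"
        return "failed"


def demo() -> list:
    """Replay a constructed sequence of login attempts and return the outcomes."""
    guard = LoginGuard()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    attempts = [  # (seconds after t0, username, password correct?) -- constructed
        (0, "alice", False),
        (5, "alice", False),
        (10, "alice", False),      # third failure -> account locked
        (15, "alice", True),       # right password, still rejected
        (16 * 60, "alice", True),  # lockout has expired -> ok
        (20, "bob", True),         # another user is unaffected
    ]
    return [guard.record_attempt(u, ok, t0 + timedelta(seconds=s))
            for s, u, ok in attempts]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The audit-log entries are the part a monitoring tool wants: a burst of "account locked" events across many usernames is the signal that automated guessing is under way rather than a forgetful user.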

2 – Disaster recovery

Set up a process that replicates your complete systems from one office location to another (ideally every 15 minutes) so if the office location hosting the server is rendered unusable then you can keep working and do not lose time or data.

3 – Consistent backups and archives

Backups ensure data can be restored if it is accidentally altered, deleted or corrupted. Monitoring and managing backup data in encrypted form, including regular tests to confirm the data can actually be restored, gives you confidence that a backup will be available quickly when it is needed.

You should ensure a backup is completed at least every 24 hours. As well as this, an archive copy of your data should be created each year and kept in a secure location (e.g. a fireproof safe) on a physical hard drive. Archives should be kept for a minimum of 7 years to help avoid professional indemnity claims.
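The two checks this section calls for, a backup no older than 24 hours and proof that it can be restored, as an added illustration that is not FilePro or Habitat3 code. The backup layout (one `.bak` file per run beside a JSON manifest holding the source's SHA-256) is an assumption made for the example; a real backup job would also encrypt the file, which is left to the backup tool here.

```python
"""Backup freshness and restore-verification check (added illustration).

Assumed layout: each backup run copies the data file into a backup directory
as <name>.<timestamp>.bak and writes a <name>.<timestamp>.json manifest with
the SHA-256 of the source. Encryption of the backup is out of scope here.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAX_BACKUP_AGE = timedelta(hours=24)   # "at least every 24 hours"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_dir: Path, when: datetime) -> Path:
    """Stand-in for the backup job: copy the file and record its hash."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / f"{source.name}.{when.strftime('%Y%m%dT%H%M%S')}.bak"
    shutil.copyfile(source, dest)
    manifest = {"source": source.name, "sha256": sha256_of(source),
                "taken_at": when.isoformat()}
    dest.with_suffix(".json").write_text(json.dumps(manifest))
    ts = when.timestamp()
    os.utime(dest, (ts, ts))   # file mtime reflects when the backup was taken
    return dest


def check_freshness(backup_dir: Path, now: datetime) -> tuple:
    """Return (ok, message); ok is False if there is no backup or it is too old."""
    backups = sorted(backup_dir.glob("*.bak"), key=lambda p: p.stat().st_mtime)
    if not backups:
        return False, "no backup found"
    newest = backups[-1]
    taken = datetime.fromtimestamp(newest.stat().st_mtime, tz=timezone.utc)
    age = now - taken
    ok = age <= MAX_BACKUP_AGE
    return ok, f"newest backup {newest.name} is {age} old"


def verify_restore(backup: Path, restore_dir: Path) -> bool:
    """Restore the backup into restore_dir and compare it with the manifest hash.

    A backup that has never been restored is not one you can rely on; this
    catches truncated copies, bad media and silent corruption.
    """
    manifest = json.loads(backup.with_suffix(".json").read_text())
    restore_dir.mkdir(parents=True, exist_ok=True)
    restored = restore_dir / manifest["source"]
    shutil.copyfile(backup, restored)
    return sha256_of(restored) == manifest["sha256"]


def demo() -> dict:
    """Constructed scenario: a stale backup, a fresh one, then a corrupted one."""
    work = Path(tempfile.mkdtemp())
    source = work / "db.sqlite"
    source.write_bytes(b"CLIENT MATTERS TABLE -- constructed sample data")
    now = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    results = {}

    stale_dir = work / "stale"
    make_backup(source, stale_dir, now - timedelta(hours=30))
    results["stale_is_fresh"] = check_freshness(stale_dir, now)[0]

    fresh_dir = work / "fresh"
    good = make_backup(source, fresh_dir, now - timedelta(hours=2))
    results["fresh_is_fresh"] = check_freshness(fresh_dir, now)[0]
    results["restore_ok"] = verify_restore(good, work / "restore_good")

    # Simulate bit rot / bad media by overwriting the first bytes of the backup.
    with open(good, "r+b") as f:
        f.write(b"XX")
    results["corrupted_restore_ok"] = verify_restore(good, work / "restore_bad")
    return results


if __name__ == "__main__":
    print(demo())
```

Run daily and alert on any False: a stale backup means the job stopped, and a failed restore means the copy you are counting on is damaged, which is exactly the condition the yearly archive and the 7-year retention cannot fix after the fact.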

4 – Database Software

Maintain your business data with modern software that utilises business-grade database technology (like MS SQL) and run it on a secure server environment that is private and only accessible by your business.

5 – AntiVirus/Malware

Make sure you have implemented security software on all your systems (especially servers) that protects against viruses and other malware.

6 – Power protection

Your servers should have an uninterruptible power supply (UPS), a battery unit that keeps them running through short-lived power outages. Power cuts can crash the server's operating system and cause data corruption. You could also experience long-term interruptions to workflow if the crash damages your server's configuration.

7 – Remote Access

Restrict access to your company's systems and data to specific internet connections or sites. For example, selected staff should be able to access the system from their home internet connections but from nowhere else. Also encrypt the data travelling between locations using a Virtual Private Network (VPN).
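The "from these connections and nowhere else" rule above as an added illustration, not FilePro or Habitat3 code: a per-user allow-list of source networks checked with deny-by-default. The user names and address ranges are constructed (the ranges are the RFC 5737 and RFC 3849 documentation blocks); a real deployment would enforce this on the firewall or VPN gateway rather than in application code, and since home connections often change address, tying access to a VPN login is more robust than a bare IP list.

```python
"""Per-user source-address allow-list (added illustration, not vendor code).

Assumption: the VPN gateway or application can see the connecting address and
a user name, and asks is_allowed() before letting the session proceed.
"""
import ipaddress

# Constructed allow-list: the networks each staff member may connect from.
ALLOWED_SOURCES_RAW = {
    "alice": ["203.0.113.10/32", "2001:db8:1::/48"],  # home IPv4 + home IPv6
    "bob": ["198.51.100.0/24"],                        # branch office range
}


def build_allowlist(raw: dict) -> dict:
    """Parse the textual ranges once; a typo here fails loudly at start-up."""
    return {user: [ipaddress.ip_network(n, strict=True) for n in nets]
            for user, nets in raw.items()}


ALLOWED_SOURCES = build_allowlist(ALLOWED_SOURCES_RAW)


def is_allowed(user: str, source_ip: str, allowlist: dict = ALLOWED_SOURCES) -> bool:
    """Deny by default: unknown user, malformed address or unlisted network -> False."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False   # never let a malformed address through
    for net in allowlist.get(user, []):
        if addr.version == net.version and addr in net:
            return True
    return False


if __name__ == "__main__":
    for user, ip in [("alice", "203.0.113.10"), ("alice", "203.0.113.11"),
                     ("bob", "198.51.100.77"), ("carol", "198.51.100.77")]:
        print(user, ip, "allowed" if is_allowed(user, ip) else "denied")
```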

8 – Firewall

Ensure your computer network is protected from external access via the Internet. This is usually handled by your router/modem device on your network.

Make sure you're using a business-grade modem, as it will offer much better protection. This is a little complicated, so I would recommend having it configured by an IT professional.

Arrange for an external technical organisation to complete a threat assessment of your network once every 6 months to check whether there are any vulnerabilities.

9 – Data Sovereignty

Ensure that none of the measures put in place to protect your applications and data allow data to be sent outside of Australia (e.g. using Dropbox as a backup).

Consider server hosting services

An alternative to working through this list is to host your applications and data in an Australian datacentre. Specialist hosting providers offer a highly secure service backed by strong and specific Service Level Agreements (SLA) – contracts which indicate specifically what they do as part of the service.

You should ensure you fully understand any SLA and associated Terms and Conditions related to any offerings. Don’t hesitate to question the company about the specifics of the agreement and compare that with the fundamental rules of IT risk management.

FilePro has recently released FilePro+, an optional private hosted server solution that combines your software and hardware investment. FilePro+ is powered by private hosted server specialists like Habitat3, a provider that specialises in hosting applications and data for the legal profession. For more information on FilePro+ contact your state's FilePro representative.

John is the founder and a Director of Habitat3 and works with existing and potential clients to ensure Habitat3 continues to meet the needs of professional services firms. John is a former IT journalist, holds an MBA in IT strategy and has worked within the IT industry for 20 years.
