The other day I heard from a client in the legal vertical seeking advice. Some attorneys in his firm had proved to be less than enthusiastic about following some of the newly established information security policies introduced as part of their ISO 27001 certification efforts and the information security management system (ISMS) they’re putting in place.
What could be done to motivate them, he wondered? I suggested that he present them with the following scenario:
You’ve just spent over 100 billable hours working on a client project. As you get into your car to head home for a well-deserved, three-day weekend, you place your laptop on the passenger seat.
On the way home, you stop to run a quick errand. You leave the laptop in the car since it’s a safe area and you’ll only be a few minutes.
Unfortunately, you return to find a window smashed out and the laptop long gone. The client is expecting your work product at the start of the work week, and your firm is expecting to bill for the deliverable.
What do you do? The answer to that question depends on whether you followed the firm’s InfoSec policies…
If you failed to follow backup policies, then you probably lost a lot of data that otherwise would’ve been on a backup server somewhere. And if you failed to comply with the policy to encrypt your laptop, then now that data’s out in the wild.
The result: lost hours, lost revenue and definitely no three-day weekend. The client will be disappointed, at the very least, and will probably not work with you or your firm ever again.
There is also a liability aspect to the data loss, which may lead the client to pursue legal action to recover damages. Court fines might also be assessed if a filing is missed due to the lost work product.
On the other hand, if you complied with your firm’s policies regarding backup and encryption of your laptop, then, notwithstanding a few apologetic phone calls, you can rest easy. That proprietary data is safe and the firm doesn’t have to notify the client (and regulators, if applicable) about a data breach. Your work can be restored from a backup, so you don’t have to cancel your plans or scramble to recreate it.
In other verticals, the scenario might be a little different but the end result is basically the same. Compliance with ISMS policies equals no worries. Failure to comply equals mounting costs and other negative consequences at every turn.
To get started with establishing information security management policies and procedures for your organization in alignment with your specific risk profile, contact Pivot Point Security.