With all the attention given to cybersecurity, law firms would do well to remember to pay attention to the firm's physical security as well, especially with expanded remote working
Given the immense amount of critical information that now exists solely in electronic form, law firms are wise to increase the ways that they protect their digital data repositories, particularly in light of increasing ransomware and other cyber-attacks. However, law firms should not forget about the continuing need for physical security. especially when so many legal professionals are working remotely at least part-time. Today, the need for physical security has risen dramatically, even though this attracts far less attention than cybercrime.
Physical security protects i) employees and ii) the physical assets of an organization against a broad range of threats. This includes protecting employees from workplace violence; protecting sensitive or valuable information (for example, locking file cabinets to securely store sensitive client documents and installing alarms on valuable works of art); and protecting infrastructure, such as monitoring for fire, water leaks, natural disasters, and break-ins.
How to think of physical security
Most people tend to think of physical security in terms of patrolling security guards, self-locking doors, security cameras, and automatic lights. We see these things so often that they become virtually invisible as we take these measures for granted. In the past year, however, the move from a centralized office model to a distributed workforce working from home has meant that these security services and systems are not available outside empty (or partially empty) offices, even as critical work is taking place in lower security locations. This increases the risk of physical security breaches, including some that have potential to become cybersecurity threats.
Temporarily empty offices also lose a powerful protection — the everyday workforce. Employees who work in the same space every day are much more likely to spot items out of place or other issues than if they only visit that workspace infrequently. Without a regular employee presence, informal but effective “if you see something, say something” security measures are materially weaker than they would otherwise be.
One key aspect of the centralized office is that all employees work in a single location, under roughly similar conditions, making it possible to apply a unified set of security tools and solutions to everyone at the same time. However, when employees work from home or other remote locations, the same physical security cannot easily be extended to hundreds of places, each with unique placement and potential weaknesses. As a result, in theory at least, it is far easier for an intruder or thief to gain access to these remote work locations.
Fortunately, as a practical matter, most remote work locations are not high-visibility locations and, statistically at least, are relativity safe repositories for law firm information, though not necessarily for the employees themselves. People generally feel safe at home, and home break-ins, especially for documents, remain relatively infrequent. However, if a specific target is identified (for example, a managing partner’s house) and an incident such as a laptop theft does occur, law firm security resources will not be nearby to help.
Further challenges arise when employees set up their own alternate work locations. The need for socially distanced workspaces has led to an explosion of repurposed garden sheds, RVs, travel trailers, and other non-traditional structures being made into private offices and workspaces. Some of these locations have proven surprisingly effective for individual employee productivity, but they provide even less physical security than a house or other mainstream structure, with camouflage (the unexpected use) serving as primary security.
Assessing physical security for your organization
Physical security needs vary tremendously from organization to organization, and from office to office. Organizations should look to their own risk factors and highest value assets, both physical and intellectual, as well as their physical environment to assess the protocols that they may need to have in place.
For example, a law firm in a building that maintains its own separate security measures will have different needs than a firm occupying an entire building with sole responsibility for building and infrastructure security. Firms should also review their current staffing to identify who, if anyone, is qualified to conduct a competent assessment of existing security measures. It is likely that a law firm may need to look to an outside specialist for appropriate expertise. Often, specialists in cybersecurity may have recommendations for someone specializing in physical security — and vice versa.
Assessing risks facing an organization’s remote workforce presents additional complications because this analysis must rely in large part on self-reporting by employees about their immediate workspaces and practices. Typical areas of weakness include the non-secure storage of work laptop computers (data may be encrypted, but the device can still be stolen) and other equipment, as well as the inconsistent storage of sensitive hardcopy materials. However, a comprehensive assessment should examine more. Do employees lock the doors to their residences at night? Do all employees have cell phones or some other way to alert authorities in case of an emergency? These may be sensitive issues for some employees, but they remain part of a law firm’s physical security risk matrix in today’s decentralized workplace environment.
Ultimately, a physical security assessment should accomplish several basic goals. It should identify and rank assets by value, and it should identify priorities and strategies for protecting assets, both in terms of materials and employees. A good assessment will also review redundancy in existing security measures. Redundancy does not necessarily mean that equivalent backup systems are in place — this is typically unnecessary and cost-prohibitive. However, good redundancy measures should include monitoring existing security measures so that any failure is quickly identified, with procedures in place to provide spot coverage, such as extra security guards or the temporary use of retired security cameras and equipment, until the primary system failure has been resolved.
Ultimately, it is important to remember that perfect security is impossible — a sufficiently motivated interloper will almost always be able to exploit something to penetrate law firm security. However, a good assessment should help lower that risk and help organizations find an appropriate balance among security, cost, and inconvenience.
Building best practices to maximize physical security
Every organization uses a combination of technology, human oversight, and employee behavior to build effective physical security systems. But the best security system cannot keep out intruders if employees don’t remember to lock doors behind them. In turn, the most security-conscious employees will be limited in what they can do if they lack the ability to lock filing cabinets and desk drawers and don’t have access to emergency panic buttons (or cell phone speed dial numbers) in strategic locations.
Spy thrillers typically focus on ways that intruders compromise technology to infiltrate physical locations. In real life, it is far more likely that clever social engineering will require less effort to accomplish the same objective. It is tempting to rely on employee training sessions and signed agreements to “manage risk,” but such measures provide paper protection, not necessarily real-life support. Much in the same way that organizations test digital security measures with phishing and white-hat hacker penetration exercises, organizations should consider conducting live tests of physical security measures. Will employees report suspicious behavior? Will they take effective measures if they feel they are being threatened? Sometimes, only a practical test can help answer those questions and identify topics for high-value follow-up training.
Effective physical security receives less attention than cybercrime, and it is sometimes viewed as a problem that has largely been solved. However, a thoughtful physical security assessment, designed and managed by a security specialist, will likely discover gaps in an organization’s security infrastructure and help identify additional cost-effective protective measures to maintain or increase existing security.
In a time of innovation in the future of the workplace, this modest investment could pay significant dividends for law firms and businesses alike.