Differences

This shows you the differences between two versions of the page.

--- thinking_about_security [2019/08/05 17:14] – neil
+++ thinking_about_security [2021/07/06 09:26] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 =====Thinking about security=====
-Key points:
+====Key points:====
-  * [[#You are never going to be “perfectly secure”|You are never going to be “perfectly secure”]]
+  * [[thinking_about_security#Be realistic, and think about client experience|Be realistic, and think about client experience]]
-  * [[#Security is ongoing|Security is ongoing]]
+  * [[thinking_about_security#You are never going to be “perfectly secure”|You are never going to be “perfectly secure”]]
+  * [[thinking_about_security#Talk to your clients|Talk to your clients]]
+  * [[thinking_about_security#Security is ongoing|Security is ongoing]]
+====Be realistic, and think about client experience ====
+Security is important. So is client experience.
+Some security controls are appropriate for highly confidential information, but some are less appropriate for less confidential information — the likelihood of harm, or the severity of the harm, does not justify the intrusion or inconvenience.
+There comes a point at which providing security makes it more difficult for the client to work with you, contrary to their best interests.
 ====You are never going to be “perfectly secure”====
-Even if it was possible to protect everything against every possible attack – and I suspect that, technically, that’s simply not the case — it is not going to be affordable to do so.
+Even if it was possible to protect against every possible attack while still being able to do your job – and I suspect that, technically, that’s simply not the case — it is not going to be affordable to do so.
 If anyone insists that you must be perfectly or absolutely secure, they are asking you to do something which is unachievable.
+What's important is that you are adequately protected against the realistic risks facing you.
+====Talk to your clients ====
+If your clients are themselves experts, consider letting them take the lead.
+If you act for a tech-aware client, who you know uses encryption for some communications, and they send instructions by unencrypted email, it may be reasonable for you to respond in kind.
+Likewise, if they send encrypted attachments, you likely want to do so as well.
+(You might always want to //offer// encrypted communications, so that less tech-aware clients realise that this is an option.)
 ====Security is ongoing====
-Threats change, and means of protecting against those threats change. So security is an issue which you are going to need to continue to address, as one of the many ongoing responsibilities of being a lawyer.
+Threats change, and the means of protecting against those threats changes. Security is an issue which you are going to need to continue to address, as one of the many ongoing responsibilities of being a lawyer.
 If you are hoping that you can do something, put a tick in a box, and move on, never to think about it again, you’re going to be disappointed.