Fifteen years ago, the Harvard Business Review asked its readers, “Can you trust your law firm?” The question then referred to whether corporate lawyers were providing sound advice to their clients. Today, it would also have to account for their approach to cybersecurity.
The entire legal industry faces unique challenges in ensuring proper stewardship of client materials, due to:
- Widespread sharing of confidential documents–from mergers and acquisitions to tax filings–that firms must process and protect; these valuable assets can be sought for purposes like insider trading, making them magnets for cyberattacks
- The uptick in sophisticated threats specifically targeting law firms; notable incidents include the recent breach of the Bermuda-based Appleby, resulting in the Paradise Papers exposure, and the similar Panama Papers leak in 2016
- Underinvestment in security-specific personnel, as well as in technologies capable of defending networks from attacks; a recent study published in The American Lawyer found that only 38 percent of surveyed firms actually employed an information security executive
Clients are acutely aware of such issues, since they regularly face similar pressures on their own operations. They have extended cybersecurity concerns beyond their internal controls and into their lawyers’ practices. It has become a key issue for forward-thinking companies when shopping for law firms.
Client Privileges: Higher Security Expectations for Law Firms
While underinvestment is still a major hurdle to effective cyberdefense in the legal field, these heightened expectations are driving new security initiatives and awareness. According to the 2016 ABA Legal Technology survey, almost one-third (30.7 percent) of all law firms reported receiving security requirements lists from current and/or potential clients. The share was even higher (62.8 percent) among firms serving Fortune 500 companies.
What do these requirements typically include? Fundamentally, they often stipulate how a firm should use and store client data, and set performance benchmarks for detection and response. Clients also try to determine whether a firm has basic protections in place–such as a fully staffed cybersecurity team, a properly tested set of security practices, a thoroughly evaluated IT environment, and a cyber liability insurance policy.
ALM Legal Intelligence has determined that many firms have yet to put even the most basic security controls in play. For example, over a fifth (22 percent) do not have plans in place for how to properly respond to a data breach. That’s a significant liability, considering the current and expected threat environment.
Unlimited Liability: Assessing the Security Risks Facing Law Firms Today
The legal industry is a frequent target of all types of advanced cyberattacks. In June 2017, multinational DLA Piper revealed it was victimized by a coordinated ransomware campaign, one of several such high-profile incidents during the year. Plus, the 2017 Verizon Data Breach Investigations Report identified the particular susceptibility of the broader professional services sector to cyberespionage and distributed denial-of-service (aka DDoS) attacks.
There are numerous overlapping causes of these vulnerabilities, including:
- Lack of sufficient risk assessments: IT teams at many law firms are overburdened and short on in-house security experts, often leaving them unable to conduct crucial evaluations and training; this situation is common in all verticals–the 2018 State of IT report from Spiceworks revealed a plurality (48 percent) of IT teams expected no change in staff in 2018–but it’s compounded by underinvestment in IT across the legal sphere
- Less security regulation: Unlike tightly regulated fields such as health care, accounting and government, law is not beholden to any cybersecurity compliance frameworks; lawyers might interact with PCI DSS, HIPAA, SOX, FISMA, etc. on a case-by-case basis, but there’s no rigorous universal equivalent to these standards for their own profession
- A wide range of attack vectors: The high-profile attacks mentioned earlier (e.g., the Paradise and Panama Papers) were targeted attacks, the work of activists with deep resources and expertise who sought a treasure trove of sensitive information; at the same time, seemingly minor weaknesses, like outdated printer software, can also lead to data exfiltration, as revealed in an incident documented by the Securities and Exchange Commission’s Office of Internet Enforcement
What can law offices do to reduce such elevated levels of risk? Growing reliance on internet-connected services, coupled with shorthanded internal IT teams, creates a recipe for perpetual struggles in network security. Recently, however, there have been some important developments in applicable standards.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is often cited as a practical set of controls. Once it (or an alternative, such as ISO 27001/2) is in place, it’s easier to assess your environments and satisfy clients’ regulators when they perform security checks. It also lays the groundwork for technical solutions such as security operations centers (SOCs). A SOC, especially when delivered via the flexible SOC-as-a-service model, combines professional, dedicated concierge engineers and scalable processes with a cloud-based security information and event management (SIEM) platform for comprehensive security.
Legal Defense: Protecting Data from Theft with a SOC
Why is a subscription-based SOC-as-a-service an ideal fit for the legal profession? For starters, it helps address the financial constraints law firms frequently encounter. Fees are predictable and total cost of ownership over several years is often a fraction of a comparable solution installed and maintained on-premises.
Moreover, SOC-as-a-service provides protection without the need to overwork an internal team or hire additional personnel to monitor the system 24/7. The SIEM within the SOC aggregates logs from disparate systems, while expert security engineers respond to relevant alerts. It combines the people, process and technology needed for comprehensive, round-the-clock cybersecurity.
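To make concrete what "aggregates logs from disparate systems" and "responds to relevant alerts" means, here is an added, self-contained Python sketch of the core of a SIEM pipeline. It is illustrative code written for this page, not the article's own material or any vendor's product: the two log sources (a syslog-style VPN gateway and a JSON-lines document management system audit log), their field names, the sample lines and the two detection rules with their thresholds are all constructed assumptions. It shows the three steps a SOC's tooling performs before an engineer ever sees an alert: parse each source into one common event schema, merge the streams into a single timeline, and run correlation rules over that timeline.

```python
"""Toy SIEM-style log aggregation and alerting (added example, not from the article).

Normalises log lines from two constructed sources into one event schema,
merges them into a single timeline and runs two detection rules over it.
Source formats, field names, sample data and thresholds are assumptions.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input 1: syslog-style VPN gateway log (hypothetical "vpnd" format).
VPN_LOG = """\
2018-03-05T18:01:10Z vpn-gw vpnd: user=jdoe result=FAIL src=203.0.113.7
2018-03-05T18:01:14Z vpn-gw vpnd: user=jdoe result=FAIL src=203.0.113.7
2018-03-05T18:01:19Z vpn-gw vpnd: user=jdoe result=FAIL src=203.0.113.7
2018-03-05T18:01:25Z vpn-gw vpnd: user=jdoe result=OK src=203.0.113.7
2018-03-05T18:05:00Z vpn-gw vpnd: user=asmith result=OK src=198.51.100.2
"""

# Constructed sample input 2: JSON-lines audit log from a document management system.
DMS_LOG = """\
{"ts": "2018-03-05T18:02:00Z", "actor": "jdoe", "event": "export", "doc": "MA-0001"}
{"ts": "2018-03-05T18:02:30Z", "actor": "jdoe", "event": "export", "doc": "MA-0002"}
{"ts": "2018-03-05T18:03:10Z", "actor": "jdoe", "event": "export", "doc": "MA-0003"}
{"ts": "2018-03-05T18:03:40Z", "actor": "jdoe", "event": "view", "doc": "MA-0004"}
{"ts": "2018-03-05T18:04:00Z", "actor": "jdoe", "event": "export", "doc": "MA-0004"}
{"ts": "2018-03-05T18:05:30Z", "actor": "jdoe", "event": "export", "doc": "MA-0005"}
{"ts": "2018-03-05T18:06:00Z", "actor": "asmith", "event": "export", "doc": "TAX-0100"}
{"ts": "2018-03-05T18:07:00Z", "actor": "jdoe", "event": "export", "doc": "MA-0006"}
"""

VPN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ vpnd: user=(?P<user>\S+) result=(?P<result>\w+) src=(?P<src>\S+)$"
)


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps both sources use."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_vpn(text):
    """Map syslog-style VPN lines onto the common event schema; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue  # a real SIEM would count these as parse errors for the engineers to review
        events.append({"ts": parse_ts(m["ts"]), "source": "vpn", "user": m["user"],
                       "action": "login_ok" if m["result"] == "OK" else "login_fail",
                       "detail": m["src"]})
    return events


def normalize_dms(text):
    """Map JSON-lines DMS audit records onto the same schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({"ts": parse_ts(rec["ts"]), "source": "dms", "user": rec["actor"],
                       "action": rec["event"], "detail": rec["doc"]})
    return events


def merge(*streams):
    """Aggregate all sources into one timeline ordered by timestamp."""
    return sorted((e for s in streams for e in s), key=lambda e: e["ts"])


def rule_bruteforce_then_success(events, max_fails=3, window=timedelta(minutes=5)):
    """Alert when a successful VPN login follows >= max_fails failures by the same user within the window."""
    alerts, recent = [], defaultdict(deque)
    for e in events:
        if e["source"] != "vpn":
            continue
        q = recent[e["user"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if e["action"] == "login_fail":
            q.append(e["ts"])
        elif len(q) >= max_fails:
            alerts.append({"rule": "vpn_bruteforce_success", "user": e["user"],
                           "ts": e["ts"], "failures": len(q), "src": e["detail"]})
            q.clear()
    return alerts


def rule_bulk_export(events, max_docs=5, window=timedelta(minutes=10)):
    """Alert when one user exports more than max_docs documents within the window."""
    alerts, recent = [], defaultdict(deque)
    for e in events:
        if e["source"] != "dms" or e["action"] != "export":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_docs:
            alerts.append({"rule": "dms_bulk_export", "user": e["user"],
                           "ts": e["ts"], "count": len(q)})
            q.clear()  # suppress repeats until another full burst occurs
    return alerts


def run_detections(vpn_text=VPN_LOG, dms_text=DMS_LOG):
    """Full pipeline: normalise, merge, correlate; returns the alert list for triage."""
    timeline = merge(normalize_vpn(vpn_text), normalize_dms(dms_text))
    return rule_bruteforce_then_success(timeline) + rule_bulk_export(timeline)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Run as-is, the sketch raises exactly two alerts on the constructed data: jdoe's VPN login succeeds after three failures from the same address, and jdoe then exports six documents in under ten minutes, while asmith's single login and single export produce nothing. The thresholds and windows are deliberately simple; the point for a law firm evaluating a SOC-as-a-service offering is that the value lies in this normalisation and correlation across systems, plus the people who tune the rules and triage what fires, not in any one log source on its own.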