Light Dark
February 16, 2018 By Kevin Beaver 3 min read
CISO
Risk Management

When it comes to IT security-related risks, law firms are a prime target. Unfortunately, law firm security is not where it needs to be. Think about it: There’s a ton of juicy information on any given law firm network, and it’s all stored on mobile devices, email systems, web portals and more, both locally and in the cloud.

These organizations are concentrated sources of intellectual property and other sensitive business information, including:

  • Client trade secrets;
  • Attorney-client privileged information involving past, current and future cases;
  • Strategies and tactics involving approaches to litigation;
  • Details on mergers and acquisitions; and
  • Personally identifiable information (PII) as part of security incident investigations.

Not only do law firm network environments serve as an entry point to all this sensitive information, but many organizations are behind the times in terms of allocating reasonable funds to bolster security and minimize risks. This creates the perfect scenario for cybercriminals.

The Risks of an IT-Centric Approach to Law Firm Security

It’s easy for legal professionals to assume that they don’t have anything of value to cybercriminals and that their firm is not a target, but the threat is real. It might even come from inside the network in the form of a negligent or conniving employee exposing sensitive records. External threats could include competitors or foreign governments looking to disrupt legal operations or steal information.

In my experience working in the legal field, IT employees have had to lead the charge for security. Larger firms have begun hiring chief information security officers (CISOs), but many still take an IT-centric approach to security tasks, including:

  • Policy development;
  • Policy enforcement;
  • Ongoing information risk oversight; and
  • Security assessment and audit.

Whether in-house or outsourced, IT management of security functions can lead to a false sense of security among law firm partners and other stakeholders. Perhaps even more dangerous, I have seen situations in which firm partners with little to no IT or security background were in charge of security and risk management. This cost-saving shortcut to security can create more liabilities than it mitigates.

Assuring Clients and Preparing for a Breach

It’s one thing to have a dysfunctional security program, but when it becomes known, bigger issues arise. For example, when law firm clients start questioning security initiatives via those dreaded security questionnaires or worse, a breach occurs, the core of the law firm’s business, integrity and livelihood are impacted. To nip these issues in the bud, law firms must:

  • Manage oversight of security initiatives.
  • Document security policies along with disaster recovery and incident response plans.
  • Implement reasonable security technologies, and hire the right personnel to help enforce policies and oversee sensitive information.
  • Establish a cyber liability insurance policy.
  • Conduct periodic vulnerability and penetration testing.

Preventing security breaches is a worthy goal, but security leaders must also prepare to respond to exploits and outages that will inevitably get through the organization’s defenses. Otherwise, the firm will develop a reputation for negligence and recklessness.

To demonstrate that they are integrating security into the firm’s business practices, security teams should take the following steps.

  1. Know what you’ve got, including intellectual property and PII, along with critical systems and the vendors involved.
  2. Understand how it’s all at risk, including both technical and operational risks that are placing these assets in harm’s way.
  3. Reconfigure business processes, technical controls and organizational culture to protect the data identified in the first step and mitigate the risks outlined in the second step.

Collectively, this approach to information security involves a deep understanding of how both the business and the technology operates in the course of client representation. The key is to understand that you cannot secure the things you don’t acknowledge. Overlooking both technical and nontechnical areas of the practice that deal with sensitive information will lead to a misunderstanding of how security needs to be addressed, and that’s when security breaches happen.

Laying Down the Law on Security Practices

These best practices go beyond security. The American Bar Association’s Center for Professional Responsibility documented its own industry-specific guidance for protecting client information in its “Model Rules of Professional Conduct.” These rules involve not only understanding the technologies you’re using in your law firm, but also demonstrating reasonable efforts to properly handle and secure sensitive information.

Security is not that complicated until it is. That’s why law firms should heed Stein’s Law and address security gaps now before a data breach occurs.

 |  |  |  |  |  | 
Kevin Beaver
Independent Information Security Consultant

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature