If your law firm hasn’t been breached, chances are very high it will be. Cybersecurity in the legal sector is a growing concern, with cyberattacks occurring daily. Law firms are particularly susceptible to data breaches due to the nature of the information that resides on their servers and databases. Yet many may not be truly aware of the vulnerabilities and risks in their current cybersecurity posture. In fact, many firms haven’t implemented modern cybersecurity best practices to protect not just their firm’s data, but that of their clients as well.
The American Bar Association (ABA) says that one in four law firms is a victim of a data breach including hostage and ransom, user error, surveillance, hacktivism, or other malicious activity. For the remaining 75 percent of firms who’ve been lucky so far and avoided a breach, get ready: it’s not a matter of “if” but “when.”
This is an even greater concern considering the ABA’s October 2018 opinion, which states that lawyers are ethically obligated to take “reasonable steps” to monitor for data breaches and to notify current and former clients if data is compromised.
LogicForce conducted a survey in 2018 of more than 200 IT decision makers across small and medium-sized law firms (20-200 attorneys) throughout the U.S. Included among the survey’s findings:
- Fewer than half of law firms are implementing some of the top-weighted cybersecurity protocols such as multifactor authentication (47%), third-party risk assessment (37%), staffing the proper security executive (34%), and SOC monitoring (24%).
- The majority of law firms need better cybersecurity management. According to the survey responses, 67 percent of law firms place the responsibilities for implementing and managing cybersecurity policies on either IT directors or managers or some other non-IT executive at the firm. Roughly 1 in 3 firms (34%) leave these responsibilities to personnel who have specialized knowledge of cybersecurity, such as a Chief Information Security Officer or an Information Security Manager.
Despite the threats, there are numerous actions you can take to protect your firm and ensure client trust. Where should you start?
- Ensure you have a senior-level executive on your team dedicated to overseeing your cybersecurity program. Ideally, they should be a member of your C-suite or a Chief Security Officer.
- Explore options for managed detection and response (MDR) partners who can monitor, detect, and respond to threats, leveraging both technology and human analysis to augment your staff, enabling them to focus on other high-priority objectives.
- As you evaluate potential partners, be sure you have complete visibility into what’s happening behind the scenes of your security provider’s operations.
- Conduct periodic penetration test assessments to ensure you are a step ahead of the hackers and identify if your systems, services, and data are exposed to malicious actors.
Security is a real and growing concern for all law firms. The sheer number of data breaches and cyberattacks can be overwhelming for any law firm. Talk to us for help implementing your security strategy.
By Keith Sazer | Director of Business Development, CRITICALSTART
May 29, 2019