In the legal industry, attorney-client trust is critical and depends on a law firm’s ability to safeguard a client’s sensitive information: documents, business dealings and intellectual property. This was a lot easier to do when most documents were on paper and required physical presence to access. Now, most sensitive data has shifted to electronic formats and is stored on computers connected to the Internet.
Information that law firms amass is a veritable treasure trove for hackers and so law firms big and small are quickly becoming attractive targets for cyber attackers. According to the American Bar Association’s 2018 study, overall 23% of respondents reported that their firms had experienced a security breach at some point. The highest reported breach rate—42%—is for practices with between 50 and 99 attorneys.
While breaches don’t always make national news, attacks are growing in frequency. Hackers know that most law firms usually have less sophisticated security programs, house valuable confidential data including trade secrets, medical documents and financial data, and that they represent a vulnerable entry point into larger targets.
Adding to the cybersecurity challenge facing law firms is the industry trend of mergers and acquisitions. Securing the diverse technology footprints of consolidated law practices is more complicated. Raising all the offices to the same security standards, and operating under the same security umbrella, can be immensely challenging.
Unfortunately, while law firms are a major target for cyberattacks, they are not prepared. Recent industry reports say more than half of law firms do not have a dedicated information security professional, less than a third have formal cyber security training programs and most don’t have formally documented cybersecurity policies.
Poor cybersecurity can potentially result in attorney discipline, legal malpractice allegations, civil litigation or irreparable harm to a firm’s reputation—resulting in loss of clients and future business. Now more than ever, law firms need to take action to protect sensitive client and attorney data. At the same time, they need to comply with regulations that govern their clients, as well as state and federal laws.
But while attacks are increasing, law firms’ IT staffing and the time those staff have available have not kept pace.
Building up an in-house cybersecurity program is becoming increasingly challenging as security technology is becoming more complicated and more expensive, and skilled talent is becoming harder to find. A report from Cybersecurity Ventures predicts 3.5 million cybersecurity jobs will go unfilled worldwide by 2021.
For these reasons, many law firms have turned to Managed Security Service Providers to obtain Security-as-a-Service. The key benefit is that Security-as-a-Service companies can provide law firms immediate access to skilled cybersecurity professionals and field-tested security processes that become an extension of internal IT resources.
A good Security-as-a-Service provider will offer you a combination of four basic elements:
• Instant access to skilled cybersecurity expertise
• Field-tested and mature cybersecurity processes
• Technology that you may be lacking
• 24x7x365 active security coverage
Together, these elements should combine in ways that become an extension of your internal technology and IT team.
The best way to get started with a Security-as-a-Service provider is to make a checklist of considerations that are key to your business before having your first meeting. Most importantly, you want to determine which cybersecurity providers can deliver trusted advice when you are working to navigate the constantly changing cybersecurity landscape. They should become an extension of your IT team and become familiar with your business processes, compliance requirements and security goals.
Here are five ways law firms can use Security-as-a-Service to protect themselves and to protect their clients’ information:
(1) Monitoring and Hunting for Threats: Law firms need to be proactive and continuously look for threats to ensure their firm isn’t breached. The challenge is that IT teams at many firms lack the time—and sometimes lack the skills—to properly investigate the security alerts that their technology provides. A good Security-as-a-Service provider will pick up the slack and triage alarms for you, letting you know about what’s important.
Look for Security-as-a-Service providers who will quickly perform root cause analysis and implement steps to remediate a situation before the damage of a data breach becomes more extensive. Additionally, it’s important to note that many security compliance regulations call for system monitoring, incident detection and response capabilities.
(2) Responding to Incidents: Security incidents can take many forms, but, in essence, they’re a deviation from the organization’s security policy. Examples of security incidents are unusual traffic on an unsanctioned port, unauthorized access to a specific file share, or a range of other activities that violate an organization’s acceptable standards.
Risk is best mitigated by acting quickly. Without the right technology or processes in place that generate alerts when systems are compromised, the scope of an incident will grow and ultimately can result in a catastrophic business impact or even regulatory fines.
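The two incident examples above (traffic on an unsanctioned port, and access to a file share by someone outside its permitted group) can be turned into simple, repeatable checks. The following is an added illustration, not code from the article or from any provider: it parses a handful of constructed log lines in a made-up `key=value` format, compares them against an assumed sanctioned-port list and an assumed file-share access list, and returns the alerts an analyst would triage. The ports, share paths, user names and addresses are all constructed for the example.

```python
"""Constructed detector for the two incident types named in the text.

Assumptions (not from the article): the log line format, the sanctioned
port list and the file-share ACL below are illustrative stand-ins for a
firm's own policy and logging.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed policy: the only ports sanctioned for network connections.
SANCTIONED_PORTS = {53, 80, 443, 993}

# Assumed ACL: users permitted to read each file share.
SHARE_ACL = {
    "//fs01/clients/acme": {"jdoe", "asmith"},
    "//fs01/hr": {"hr_admin"},
}


@dataclass(frozen=True)
class Alert:
    kind: str     # short category used for triage
    detail: str   # human-readable summary for the analyst
    line: str     # the raw log line that produced the alert


def parse_line(line):
    """Parse '<timestamp> <event> k=v k=v ...' into (timestamp, event, fields)."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {}
    for kv in parts[2:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key] = value
    return parts[0], parts[1], fields


def check_line(line):
    """Return the list of alerts (possibly empty) raised by one log line."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    _, event, f = parsed
    alerts = []
    if event == "conn":
        try:
            port = int(f.get("dport", ""))
        except ValueError:
            return [Alert("malformed", "missing or non-numeric dport", line)]
        if port not in SANCTIONED_PORTS:
            alerts.append(Alert("unsanctioned_port",
                                f"{f.get('src')} -> {f.get('dst')}:{port}", line))
    elif event == "share_access":
        share, user = f.get("share", ""), f.get("user", "")
        allowed = SHARE_ACL.get(share)
        if allowed is None:
            alerts.append(Alert("unknown_share",
                                f"{user} accessed unlisted share {share}", line))
        elif user not in allowed:
            alerts.append(Alert("unauthorized_share_access",
                                f"{user} accessed {share}", line))
    return alerts


def triage(lines):
    """Run every line through the checks and return all alerts in log order."""
    alerts = []
    for line in lines:
        alerts.extend(check_line(line))
    return alerts


def summarize(alerts):
    """Count alerts by kind so the important categories surface first."""
    return dict(Counter(a.kind for a in alerts))


# Constructed sample log: one benign connection, one to an unsanctioned port,
# one permitted share read, one share read by an unlisted user, and one
# inbound connection to a port outside the sanctioned list.
SAMPLE_LOG = [
    "2024-03-01T09:00:01Z conn dir=out src=10.0.1.15 dst=203.0.113.7 dport=443",
    "2024-03-01T09:00:05Z conn dir=out src=10.0.1.22 dst=198.51.100.9 dport=4444",
    "2024-03-01T09:01:10Z share_access user=jdoe share=//fs01/clients/acme action=read",
    "2024-03-01T09:01:12Z share_access user=tmp_contractor share=//fs01/hr action=read",
    "2024-03-01T09:02:00Z conn dir=in src=203.0.113.7 dst=10.0.1.15 dport=3389",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for a in found:
        print(f"[{a.kind}] {a.detail}")
    print(summarize(found))
```

Run as a script it prints three alerts (two unsanctioned ports and one unauthorized share read) and a per-kind count; the permitted read by `jdoe` produces nothing. In practice the sanctioned-port list and the share ACL would come from the firm's documented policy, which is exactly why the text treats a written security policy as the baseline an incident is measured against.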
(3) Maturing Security Processes: It’s important to have solid, tested and repeatable processes in place when incidents arise. But most law firms lack the skills to develop—or the time to constantly update—security processes that stay up-to-date with their evolving business systems and evolving threat vectors. Security-as-a-Service providers can give you immediate access to field-tested processes that are the product of thousands of hours of work based on knowledge gained from hundreds of customer environments.
(4) Patching Systems: Sophisticated attackers exploit unpatched and misconfigured software every day, which makes patch management a vital part of any cybersecurity program. But, while the rate that patches need to be applied is steadily increasing, lack of time and staff, as well as technical, organizational and process control challenges all contribute to why lean IT teams don’t continuously scan for vulnerabilities and regularly patch systems.
A Ponemon Research cybersecurity study found that 57% of breaches were due to an unpatched vulnerability, and that 34% of breached organizations knew they had unpatched vulnerabilities but did nothing. Those breaches could have been prevented with proper patch management.
Security-as-a-Service providers can help law firms manage a systematic program to scan for vulnerabilities and unpatched or misconfigured software across Windows, Unix, Linux and Mac servers, workstations and laptops—even applications such as Office, Adobe or Java.
Recommended scans include internal, external, authenticated and non-authenticated. These scans will help you see the hackers’ view of your internal and external vulnerabilities and help to uncover updates that need to be applied.
But finding vulnerabilities is only half the job. Your service provider should also help locate needed patches and then help with patch deployment. Most importantly, they should give you change control processes to review, approve, schedule, apply, validate, and, if needed, roll-back patches.
Having a good patch management program can make drastic improvements to a law firm’s security posture, prevent attackers from exploiting known vulnerabilities and is also key to meeting compliance mandates.
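The change-control steps listed above (review, approve, schedule, apply, validate, roll back) are easiest to get right when each step is an explicit state that the next step checks. The block below is an added example, not the article's or any vendor's tooling: it models one patch change as a small state machine, enforces that the approver is not the reviewer, refuses to apply before the scheduled window opens, and rolls back on any host where post-patch validation fails. The change id, patch id, host names and the `FakeFleet` callbacks are constructed stand-ins for a firm's real patch tooling.

```python
"""Constructed change-control record for a single patch deployment.

Assumptions (not from the article): the state names, the separation of
reviewer and approver, and the FakeFleet stand-in for real patch tooling
are all choices made for this example.
"""
from datetime import datetime, timedelta, timezone


class ChangeError(Exception):
    """Raised when a step is attempted out of order or outside its window."""


class PatchChange:
    def __init__(self, change_id, patch_id, hosts):
        self.change_id = change_id
        self.patch_id = patch_id
        self.hosts = list(hosts)
        self.state = "REVIEW"
        self.window_start = None
        self.history = []  # (state, actor, note) audit trail for the change record

    def _move(self, state, actor, note=""):
        self.state = state
        self.history.append((state, actor, note))

    def approve(self, approver, reviewer):
        if self.state != "REVIEW":
            raise ChangeError(f"cannot approve from state {self.state}")
        # Separation of duties: whoever reviewed the patch may not also approve it.
        if approver == reviewer:
            raise ChangeError("approver must differ from reviewer")
        self._move("APPROVED", approver, f"reviewed by {reviewer}")

    def schedule(self, window_start):
        if self.state != "APPROVED":
            raise ChangeError(f"cannot schedule from state {self.state}")
        self.window_start = window_start
        self._move("SCHEDULED", "scheduler", window_start.isoformat())

    def apply(self, now, apply_fn):
        if self.state != "SCHEDULED":
            raise ChangeError(f"cannot apply from state {self.state}")
        if now < self.window_start:
            raise ChangeError("maintenance window has not opened")
        for host in self.hosts:
            apply_fn(host, self.patch_id)
        self._move("APPLIED", "deployer", f"{len(self.hosts)} hosts")

    def validate(self, check_fn, rollback_fn):
        """Check every host; roll back only the hosts that fail. Returns the failures."""
        if self.state != "APPLIED":
            raise ChangeError(f"cannot validate from state {self.state}")
        failed = [h for h in self.hosts if not check_fn(h, self.patch_id)]
        if failed:
            # Hosts that validated keep the patch; only failures are reverted.
            for host in failed:
                rollback_fn(host, self.patch_id)
            self._move("ROLLED_BACK", "deployer", "failed: " + ",".join(failed))
        else:
            self._move("VALIDATED", "deployer")
        return failed


class FakeFleet:
    """Constructed stand-in for real patch tooling: tracks installs in memory."""

    def __init__(self, hosts, breaks_on=()):
        self.installed = {h: set() for h in hosts}
        self.breaks_on = set(breaks_on)  # hosts where the patch will fail validation

    def apply(self, host, patch_id):
        self.installed[host].add(patch_id)

    def check(self, host, patch_id):
        return patch_id in self.installed[host] and host not in self.breaks_on

    def rollback(self, host, patch_id):
        self.installed[host].discard(patch_id)


WINDOW = datetime(2024, 3, 2, 2, 0, tzinfo=timezone.utc)  # constructed window


def run_demo():
    """Walk one constructed change through the full process; ws-02 fails validation."""
    fleet = FakeFleet(["ws-01", "ws-02", "srv-01"], breaks_on=["ws-02"])
    change = PatchChange("CHG-EXAMPLE-0001", "PATCH-EXAMPLE-001", fleet.installed)
    change.approve(approver="it_manager", reviewer="sec_analyst")
    change.schedule(WINDOW)
    change.apply(now=WINDOW + timedelta(minutes=5), apply_fn=fleet.apply)
    failed = change.validate(fleet.check, fleet.rollback)
    return change, fleet, failed


def apply_before_window_is_refused():
    """True if applying an hour before the scheduled window raises ChangeError."""
    change = PatchChange("CHG-EXAMPLE-0002", "PATCH-EXAMPLE-002", ["h1"])
    change.approve(approver="a", reviewer="b")
    change.schedule(WINDOW)
    try:
        change.apply(now=WINDOW - timedelta(hours=1), apply_fn=lambda h, p: None)
    except ChangeError:
        return True
    return False


if __name__ == "__main__":
    chg, fl, bad = run_demo()
    print(chg.state, bad)
    for entry in chg.history:
        print(entry)
```

The audit trail in `history` is what an auditor or a client-requested security review would ask for: who approved, when it was scheduled, and what was rolled back and why. Rolling back only the failed hosts is a deliberate choice here so that hosts where the patch validated stay protected; a firm that prefers an all-or-nothing change would revert every host instead.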
(5) Compliance: On top of monitoring and responding to incidents and patching systems, law firms must also make sure they are effectively meeting compliance regulations by following security best practices.
Law firms, now more than ever, are facing increasing cybersecurity obligations from state bars, the ABA, and even from clients. Critically, law firms need to support the compliance mandates that their clients operate under—HIPAA, SOX, CCPA, GDPR etc. Protecting client information, passing client-required security audits and adhering to clients’ regulatory compliance mandates are driving law firms to adopt cybersecurity services. Recent industry reports say almost half of law firms had their data security practices audited by at least one corporate client in the past year.
Compliance can be a major challenge since different industry regulations have specific requirements. Look for Security-as-a-Service providers who will help you with client-requested audits, and that help prepare documents and artifacts to satisfy your compliance requirements.
Cybersecurity for law firms of any size can be daunting. The good news is you don’t have to do it all yourself. When you can’t add headcount—and you don’t want to buy or deploy software—Security-as-a-Service can help you increase the quality of your cybersecurity program—across one, or many, locations.
By leveraging Security-as-a-Service as part of your law firm’s cybersecurity posture, you can make it more manageable. In the end, everyone’s goal is the same—to keep client and attorney data safe and out of the hands of a cyber attacker.
Mike Cote is vice president of products and solutions at Cygilant.