Cybersecurity-as-a-Service Can Help Law Firms Protect Client Information, and Satisfy Client Audits
By leveraging Security-as-a-Service as part of your law firm's cybersecurity posture, you can make it more manageable.
May 10, 2019 at 01:10 PM
In the legal industry, attorney-client trust is critical and depends on a law firm's ability to safeguard a client's sensitive information: documents, business dealings and intellectual property. This was a lot easier to do when most documents were on paper and required physical presence to access. Now, most sensitive data has shifted to electronic formats and is stored on computers connected to the Internet.
Information that law firms amass is a veritable treasure trove for hackers and so law firms big and small are quickly becoming attractive targets for cyber attackers. According to the American Bar Association's 2018 study, overall 23% of respondents reported that their firms had experienced a security breach at some point. The highest reported breach rate—42%—is for practices with between 50 and 99 attorneys.
While breaches don't always make national news, attacks are growing in frequency. Hackers know that most law firms have less sophisticated security programs, house valuable confidential data including trade secrets, medical documents and financial data, and represent a vulnerable entry point into larger targets.
Adding to the cybersecurity challenge facing law firms is the industry trend of mergers and acquisitions. Securing the diverse technology footprints of consolidated law practices is more complicated. Raising all the offices to the same security standards, and operating under the same security umbrella, can be immensely challenging.
Unfortunately, while law firms are a major target for cyberattacks, they are not prepared. Recent industry reports say more than half of law firms do not have a dedicated information security professional, less than a third have formal cybersecurity training programs and most don't have formally documented cybersecurity policies.
Poor cybersecurity can potentially result in attorney discipline, legal malpractice allegations, civil litigation or irreparable harm to a firm's reputation—resulting in loss of clients and future business. Now more than ever, law firms need to take action to protect sensitive client and attorney data. At the same time, they need to comply with regulations that govern their clients, as well as state and federal laws.
But while attacks are increasing, law firms' IT staffing and the time available to that staff have not.
Building up an in-house cybersecurity program is becoming increasingly challenging as security technology is becoming more complicated and more expensive, and skilled talent is becoming harder to find. A report from Cybersecurity Ventures predicts 3.5 million cybersecurity jobs will go unfilled worldwide by 2021.
For these reasons, many law firms have turned to Managed Security Service Providers to obtain Security-as-a-Service. The key benefit is that Security-as-a-Service companies can provide law firms immediate access to skilled cybersecurity professionals and field-tested security processes that become an extension of internal IT resources.
Security-as-a-Service
A good Security-as-a-Service provider will offer you a combination of four basic elements:
• Instant access to skilled cybersecurity expertise
• Field-tested and mature cybersecurity processes
• Technology that you may be lacking
• 24x7x365 active security coverage
Together, these elements should combine in ways that become an extension of your internal technology and IT team.
The best way to get started with a Security-as-a-Service provider is to make a checklist of considerations that are key to your business before having your first meeting. Most importantly, you want to determine which cybersecurity providers can deliver trusted advice when you are working to navigate the constantly changing cybersecurity landscape. They should become an extension of your IT team and become familiar with your business processes, compliance requirements and security goals.
Here are five ways law firms can use Security-as-a-Service to protect themselves and to protect their clients' information:
(1) Monitoring and Hunting for Threats: Law firms need to be proactive and continuously look for threats to ensure their firm isn't breached. The challenge is that IT teams at many firms lack the time—and sometimes lack the skills—to properly investigate the security alerts that their technology provides. A good Security-as-a-Service provider will pick up the slack and triage alarms for you, letting you know about what's important.
Look for Security-as-a-Service providers who will quickly perform root cause analysis and implement steps to remediate a situation before the damage of a data breach becomes more extensive. Additionally, it's important to note that many security compliance regulations call for system monitoring, incident detection and response capabilities.
(2) Responding to Incidents: Security incidents can take many forms, but, in essence, they're a deviation from the organization's security policy. Examples of security incidents are unusual traffic on an unsanctioned port, unauthorized access to a specific file share, or a range of other activities that violate an organization's acceptable standards.
Risk is best mitigated by acting quickly. Without the right technology or processes in place that generate alerts when systems are compromised, the scope of an incident will grow and ultimately can result in a catastrophic business impact or even regulatory fines.
(3) Maturing Security Processes: It's important to have solid, tested and repeatable processes in place when incidents arise. But most law firms lack the skills to develop—or the time to constantly update—security processes that stay up-to-date with their evolving business systems and evolving threat vectors. Security-as-a-Service providers can give you immediate access to field-tested processes that are the product of thousands of hours of work based on knowledge gained from hundreds of customer environments.
(4) Patching Systems: Sophisticated attackers exploit unpatched and misconfigured software every day, which makes patch management a vital part of any cybersecurity program. But while the rate at which patches need to be applied is steadily increasing, lack of time and staff, together with technical, organizational and process control challenges, explains why lean IT teams don't continuously scan for vulnerabilities and regularly patch systems.
A Ponemon Research cybersecurity study found that 57% of breaches were due to an unpatched vulnerability, and that 34% of breached organizations knew they had unpatched vulnerabilities but did nothing. Those breaches could have been prevented with proper patch management.
Security-as-a-Service providers can help law firms manage a systematic program to scan for vulnerabilities and unpatched or misconfigured software across Windows, Unix, Linux and Mac servers, workstations and laptops—even applications such as Office, Adobe or Java.
Recommended scans include internal, external, authenticated and non-authenticated. These scans will help you see the hackers' view of your internal and external vulnerabilities and help to uncover updates that need to be applied.
But finding vulnerabilities is only half the job. Your service provider should also help locate needed patches and then help with patch deployment. Most importantly, they should give you change control processes to review, approve, schedule, apply, validate and, if needed, roll back patches.
A good patch management program can drastically improve a law firm's security posture, prevent attackers from exploiting known vulnerabilities and is also key to meeting compliance mandates.
(5) Compliance: On top of monitoring and responding to incidents and patching systems, law firms must also make sure they are effectively meeting compliance regulations by following security best practices.
Law firms, now more than ever, are facing increasing cybersecurity obligations from state bars, the ABA, and even from clients. Critically, law firms need to support the compliance mandates that their clients operate under—HIPAA, SOX, CCPA, GDPR etc. Protecting client information, passing client-required security audits and adhering to their clients' regulatory compliance mandates are driving law firms to adopt cybersecurity services. Recent industry reports say almost half of law firms had their data security practices audited by at least one corporate client in the past year.
Compliance can be a major challenge since different industry regulations have specific requirements. Look for Security-as-a-Service providers who will help you with client-requested audits, and that help prepare documents and artifacts to satisfy your compliance requirements.
Summing Up
Cybersecurity for law firms of any size can be daunting. The good news is you don't have to do it all yourself. When you can't add headcount—and you don't want to buy or deploy software—Security-as-a-Service can help you increase the quality of your cybersecurity program—across one, or many, locations.
By leveraging Security-as-a-Service as part of your law firm's cybersecurity posture, you can make it more manageable. In the end, everyone's goal is the same—to keep client and attorney data safe and out of the hands of a cyber attacker.
Mike Cote is vice president of products and solutions at Cygilant.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.