When it comes to IT security-related risks, law firms are a prime target. Unfortunately, law firm security is not where it needs to be. Think about it: There’s a ton of juicy information on any given law firm network, and it’s all stored on mobile devices, email systems, web portals and more, both locally and in the cloud.

These organizations are concentrated sources of intellectual property and other sensitive business information, including:

  • Client trade secrets;
  • Attorney-client privileged information involving past, current and future cases;
  • Strategies and tactics involving approaches to litigation;
  • Details on mergers and acquisitions; and
  • Personally identifiable information (PII) as part of security incident investigations.

Not only do law firm network environments serve as an entry point to all this sensitive information, but many organizations are behind the times in terms of allocating reasonable funds to bolster security and minimize risks. This creates the perfect scenario for cybercriminals.

The Risks of an IT-Centric Approach to Law Firm Security

It’s easy for legal professionals to assume that they don’t have anything of value to cybercriminals and that their firm is not a target, but the threat is real. It might even come from inside the network in the form of a negligent or conniving employee exposing sensitive records. External threats could include competitors or foreign governments looking to disrupt legal operations or steal information.

In my experience working in the legal field, IT employees have had to lead the charge for security. Larger firms have begun hiring chief information security officers (CISOs), but many still take an IT-centric approach to security tasks, including:

  • Policy development;
  • Policy enforcement;
  • Ongoing information risk oversight; and
  • Security assessment and audit.

Whether in-house or outsourced, IT management of security functions can lead to a false sense of security among law firm partners and other stakeholders. Perhaps even more dangerous, I have seen situations in which firm partners with little to no IT or security background were in charge of security and risk management. This cost-saving shortcut to security can create more liabilities than it mitigates.

Assuring Clients and Preparing for a Breach

It’s one thing to have a dysfunctional security program, but when it becomes known, bigger issues arise. For example, when law firm clients start questioning security initiatives via those dreaded security questionnaires or worse, a breach occurs, the core of the law firm’s business, integrity and livelihood are impacted. To nip these issues in the bud, law firms must:

  • Manage oversight of security initiatives.
  • Document security policies along with disaster recovery and incident response plans.
  • Implement reasonable security technologies, and hire the right personnel to help enforce policies and oversee sensitive information.
  • Establish a cyber liability insurance policy.
  • Conduct periodic vulnerability and penetration testing.

Preventing security breaches is a worthy goal, but security leaders must also prepare to respond to exploits and outages that will inevitably get through the organization’s defenses. Otherwise, the firm will develop a reputation for negligence and recklessness.

To demonstrate that they are integrating security into the firm’s business practices, security teams should take the following steps.

  1. Know what you’ve got, including intellectual property and PII, along with critical systems and the vendors involved.
  2. Understand how it’s all at risk, including both technical and operational risks that are placing these assets in harm’s way.
  3. Reconfigure business processes, technical controls and organizational culture to protect the data identified in the first step and mitigate the risks outlined in the second step.

Collectively, this approach to information security involves a deep understanding of how both the business and the technology operate in the course of client representation. The key is to understand that you cannot secure the things you don’t acknowledge. Overlooking either the technical or the nontechnical areas of the practice that deal with sensitive information leads to a misunderstanding of how security needs to be addressed, and that’s when security breaches happen.

Laying Down the Law on Security Practices

These best practices go beyond security. The American Bar Association’s Center for Professional Responsibility documented its own industry-specific guidance for protecting client information in its “Model Rules of Professional Conduct.” These rules involve not only understanding the technologies you’re using in your law firm, but also demonstrating reasonable efforts to properly handle and secure sensitive information.

Security is not that complicated until it is. That’s why law firms should heed Stein’s Law and address security gaps now before a data breach occurs.
