Security Audits Trouble Small and Mid-Sized Law Firms
“Now they want screenshots.”
“Longtime clients are asking for them.”
“There’s just no way.”
These were some of the things we heard recently in conversations at a conference for leaders of small law firms.
As cybersecurity audits from corporate clients become commonplace, smaller firms are feeling the brunt.
Security audits are not exactly new. Clients have been asking law firms to prove that they are taking security seriously for about a decade. A 2014 article in The New York Times entitled, “Law Firms Are Pressed on Security for Data” reported even then:
Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others, said people briefed on the matter who spoke on the condition of anonymity. Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections.
But as more industries beyond Wall Street have become concerned about the safety of their data, the scrutiny has intensified, becoming widespread.
The International Legal Technology Association’s (ILTA) recently released 2019 Technology Survey, which polled 537 firms, revealed that a quarter of law firms were subject to audits in the past year, up from 16% in 2016. (Accordingly, in answer to the question “What are your three biggest law firm security challenges?” 24% cited “client security requirements,” up from 14% in 2016). And the statistic seems poised to keep going up.
What Do the Audits Want?
As they shore up their own defenses to avoid a potentially disastrous, high-profile data breach, corporations are looking to their legal representation to do the same. To continue working with their favorite outside attorneys, companies have to ensure those law firms will not constitute a weak link in their data privacy programs.
Security audits ask for proof that the latest defensive technology and processes are in place. The detailed questionnaires, which started appearing within the last five years, have lengthened in that time, often running to 90 pages or more. They now request more evidence and granularity, including questions about specific configurations. On-site inspections are also increasingly part of the deal.
On a basic level, these are some of the defenses clients are requesting:
- Managed firewall
- Intrusion detection
- Anti-virus and malware protection
- Modern firewall
- Regular vulnerability testing
- Endpoint tracking and modeling
- Incident remediation
- Documented security policies and procedures
- User security awareness training
- Email targeted threat protection
- Web filtering
Security Audits Intensify Competition
The legal industry’s giants have dedicated entire units to answering security audits, which typically come from Wall Street and healthcare companies, as well as from technology companies concerned about their intellectual property. These security departments provide state-of-the-art security defenses in response to client demands, including certified security analysts tasked with round-the-clock intrusion detection.
The situation has become dire for smaller firms as clients threaten to withdraw work if security requirements aren’t met. Longstanding relationships are on the line. In some cases, clients are also requesting that firms purchase pricey insurance for data breaches to add to their malpractice coverage.
Managed Security Services Offer a Solution
What are smaller firms to do? Their legal work may be stellar, but they simply do not have the resources to build out an on-site security center.
First, it is imperative to review the state of your systems from top to bottom. You need to make sure there are no easy ways in, that you have not been penetrated already and that there are a number of basic tools that have been incorporated and operational to address intrusion, access to certain areas within your network, etc. You need to have a strong password policy as well as an on-going review of your systems 24×7, together with frequent backups, among other things. After you have all of that taken care of, you still need a service to monitor your environment and run periodic tests. The key is to understand this is not one and done. It is on-going and must be accompanied by continual user education.