According to The American Lawyer’s 18th annual survey of law technology, a full 86 percent of technology directors and CTOs from 87 Am Law 200 firms say they are more concerned about security threats today than they were two years ago. Amid the perfect storm of heightened regulatory scrutiny, new technology such as cloud computing, and the opportunity for human error, clients are closely vetting their law firms’ and service providers’ security measures.
An agent from the FBI’s cyber crime branch in New York told The American Lawyer that law firms are increasingly the targets of cyberattacks because of the sensitive information they house about client deals and litigation. Leaving proprietary information on an external-facing network creates vulnerabilities and increases the risk that this valuable information will be stolen.
As a result, law firms are adding new types of security defenses. For example, annual security audits and testing are now de rigueur for top law firms. To bolster security on a day-to-day basis, some firms have added new IT security staff to their payroll. In addition, by hiring outside security specialists to try to hack into their systems, law firm technology directors can pinpoint and address any potential weaknesses before an actual cyberattack occurs.
But even the best-laid plans are subject to human error, which is the biggest potential gap in any organization’s security defense systems. Technology directors and CTOs should ensure that all employees are educated on the potential threats that can affect the organization and be equipped with techniques to guard against them. For example, sophisticated cybercriminals target law firms with authentic-looking e-mails that can, if clicked, infect an entire network system with malicious code to extract sensitive data. Each member of the firm, regardless of position or title, must be knowledgeable and remain vigilant against potential security breaches such as these.
In short, clients want reassurances that prospective law firms and service providers have strict security controls in place before engaging them. To win their business, preventative measures are just half of the equation. While security certainly begins with front-end measures designed to block cyberattacks, it also requires detailed procedures that enable a quick, effective response in the event of a breach. Turning to rigorous industry certification such as ISO 27001 as guidance can help. Having an independent accredited auditor vet security measures can ensure that comprehensive information security management standards are in place.