- Legal Futures - https://www.legalfutures.co.uk -

How to pass a client security audit

Posted by Mohamed Bakeer, chief technology officer at Legal Futures Associate CTS [1]

Bakeer: Corporate clients insist firms demonstrate the highest security standards.

Cyber-crime is becoming an ever more frequent and sophisticated threat to law firms. At the same time, regulatory compliance is becoming tougher, the penalties for non-compliance are escalating, and clients are insisting on exceptional security standards.

A recent study by Briefing magazine showed that 72% of law firms are seeing an increase in security audit requests from both existing and new clients, indicating a huge impact on firms’ ability to win new client business if they fail to meet expected standards.

In this challenging, constantly evolving threat landscape, law firms are quite rightly seeking expert help with their data security.

Security matters more than ever for every practice area

Law firms working with corporate clients in the most sensitive and highly regulated fields need no prompting to prioritise data security – their clients insist that they demonstrate the highest standards. These law firms are now investing in security and marketing their capabilities as a competitive differentiator.

Firms dealing with high net-worth private clients also need to be increasingly security conscious, because their data is likely to be particularly sensitive and large sums of money are at stake.

Conveyancing firms need to up their security game too, because conveyancing panel managers now have to comply with stringent standards set by banks and other mortgage lenders.

Asking the right questions

A cyber-security audit used to be almost entirely focused on compliance and consisted of around 10 questions, perhaps even fewer.

Attacks are now far more sophisticated and law firms are placing more trust and, critically, more of their client data in cloud-based systems. Due to the amount of sensitive information and the large sums of money at stake, a modern audit digs much deeper to ensure security.

Clients are now better informed about how their data should be protected, meaning audit questions have become more specific and technical requirements more demanding.

To succeed, a firm will have to demonstrate capabilities such as:

Law firms need advanced security – but what does that mean?

To combat cyber-threats, and prove their ability to protect their client data, law firms need to put the following in place:

How can firms achieve this advanced level of security?

Whether firms choose to work with a specialist partner, or create their own in-house security operations centre, they need to ensure they have the right analytical technology, threat intelligence and understanding of the global threat landscape to confidently address threats.

Technologies such as centralised logging, a correlation SIEM, endpoint analytics and threat intelligence are necessary for firms, along with an expert team with the skills to interpret and act upon the intelligence.

The clearest measures of a firm’s security credentials are its mean detection time and mean response time, the standard metrics used by the cyber-security industry.

Law firms’ detection and response times have too often been measured in weeks and months, ample time for an attack to cause serious financial and reputational damage.

The right security strategy can reduce those months to minutes – proof that the firm is ready to surpass even the most demanding client’s security expectations, particularly as firms are being asked more often to prove how quickly they can respond to an attack.

CTS has published a whitepaper [2] on managed detection and response, outlining how firms can accelerate their cyber-threat response time, achieving advanced threat protection without huge upfront investment.