Posted by Mohamed Bakeer, chief technology officer at Legal Futures Associate CTS
Nobody in the legal sector is denying the importance of cyber-security. Protecting the sensitive data your firm holds on behalf of its clients is essential.
It’s an established fact that the threat from cyber criminals is increasing and evolving rapidly, and law firms are responding by prioritising cyber-security. It is now the sector’s number one technology investment area.
Nevertheless, different firms have different ways of tackling this crucial issue. As legal sector cloud and IT specialists, we deal almost exclusively with law firms. In our experience, their approaches broadly divide into three strands.
“We’ve never been attacked, so let’s just make sure we’re compliant and get the basics right”
“Just enough but no more” is a tempting philosophy for a cost-conscious firm, especially one that has never experienced the severe damage a cyberattack can cause.
Firms understand the need to be compliant, not least to avoid severe penalties in such a heavily regulated sector. They also acknowledge that certain measures are essential to protect the firm and its clients.
The measures they are likely to have in place include: antivirus software, patch management, firewalls and network segmentation, email security, web content filtering, two-factor authentication, intrusion detection, back-up and disaster recovery.
That seems like a long and comprehensive list. It’s easy to see why a firm with all that in place might think “that’s cybersecurity boxed-off, on to the next problem”.
They may also believe that cyber-insurance covers them against the potential losses resulting from a breach. Please read to the end, then reassess the level of cover and any exclusions on the policy, before coming to that conclusion.
But you need to assess the true cost. This option is frequently chosen on a ‘cost versus risk’ basis, so it’s important to have a clear picture of the true cost of a major cyber-security incident, including:
- Staff, equipment and office downtime;
- Crisis management;
- Loss of existing and future business resulting from reputational damage;
- Legal costs if clients feel that their data has not been sufficiently protected;
- Fines imposed by regulators; and
- Higher insurance premiums.
In short, whilst firms choosing this approach are undoubtedly taking the problem seriously, they may nevertheless be underestimating the full costs and consequences of an attack.
“Let’s be security self-sufficient, whatever it costs”
To address the rising cyber-threat, firms are leveraging new technology that enables them to detect and respond to threats more quickly to mitigate their risk.
To attain an advanced level of threat protection, firms require a team of experts equipped with the latest technology, who are entirely focused on addressing incoming threats.
Setting up your own dedicated security operations centre (SOC) to achieve this is, of course, only possible for large firms. But even a law firm with sufficient resources needs to consider the true cost and complexity before opting for a go-it-alone approach, including:
- The staff resource required to run a 24/7/365 operation;
- The scarcity of these skilled and highly paid professionals;
- The complexity of obtaining a CSOC (Cyber Security Operations Centre) accreditation to verify your SOC’s capabilities;
- The level of initial and ongoing training required;
- The cost of the technology;
- The constant developments required to keep pace with the ever-evolving threat landscape and advancing technologies; and
- The overwhelming number of different threats that need to be detected, analysed and remediated every day.
“We prefer to work with a specialist partner to manage our cyber security risk”
Full disclosure: this is the option we at CTS provide and recommend. But our clients don’t trust us with their cyber-security just because we offer it.
Choosing to work with a recognised, fully resourced security specialist is a hard-headed business decision, taken by law firms to avoid data loss, minimise downtime and protect both their reputation and their financial wellbeing at a manageable cost.
Managed detection and response gives you access to the latest, constantly updated detection, deception and incident response technologies, without having to make a large upfront investment.
Above all, it means you are pre-empting threats rather than simply reacting to them. It adds a proactive dimension to cyber-security that would be difficult for an in-house set-up to realistically match, with:
- Centralised logging;
- Vulnerability management;
- Correlation SIEM (security information and event management);
- Endpoint analytics;
- Network behaviour analytics;
- Threat intelligence; and
- User and entity behaviour analytics.
Firms that are looking to partner with a specialist to manage their security risk must ask potential providers the following questions:
- Do they provide actionable remediation advice to enable your firm to eliminate threats quickly?
- Do they have specialist legal sector knowledge, and experience of dealing with IT environments like yours?
- Are they using the most up-to-date technology, and do they have access to the latest threat intelligence?
Remember, above all, that advanced cyber-security can pay for itself by giving firms a major advantage in winning new business, especially from larger corporate clients.