With the constant growth of cyberattacks making headlining news, it has become more necessary to manage and respond to threats within the legal industry. With this proliferation, there has been a major increase in reliance responsibility among the legal industry and legal departments. A data breach is a surefire way to risk the success and reputation of your firm.
Firms in the legal sector in recent years are recognizing inconsistent practices within their own practices, but have the unique professional challenge of then turning around to help other organizations to protect their data with the law. The proliferation of cyber threats has immediately heightened the call for those in the legal industry to brush up on cybersecurity practices.
An annual report released by ALM Intelligence outlines some of the major factors that the legal industry is coming up against regarding cybersecurity protection:
- More than 70% of firms reported that clients have pressured them to increase data security
- Expressed concern over the lack of partnerships and/or protocols to protect against and respond to a data breach
- Despite a history of bad reputation within the field of not being up to snuff on cyber protocols, law firms are more confident than ever before in their abilities to combat cyber attack
In response to the need for added talent to effectively respond to cyber threats, more than 40% of the firms surveyed indicated that they expect to grow their staff in the next year. There has been a drastic increase on the corporate side for a more robust response and knowledge of security expertise.
Many firms that don’t have internal cybersecurity backing are struggling to adequately protect their networks and data—the very advocates that must scrupulously protect clients and organizations from the propagation of breaches. The growing market presents a push from clients of legal counsel to necessarily dive into the evolving world of cybersecurity. Research from MarketsandMarkets expects the global cybersecurity market to surpass $202 billion by 2021.
Where to start: NIST Cybersecurity Framework in the legal industry
The framework released by the National Institute of Standards and Technology (NIST) provides companies with a set of industry standards and best practices for managing cybersecurity risks. The framework presents five main functions and categories for organizations to implement for cyber-risk management and oversight:
- Identify—Law firms should know and identify known cybersecurity risks within their infrastructure
- Protect—safeguards should be developed and employed to protect the delivery and maintenance of infrastructure services
- Detect—methods of detection should be implemented in the firm in the case of a cybersecurity event
- Respond—methods to respond to a detected event
- Recover—plans to recover and restore a firm’s capabilities should be developed as a result of a cybersecurity event
The NIST framework provides law firm executives with a foundational set of controls to start a cybersecurity program. With the growing rate of cybersecurity risks, it will likely be common for tech-savvy clients to send specific requests regarding data security. However, law firms and law departments will quickly feel the burden of meeting several constantly changing requests. Law firms in particular will benefit from adopting the NIST framework to avoid trying to incorporate a slew of requests in an attempt to make everyone happy.
ISO 27001: A higher level of security
Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, the ISO 27001 certification is another important set of standards to consider within the realm of the legal industry. ISO 27001 outlines a set of international standards relating to information security. It has an organizational focus, detailing requirements against which the firm’s Information Security Management System (ISMS) may be audited. ISO 27001 is considered to be the highest security standard for examining the adequacy of the firm’s security posture overall.
Adopting the ISO 27001 standards through certification might be a rigorous process, sometimes taking as long as six to twelve months to complete, it goes a long way to add to the reputation and security of clients within the legal industry.
- Identifying and executing comprehensive information security management system
- Creating detailed policies and strategies in compliance with ISO standards
- Taking detailed inventory of the firm’s electronic information and storage locations
- Selecting and implementing appropriate security controls
While ISO 27001 might not satisfy tough clients, the certification process is detailed, recognized internationally, and certifiable. These are extreme benefits to a firm looking to remain secure and credible. It’s a framework that specifies an information security management system to bring information security under a specific management control—something that can be sorely lacking in firms that are a step behind.
Introducing one of these compliance standards is a great way to ensure that your firm is upholding specific standards regarding your security posture. With the accelerating rate of cyberattacks, it’s important that the legal industry stay current with security standards to protect data and avoid devastating breaches. Security postures should be managed closely and reviewed continuously. Incorporating recognized frameworks are a great way to show that you are making a bona fide commitment to cybersecurity, but it’s vital that the industry continues to keep the pace with evolving threats.