BreachExchange mailing list archives

Do as I say, not as I do: Most law firms lack adequate cyber protection
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 16 Jan 2015 13:31:09 -0700

http://www.propertycasualty360.com/2015/01/16/do-as-i-say-not-as-i-do-most-law-firms-lack-adequa?t=es-specialty

Cyber threats are on the radar for most law firms in their overall risk
management, yet many lack in their preparedness against a significant
event, Marsh’s 2014 Global Law Firm Cyber Survey reveals.

For law firms, protecting the confidential data of clients and the firm is
imperative as any unintended leak of information related to intellectual
property or a prominent legal case can be disastrous. A security breach
could potentially harm business transactions, halt a pending merger or
acquisition, or damage relationships. Furthermore, firms could face
financial burdens associated with the expenses following a breach.
First-party costs can mount from notification expenses, business
interruption issues, or preparing a regulatory defense.

It is no surprise that 79% of survey respondents view cyber and privacy
security as one of their top 10 risks in their overall strategy, and more
than 40% of those would place it as an even more critical threat, listing
it as one of their firm’s top five risks.

The concern surrounding cyber threats in the legal profession supports
research dating back to 2011 from cybersecurity firm Mandiant, which stated
that 80% of the largest 100 law firms had been hacked. In Marsh’s survey,
7% of respondents stated that they had been subject to a successful cyber
attack within the last three years.

Even within the last year, many law firms have faced serious cyber
incidents. In May 2014, a grand jury in the Western District of
Pennsylvania indicted five Chinese military hackers in a case involving
an AmLaw 100 firm. Another large firm suffered a breach in February of current
and former employees’ personal data, which was held by a vendor. The
documents included tax information, Social Security numbers, passport
information and other valuable federal data.

But despite the pressing concern, results indicate that 72% of respondents
acknowledged that their firm has not assessed and scaled the cost of a data
breach based on the information. Furthermore, 51% have not taken the
precautionary measures to insure their cyber risk, or are unaware if their
firm has taken such action. And nearly two-thirds of respondents have not
calculated the effective revenue lost or extra expenses incurred in the
aftermath of a cyber attack.

Yet, almost all of the respondents say they are aware of the risks and take
cyber/privacy risks seriously. The legal industry, as a whole, has been a
target of regulators and government industries for not having enough
defense surrounding the personal data and client information they collect
and store. As early as 2009, the FBI cited that the legal industry, as a
group, could easily succumb to cyber incidents. Furthermore, in 2011, the
FBI began an initiative to bring awareness and education to law firms at
risk, meeting with major law firms in New York to discuss their cyber
preparedness. The Bureau also followed up with the firms to educate them
about precautions to secure their offices from cyber attacks, hacktivists
and data breaches by third-party vendors, employees or former staff.

And many firms have taken some security precautions. Ninety-eight percent
of respondents have secure redundant systems in place, including offsite
data vaults and servers. Another 75% have internal controls in place to
detect non-compliance with privacy policies.

However, many firms are still vulnerable in other areas. Survey results
show that 67% of respondents outsourced their information technology needs
to vendors, despite the fact that recent cyber incidents revealed
that exposure to third-party suppliers and vendors is a weak spot in a
business’ cyber defense, often allowing unauthorized personnel to access
valuable and confidential information.

Still, most respondents treat their cyber and privacy security with a
top-down approach. Information technology teams were most involved in the
review and management of overall cyber/privacy risks, followed by the
firm’s management group, general counsel and risk management team.

Ameliorating the threat can still be a difficult (and even impossible)
task, especially as hackers find new ways to obtain confidential
information. Law firms are also not required to disclose a hacking
incident, unlike many other organizations or consumer-oriented companies,
making analyzing a firm’s cybersecurity a challenging task. They may have
been hacked, and not even know it.

For an industry that pushes for their clients to protect themselves
extensively against risks that could lead to extensive damages to their
business, results show that not all firms practice what they preach. When
it comes to cyber security—and insurance protection—lawyers sometimes
approach with a “do as I say” mentality, not “do as I do.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 