Protection Clause

The Legal Sector Is Desperate for Cybersecurity Projects



As harbors of sensitive client information, law firms are ripe targets for hackers. According to PwC's 2019 global survey, 100 percent of the top-10 surveyed law firms experienced a cybersecurity incident in the past year. And in the American Bar Association's 2019 Legal Technology Survey, the biggest concerns among U.S. lawyers are around poor and worsening cybersecurity approaches, particularly when it comes to cloud-based applications.

“Ten years ago, few law firms were making significant information and cybersecurity investments,” says Mark Walmsley, chief information security officer, Freshfields Bruckhaus Deringer, London, England. “Now, it's considered pure hygiene. It's a business basic principle.”

Yet despite the mounting urgency around legal data privacy, firms’ cybersecurity portfolios rarely match their level of concern. Of the standard precautionary security measures listed by the American Bar Association, the one most commonly used (secure socket layers) was implemented by only 35 percent of survey respondents. Legal teams are worried—and doing little about it.

Feeling the Heat

The cybersecurity push isn't just affecting law firms and their IT teams. The vendors that serve them are also feeling the pressure.

“Several years ago, security was mentioned during the request-for-proposal process, but it wasn't a key determining factor,” says David Carter, senior vice president and CIO, Aderant, Atlanta, Georgia, USA. Aderant provides accounting and related software solutions to 2,500 law firms globally. “Now we spend a tremendous amount of time answering clients’ questions about the security practices we apply as we develop and implement our software.”

Many of those concerns are swirling overhead. A growing number of law firms—58 percent in 2019, up from 55 percent in 2018—are moving their operations to the cloud. But the most commonly used cloud services are consumer platforms, such as Google Docs and Dropbox, not services designed specifically for law professionals.

With the rising anxiety around cybersecurity, “more and more firms ask for third-party certifications of the security regimes of any vendors providing software or IT,” Mr. Carter says. Vendors often must use remote access software for their client interactions, and they have to demonstrate that their own team members have been properly vetted.

As requirements expand, so do project schedules and budgets. That has to be communicated at a project's start, Mr. Carter says, and clients need to understand the benefits of integrating a project's security requirements from day one.

“Building security into IT projects upfront is cheaper than adding it on the back end of projects,” says Sean Thompson, director of information security, Aderant.



Defense Mechanism

Freshfields Bruckhaus Deringer no longer relies solely on traditional cybersecurity measures such as anti-virus and firewall software to safeguard its clients’ confidential data. The U.K. firm is now investing heavily in cybersecurity projects that incorporate artificial intelligence. Since mid-2017, Freshfields has launched five proactive defense technologies that identify cybersecurity risks before they have a chance to penetrate the firm's security defenses.

To execute these projects, the Freshfields security team relies on a waterfall approach. “Agile delivery has many benefits but must be used with caution,” says Mr. Walmsley. “Agile is better suited to the development of client and business tools, but waterfall is preferred for the delivery of security technology or capability.”

—Novid Parsi

Legal Action

Law firms are a hot target for hackers. Here are some of the biggest cybersecurity risks IT project teams must mitigate.

1. Unauthorized disclosure of confidential legal documents

It hurts: The global average cost of a data breach is US$3.9 million, according to the Ponemon Institute's 2019 Cost of a Data Breach Report.

2. Compromised emails

To address the threat, firms have begun to implement multifactor authentication, says Sean Thompson, director of information security, Aderant, Atlanta, Georgia, USA. “If there's a phishing attack, the second factor is still needed to gain access to sensitive emails.”

3. Ransomware

Hackers make their victims pay to recover captured information.

4. Legal malpractice

If a breach causes economic or reputational damage to clients, a law firm could be sued for not properly securing its systems, says David Carter, senior vice president and CIO, Aderant.


