Project Management Institute

Protection Clause

The Legal Sector Is Desperate for Cybersecurity Projects


As harbors of sensitive client information, law firms are ripe targets for hackers. According to PwC's 2019 global survey, 100 percent of the top-10 surveyed law firms experienced a cybersecurity incident in the past year. And in the American Bar Association's 2019 Legal Technology Survey, the biggest concerns among U.S. lawyers are around poor and worsening cybersecurity approaches, particularly when it comes to cloud-based applications.

“Ten years ago, few law firms were making significant information and cybersecurity investments,” says Mark Walmsley, chief information security officer, Freshfields Bruckhaus Deringer, London, England. “Now, it's considered pure hygiene. It's a business basic principle.”

Yet despite the mounting urgency around legal data privacy, firms’ cybersecurity portfolios rarely match their level of concern. Of the standard precautionary security measures listed by the American Bar Association, the one most commonly used (secure socket layers) was implemented by only 35 percent of survey respondents. Legal teams are worried—and doing little about it.

Feeling the Heat

The cybersecurity push isn't just affecting law firms and their IT teams. The vendors that serve them are also feeling the pressure.

“Several years ago, security was mentioned during the request-for-proposal process, but it wasn't a key determining factor,” says David Carter, senior vice president and CIO, Aderant, Atlanta, Georgia, USA. Aderant provides accounting and related software solutions to 2,500 law firms globally. “Now we spend a tremendous amount of time answering clients’ questions about the security practices we apply as we develop and implement our software.”

Many of those concerns are swirling overhead. A growing number of law firms—58 percent in 2019, up from 55 percent in 2018—are moving their operations to the cloud. But the most commonly used cloud services are consumer platforms, such as Google Docs and Dropbox, not services designed specifically for law professionals.

With the rising anxiety around cybersecurity, “more and more firms ask for third-party certifications of the security regimes of any vendors providing software or IT,” Mr. Carter says. Vendors often must use remote access software for their client interactions, and they have to demonstrate that their own team members have been properly vetted.

As requirements expand, so do project schedules and budgets. That has to be communicated at a project's start, Mr. Carter says, and clients need to understand the benefits of integrating a project's security requirements from day one.

“Building security into IT projects upfront is cheaper than adding it on the back end of projects,” says Sean Thompson, director of information security, Aderant.


Defense Mechanism

Freshfields Bruckhaus Deringer no longer relies solely on traditional cybersecurity measures such as antivirus software and firewalls to safeguard its clients’ confidential data. The U.K. firm is now investing heavily in cybersecurity projects that incorporate artificial intelligence. Since mid-2017, Freshfields has launched five proactive defense technologies that identify cybersecurity risks before they have a chance to penetrate the firm's security defenses.

To execute these projects, the Freshfields security team relies on a waterfall approach. “Agile delivery has many benefits but must be used with caution,” says Mr. Walmsley. “Agile is better suited to the development of client and business tools, but waterfall is preferred for the delivery of security technology or capability.”

—Novid Parsi

Legal Action

Law firms are a hot target for hackers. Here are some of the biggest cybersecurity risks IT project teams must mitigate.

1. Unauthorized disclosure of confidential legal documents

It hurts: The global average cost of a data breach is US$3.9 million, according to the Ponemon Institute's 2019 Cost of a Data Breach Report.

2. Compromised emails

To address the threat, firms have begun to implement multifactor authentication, says Sean Thompson, director of information security, Aderant, Atlanta, Georgia, USA. “If there's a phishing attack, the second factor is still needed to gain access to sensitive emails.”

3. Ransomware

Hackers make their victims pay to recover captured information.

4. Legal malpractice

If a breach causes economic or reputational damage to clients, a law firm could be sued for not properly securing its systems, says David Carter, senior vice president and CIO, Aderant.

This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI.
