The Legal Sector Is Desperate for Cybersecurity Projects
As harbors of sensitive client information, law firms are ripe targets for hackers. According to PwC's 2019 global survey, 100 percent of the top-10 surveyed law firms experienced a cybersecurity incident in the past year. And in the American Bar Association's 2019 Legal Technology Survey, the biggest concerns among U.S. lawyers are around poor and worsening cybersecurity approaches, particularly when it comes to cloud-based applications.
“Ten years ago, few law firms were making significant information and cybersecurity investments,” says Mark Walmsley, chief information security officer, Freshfields Bruckhaus Deringer, London, England. “Now, it's considered pure hygiene. It's a business basic principle.”
Yet despite the mounting urgency around legal data privacy, firms’ cybersecurity portfolios rarely match their level of concern. Of the standard precautionary security measures listed by the American Bar Association, the one most commonly used (Secure Sockets Layer encryption, or SSL, a protocol since superseded by TLS) was implemented by only 35 percent of survey respondents. Legal teams are worried—and doing little about it.
Feeling the Heat
The cybersecurity push isn't just affecting law firms and their IT teams. The vendors that serve them are also feeling the pressure.
“Several years ago, security was mentioned during the request-for-proposal process, but it wasn't a key determining factor,” says David Carter, senior vice president and CIO, Aderant, Atlanta, Georgia, USA. Aderant provides accounting and related software solutions to 2,500 law firms globally. “Now we spend a tremendous amount of time answering clients’ questions about the security practices we apply as we develop and implement our software.”
Many of those concerns are swirling overhead. A growing number of law firms—58 percent in 2019, up from 55 percent in 2018—are moving their operations to the cloud. But the most commonly used cloud services are consumer platforms, such as Google Docs and Dropbox, not services designed specifically for law professionals.
With the rising anxiety around cybersecurity, “more and more firms ask for third-party certifications of the security regimes of any vendors providing software or IT,” Mr. Carter says. Vendors often must use remote access software for their client interactions, and they have to demonstrate that their own team members have been properly vetted.
As requirements expand, so do project schedules and budgets. That has to be communicated at a project's start, Mr. Carter says, and clients need to understand the benefits of integrating a project's security requirements from day one.
“Building security into IT projects upfront is cheaper than adding it on the back end of projects,” says Sean Thompson, director of information security, Aderant.
Freshfields Bruckhaus Deringer no longer relies solely on traditional cybersecurity measures such as antivirus and firewall software to safeguard its clients’ confidential data. The U.K. firm is now investing heavily in cybersecurity projects that incorporate artificial intelligence. Since mid-2017, Freshfields has launched five proactive defense technologies that identify threats before they penetrate the firm's security defenses.
To execute these projects, the Freshfields security team relies on a waterfall approach. “Agile delivery has many benefits but must be used with caution,” says Mr. Walmsley. “Agile is better suited to the development of client and business tools, but waterfall is preferred for the delivery of security technology or capability.”—Novid Parsi
Law firms are a hot target for hackers. Here are some of the biggest cybersecurity risks IT project teams must mitigate.
1 Unauthorized disclosure of confidential legal documents
It hurts: The global average cost of a data breach is US$3.9 million, according to the Ponemon Institute's 2019 Cost of a Data Breach Report.
2 Compromised emails
To address the threat, firms have begun to implement multifactor authentication, says Sean Thompson, director of information security, Aderant, Atlanta, Georgia, USA. “If there's a phishing attack, the second factor is still needed to gain access to sensitive emails.”
3 Ransomware
Hackers make their victims pay to recover captured information.
4 Legal malpractice
If a breach causes economic or reputational damage to clients, a law firm could be sued for not properly securing its systems, says David Carter, senior vice president and CIO, Aderant.
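The point made under risk 2 above (a phished password is useless without the second factor) is easy to see in code. The following is an added example, not code from the article or from Aderant: a password-plus-TOTP login check in which the one-time code is computed per RFC 6238 (HMAC-SHA1 over a 30-second counter). The user record, salt, base32 seed and the fixed timestamp are all constructed for illustration; a production system would store passwords with Argon2 or bcrypt rather than the salted SHA-256 used here to keep the example dependency-free.

```python
"""Added example (not from the article or Aderant): password + TOTP login.
Shows that a phished password alone does not unlock the account.
TOTP per RFC 6238 / HOTP per RFC 4226. All secrets below are constructed."""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per TOTP window
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(now // step))


# Constructed user record (hypothetical account, constructed salt and seed).
SALT = b"constructed-salt"
USER = {
    "username": "associate@example-firm.test",
    "pw_hash": hashlib.sha256(SALT + b"correct horse battery staple").hexdigest(),
    "totp_secret": "JBSWY3DPEHPK3PXP",
}


def verify_password(user: dict, password: str) -> bool:
    """Constant-time comparison of the salted hash (use Argon2/bcrypt in production)."""
    candidate = hashlib.sha256(SALT + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_totp(user: dict, code: str, now: float, skew_steps: int = 1) -> bool:
    """Accept the current window plus/minus skew_steps to tolerate clock drift."""
    counter = int(now // TIME_STEP)
    return any(hmac.compare_digest(hotp(user["totp_secret"], counter + d), code)
               for d in range(-skew_steps, skew_steps + 1))


def login(user: dict, password: str, code: str, now=None) -> str:
    """Return 'ok' or a refusal reason. Both factors are always evaluated, and
    the password is never accepted on its own."""
    if now is None:
        now = time.time()
    pw_ok = verify_password(user, password)
    code_ok = verify_totp(user, code or "", now)
    if pw_ok and code_ok:
        return "ok"
    if pw_ok:
        return "denied: second factor missing or wrong"
    return "denied: bad credentials"


if __name__ == "__main__":
    t = 1_700_000_000.0                      # fixed timestamp for reproducibility
    phished_pw = "correct horse battery staple"
    # Attacker who only captured the password via phishing:
    print(login(USER, phished_pw, "", now=t))
    # Legitimate user with the authenticator app:
    print(login(USER, phished_pw, totp(USER["totp_secret"], t), now=t))
```

One caveat a practitioner should keep in mind: a code-based second factor stops an attacker who replays a stolen password later, but a real-time phishing proxy can relay the six-digit code within its 30-second window. Phishing-resistant factors such as FIDO2/WebAuthn keys bind the response to the site origin and close that gap.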