Last week eSentire participated in LegalTech New York, the legal industry’s largest technology event of the year. This annual conference provides firms and legal departments with practical tips that they can adopt to improve the way that their practice is managed. This year’s event offered an assortment of trend discussions, with the overarching theme focused squarely on cybersecurity and data protection.
The legal industry continues to face mounting pressures from government and industry regulators as they work to address cybersecurity defense gaps. And while it’s evident that there’s been a shift in thinking when it comes to cybersecurity defense planning, the industry remains largely unregulated.
Law firms have become a popular target with cybercriminals looking for easy access to rich data. With one strike, cybercriminals can interrupt mergers and acquisitions, manipulate business transactions or acquire business and client data. Contrary to what many might believe, small and medium-sized firms are just as vulnerable to attacks as larger firms. All client data is a target.
eSentire presented an emerging technology talk track at LegalTech New York to highlight industry recommendations and help firms understand how those new standards can be applied.
Attorney and author Jill D. Rhodes recently published The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals, a resource that is informally regarded as the industry's cybersecurity roadmap. The book helps to define cyber and data security risk and best practices, and describes data security and lawyers’ legal and ethical obligations to the client.
Perhaps of greatest interest are the top ten measures that all firms should consider to defend themselves against cyber attacks. The recommended measures are that firms:
- Evaluate their cybersecurity risk profile.
- Evaluate client-specific data security considerations (regulatory).
- Organize and empower an information security and data governance committee.
- Appoint a Chief Information Security Officer (CISO/CSO) to run day-to-day operations.
- Define and implement an auditable security program.
- Establish a stringent requirement for data security (in-house and vendor).
- Develop a security incident response protocol to address breaches.
- Develop controls on Internet access and personal devices (BYOD).
- Educate lawyers and staff within the firm about their cybersecurity obligations.
- Conduct routine audits and vulnerability assessments.
Ms. Rhodes’s suggestions reinforce the advice that eSentire regularly shares with clients as they work to beef up their cybersecurity defenses. At eSentire, we recognize that breaches are inevitable. The key to managing risk is to shift thinking from simply blocking and prevention to detection and response. Knowing where to start can be a challenge, so we’ve developed a best practices framework specifically for law firms to help build out (or expand) cybersecurity initiatives.
While last week’s conference emphasized the real and present danger that cyber threats pose to the industry, attendees also made it clear that the industry is committed to strengthening its cybersecurity stance.