Cybersecurity

 

The treasure trove of valuable client data residing inside of law firms—such as financial information related to potential corporate transactions and confidential litigation documents or trade secrets—has made law firms top-priority targets of cyber criminals. Indeed, nearly one in four firms reported they have been the victim of a data breach, according to the ABA's 2018 Legal Technology Survey Report.

Law firms have responded to this challenge by making substantial investments in information security systems, technologies and procedures. Part of this response has been the search for the optimal IT framework, a mission complicated by the seemingly endless array of ISO, SOC and COBIT standards we read about frequently in the legal technology space.

As we consult with U.S. law firms, we urge them that the superior approach is to build their IT security framework on the structure laid out in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

NIST is a division of the U.S. Commerce Department that promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security. One of NIST's key strategic initiatives has been the development of a framework of controls, guidelines and best practices to help organizations manage cybersecurity-related risk.

The NIST Cybersecurity Framework provides a structure for managing data security today, as well as a roadmap for improving data security in the future with ongoing development, alignment and collaboration between industry and government. The approach laid out in the NIST framework establishes controls for organizations to implement in their IT systems and processes, ranging from how to identify known cybersecurity risks and detect the occurrence of a potential breach to how to respond to a cyber security incident and restore any organizational capabilities that were impaired.

There are a number of reasons why law firms should consider building their IT framework on the NIST framework, but here are three specific benefits that this strategic decision can deliver to a firm:

1. Creates a Security Playbook

Following the NIST framework will lead to the creation of a "System Security Plan" that law firms can use to operationalize their IT security strategy. This security playbook creates a continuous cycle for security: design; implement; review; update; and then resume the cycle again. Firms should evaluate their information security activities, align their IT budget, implement necessary IT controls, update all relevant documentation and then conduct a comprehensive review at least annually.

2. Provides Risk Assessment

The NIST framework also functions as a built-in risk assessment exercise, helping law firms go through the process of documenting which controls they have in place—and which ones are not as mature—so they can identify areas within their security program that need additional attention. This gap analysis guides the firm's IT planning by serving as a tool for framing and directing where the firm's security framework should evolve in response to changing conditions, threats and needs. Firms can leverage these insights to identify potential weaknesses in their systems and determine where budget is best allocated to mitigate the most risk.

3. Supports Responses to Audits

Roughly one-half of law firms were subjected to a cybersecurity audit last year, according to a presentation from the Association of Legal Administrators. The NIST framework provides a structure to use in organizing important descriptions, data maps and information security processes that are commonly requested in security and compliance questionnaires sent by clients. Maintaining documented structure for the law firm's data protection framework and information security program assists in providing structured and consistent responses related to client compliance. This creates a professional reporting format to provide comfort and assurance around clients' security concerns.

The NIST Cybersecurity Framework provides a comprehensive information security approach that addresses the technical bases of concern to firm stakeholders and clients, delivers law firms with an operational playbook for the protection of their IT systems, and provides an important management tool to support a firm's information security operations. In a world where the alphabet soup of compliance standards seems to grow by the day, the NIST Cybersecurity Framework is a wise foundation for any law firm's approach to information security.

 

 

Ken Kulawiak is Vice President of Information Security and Technology for HBR Consulting. Ken provides guidance on the security strategies implemented for HBR Managed Services clients, as well as HBR Consulting's approach to information governance, information security, data privacy and technology. Prior to joining HBR, he served as a Chief Information Security Officer and led the Information Governance and Risk teams for financial institutions. For more information, please go to www.hbrconsulting.com.