With the release of LOGICFORCE’s latest Law Firm Cyber Security Scorecard comes a new glimpse into the state of cybersecurity for law firms across the nation. LOGICFORCE, the business and technology advising company dedicated solely to the legal industry, polls law firms large and small across the nation regarding their information technology (IT) and data security practices. The resulting analytic report is issued as a scorecard for the industry as a whole. It provides a fascinating – and troubling – look behind the curtain at how safe corporate data is in the hands of the lawyers and law firms that often must collect and store sensitive information on behalf of their clients.
Preventing Cyber Theft of Information
The threat that looms largest for law firms when it comes to cybersecurity is ransomware reaching their networks. The recent disruption at “Big Law” firm DLA Piper is a prime example and is highlighted as such within the Scorecard: systems at the global law firm were offline for days after NotPetya spread through the firm’s network in June 2017. Petya (2016) and its variant NotPetya (2017) are notorious malware families that infected thousands of computers worldwide; NotPetya in particular presented itself as ransomware, but it was built so that encrypted data could not practically be recovered even if the ransom was paid.
Once inside, ransomware encrypts sensitive and valuable data, which is then held hostage for a ransom typically demanded in Bitcoin or another cryptocurrency (pseudonymous rather than truly untraceable, but very hard to claw back once paid). As LOGICFORCE points out, the requirement to pay in cryptocurrency presents yet another problem: depending upon the negotiated amount, it can sometimes take law firms weeks or even months to accumulate the payment. Failure to pay can result in the permanent loss of the encrypted data or, where the attackers also exfiltrated it, its public release, to the detriment of both the law firm and its clients.
LOGICFORCE has formulated twelve cybersecurity standards that help law firms build the most secure environment possible and fulfill the corresponding duties they owe to corporate clients. The Scorecard itemizes each standard and provides the percentage of law firms that LOGICFORCE’s polling indicates are currently implementing it. Below is a shortened summary of the twelve standards.
#1: Information Security Executive
Every law firm should designate a senior-level executive whose responsibility it is to establish and maintain a comprehensive cybersecurity program for the firm. LOGICFORCE industry score: 38%
#2: Cybersecurity Policies and Backup Procedures
Law firm cybersecurity policies should be “documented, accessible, and understood by all employees.” This includes quarterly and other periodic review and testing, backup procedures included. LOGICFORCE industry score: 43%
#3: Multifactor Authentication
Computer access control at law firms should require users to authenticate with at least two of the three factor categories: knowledge (something the user knows, such as a password), possession (something the user has, such as a hardware token or phone), and inherence (something the user is, such as a fingerprint). LOGICFORCE industry score: 30%
#4: Cyber Training
Cyber training programs familiarizing all employees with the law firm’s cybersecurity policies and procedures, as well as instructing employees to recognize common schemes used by outsiders to gain access to systems (such as phishing and other email-borne attacks), should be held regularly and be mandatory. LOGICFORCE industry score: 32%
#5: Cyber Insurance
All law firms’ insurance policies should include a robust cybersecurity rider covering investigation, business loss, cost of extortion, and additional loss categories. LOGICFORCE industry score: 41%
#6: Penetration and Vulnerability Testing
This standard measures the percentage of law firms regularly scanning all networked devices for potential vulnerabilities and promptly remediating those identified (in-house vulnerability scanning, as distinct from the external testing in #7). LOGICFORCE industry score: 42%
#7: Penetration Testing by Third Party
Law firms should have a neutral third party conduct penetration testing of their computer systems at least annually. LOGICFORCE industry score: 79%
#8: Records Management Policy
A vigorous records management policy for law firms should include reference to electronically stored information and provide a framework for retention and destruction practices, as well as define and assign responsibilities for records management. LOGICFORCE industry score: 30%
#9: Cyber Investment
This standard measures how much law firms are spending on cybersecurity, and found that spending currently falls around 0.72% of revenue, compared with LOGICFORCE’s recommendation of 2%. LOGICFORCE industry score: rather than a score for the industry, LOGICFORCE indicates only that law firms are currently spending approximately 36% of the recommended budgetary allowance on cybersecurity.
#10: Full-Disk Encryption
Law firms that passed this standard are utilizing full-disk encryption at the hardware level on all law firm equipment, including cell phones and tablets, that contain sensitive information. LOGICFORCE industry score: 38%
#11: Data Loss Prevention Services
Data loss prevention technology inspects documents, emails, and other data leaving the law firm, whether electronically or by copying to removable media (e.g., flash drives and CDs), looks for data patterns such as Social Security Numbers, and automatically blocks the transmission when it finds them. LOGICFORCE industry score: 41%
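To make the pattern-matching above concrete, here is a small content-inspection check written for this summary. It is an added illustration, not LOGICFORCE’s tooling or any vendor’s code, and the sample messages are constructed. It finds Social Security Number and payment card patterns in outbound text, validates each hit (the SSA’s structural rules for SSNs, the Luhn checksum for card numbers) to suppress obvious false positives, and returns a block/allow decision with a redacted record suitable for an audit log.

```python
"""Minimal content-inspection DLP check (illustration, not a product)."""
import re
from dataclasses import dataclass

# 3-2-4 digit groups that are not embedded in a longer run of digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    kind: str      # "ssn" or "card"
    redacted: str  # only the last four digits survive, for the audit log


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000.  Filters placeholders such as 000-00-0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900
                or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list[Finding]:
    """Return validated findings; raw regex hits alone are not enough."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", redact("".join(m.groups()))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("card", redact(digits)))
    return findings


def decide(text: str) -> tuple[str, list[Finding]]:
    """Policy for this example: any validated hit blocks the transmission."""
    findings = scan(text)
    return ("block" if findings else "allow"), findings


# Constructed sample messages; none of these numbers belong to anyone.
SAMPLES = {
    "client_intake": "Attached is the intake form for J. Doe, SSN 123-45-6789.",
    "placeholder": "Use 000-00-0000 on the template until the client sends a number.",
    "retainer": "Card on file for the retainer: 4111 1111 1111 1111, exp 09/27.",
    "matter_ref": "Re: invoice 2017-0042, docket 4111-1111-22.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        action, found = decide(body)
        print(f"{name:13} -> {action:5} {[(f.kind, f.redacted) for f in found]}")
```

The validation step is the part worth copying: without it, every docket or invoice number shaped like 123-45-6789 would be blocked. Real DLP products go further (SSNs written without dashes, context words like “SSN” nearby, per-file thresholds, and exceptions for approved recipients), which is why tuning, not just deployment, is what this standard measures.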
#12: Third-Party Risk Assessments
Law firms passing this standard are vetting the cybersecurity and data management policies of the third-party vendors they work with, thereby reducing the chance that clients’ sensitive information is exposed by an attack on a third-party service provider.
LOGICFORCE’s industry Scorecard is a compelling tale of what law firms are doing right, what they are doing wrong, and what needs to be done better. Cyber attacks continue to become both more commonplace and more complex. The legal industry as a whole has been arguably lax in its adoption and implementation of security practices, as seen by many of the woefully low industry scores across the twelve identified standards. However, the good news is that many categories have risen since LOGICFORCE’s last scorecard was issued six months ago, which may be an indication that recent malware events, combined with renewed corporate client pressure to secure information, are compelling law firms to renew their cybersecurity focus. A greater allotment of finances and resources toward cybersecurity practices is going to be a hard requirement for law firms moving forward, especially as hackers continue to cook up new methods and means of infiltration.