A guide for law firms to successfully pass a client security audit
Cybercrime is becoming an ever more frequent and sophisticated threat to law firms. At the same time regulatory compliance is becoming tougher, the penalties for non-compliance are escalating, and clients are insisting on exceptional security standards.
A recent study by Briefing magazine showed that 72% of law firms are seeing an increase in security audit requests from both existing and new clients, indicating a huge impact on firms’ ability to win new client business if they fail to meet expected standards. In this challenging, constantly evolving threat landscape, law firms are quite rightly seeking expert help with their data security.
Security matters more than ever for every practice area
Law firms working with corporate clients in the most sensitive and highly regulated fields need no prompting to prioritise data security - their clients insist that they demonstrate the highest standards. These law firms are now investing in security and marketing their capabilities as a competitive differentiator.
Firms dealing with high net worth private clients also need to be increasingly security conscious, because their data is likely to be particularly sensitive and large sums of money are at stake.
Conveyancing firms need to up their security game too, because conveyancing panel managers now have to comply with stringent standards set by banks and other mortgage lenders.
Asking the right questions
A cyber security audit used to be almost entirely focused on compliance and consisted of around ten questions, perhaps even fewer. Attacks are now far more sophisticated and law firms are placing more trust and, critically, more of their client data in cloud-based systems. Due to the amount of sensitive information and the large sums of money at stake, a modern audit digs much deeper to ensure security.
Clients are now better informed around how their data should be protected, therefore audit questions have become more specific and technical requirements more demanding. To succeed a firm will have to demonstrate capabilities such as:
- Immediate logging of security events to a central location
- The ability to provide user IDs, dates, times and details for each security event, as well as device identity and location, network addresses and protocols
- Remediation of threats before they affect day to day operations.
Law firms need advanced security, but what does that mean?
To combat cyber threats, and prove their ability to protect their client data, law firms need to put the following in place:
- 24/7/365 proactive threat monitoring, vulnerability management, analysis, investigation, diagnosis, hunting, notification and remediation. This is essential to provide the continuous event monitoring and incident management required by the regulatory authorities and by the most demanding clients.
- Tools that enable them to identify, analyse and understand attacks as they happen, in order to rapidly execute the required remediation.
- Access to threat intelligence feeds so they can pre-empt and proactively mitigate attacks, protecting the firm before they fall victim.
- Regular reporting of threat activity, producing clear and concise data and trend analysis. This enables management and IT teams to prioritise activities, meet compliance obligations and monitor performance.
How can firms achieve this advanced level of security
Whether firms choose to work with a specialist partner, or create their own in-house Security Operations Centre (SOC), they need to ensure they have the right analytical technology, threat intelligence and understanding of the global threat landscape to confidently address threats. Technology such as centralised logging, correlation SIEM, endpoint analytics, and threat intelligence are necessary for firms, along with an expert team who have the skills to interpret and act upon the intelligence.
The clearest measure of a firm’s security credentials is their Mean Detection Time (MDT) and Mean Response Time (MRT), the standard metrics used by the cyber security industry. Law firms' MDT and MRT have too often been measured in weeks and months: ample time for an attack to cause serious financial and reputational damage. The right security strategy can reduce those months to minutes: proof that the firm is ready to surpass even the most demanding client's security expectations, particularly as firms are being asked more often to prove how imminently they can respond to an attack.