Cyber Insecurity

Does My Law Firm Need a Virtual CISO?

Your firm may not be privy to the legal secrets of the stars like Grubman Shire Meiselas & Sacks, which was hit by a REvil ransomware attack that threatened to release one terabyte of stolen celebrity client data. However, your attorneys do store and manage volumes of confidential data. And the data you store is just as valuable to your clients.

According to the American Bar Association’s 2019 Legal Tech Report, 26% of all law firms have experienced a data breach.

Particularly vulnerable are firms with 10-49 attorneys, 42% of which reported they had suffered a security breach.

Add to that the fact that ransomware attacks were up 25% overall in Q1 2020, and you are right to be concerned about this alarming trend.

After all, 60% of small businesses fold within six months of a cyber-attack.

Cybercriminals target law firms, making information security a critical aspect of managing a firm. Yet fewer than half of firms have implemented commonly used cybersecurity protocols. Do you have an information security program today? Who is managing it? If the answer is your IT team, do they have the expertise needed?

To protect yourself and your firm, you must have a resource who understands the enemy, has the specialized knowledge necessary to face it, and is empowered to lead. That is where a CISO comes in.

What is a CISO? A Virtual CISO?

Increasing cybersecurity threats and data breaches, along with the resulting standards and frameworks created for managing information security, have led to the creation of a new role on the executive team: Chief Information Security Officer. That’s CISO (pronounced see-so) for short.

Because law firms are such high-value targets for hackers and must often navigate a variety of information security compliance requirements, the CISO role has become an essential element of proper firm management. A CISO is responsible for developing and executing an organization’s information security strategy and program. They serve as an advisor to the executive team and a guide for everyone in the organization. Together with their information security team, people in this role are generally responsible for meeting six key objectives:

  • Identify and assess information security vulnerabilities
  • Implement effective controls to reduce risk and inform stakeholders on progress
  • Create a culture of information security among the staff through training
  • Validate the firm’s security hygiene through testing and audits
  • Demonstrate a strong security posture to clients and vendor partners
  • Continually improve the firm’s security posture to meet evolving threats

A Virtual CISO performs the same tasks on an outsourced or fractional basis. They bring the same knowledge, credentials, and expertise to organizations at a lower cost than a full-time executive-level employee. Virtual CISOs are especially attractive to small to mid-sized firms that may have a unique environment, scope of services, or risk appetite. CISOs don’t need to be on-site to serve in their role, and they often bring a team of experts to help them create, manage, analyze, and monitor your security program, which means you don’t have to build a team of infosec experts.

Why do we need a Virtual CISO?

  1. Your security posture may not be as strong as you think. Even firms with existing information security programs find previously unknown risks when performing a security gap analysis. Just as threats evolve, so do law firm operations – technology, processes, and personnel. A risk management strategy must evolve with them. If your program isn’t holistic and up to date, or your executive committee doesn’t receive regular reports on active risks and mitigation activities, there is a reason for concern. Successful threat protection requires a security culture that starts with a leadership team member who is fully responsible for information security.
  2. Your law firm IS a target for cybercriminals – no matter the size. You hold and handle extremely sensitive and confidential information for all your clients, whether you have 20 or 2000. Hackers and other cybercriminals know this. They also know it is highly lucrative to sell that information on the dark web or hold your systems hostage for ransom.
  3. For clients, information security is akin to attorney-client privilege: Essential. As an attorney, you are required to maintain the confidentiality of the information your clients discuss with you. From an ethical standpoint, this confidentiality extends to the information and data they share with you. The quality and effectiveness of your information security program are as important to them as your legal strategy. And clients, especially corporate legal teams, are validating their firms’ security posture.
  4. Avoiding breaches and incidents is much less expensive and time-consuming than managing them. Ending and managing a data breach involves notifications, forensic investigation, compliance, monitoring, reputation management, public relations, and more. Do you have immediate access to the information about your assets, repositories, documentation, personnel, and network access you need to manage a breach today? A best practices approach to security ensures you are prepared for an incident and can rapidly respond in a way that helps protect your clients and limits your firm’s exposure.
  5. Getting security right is complex, and it goes beyond IT. Many law firm leaders think of information security as an IT exercise that’s once and done. While your IT team may have implemented a stack of security tools, that can lead to a false sense of security without the appropriate policies, controls, training, testing, and monitoring. Information security is specialized and, without detailed knowledge of frameworks, compliance requirements, and best practices, it can also be complex. Like many aspects of law, good outcomes require specialized experience.

  6. InfoSec resources are scarce and expensive. Because information security is a top issue for most companies, the personnel you need are in demand. That makes building an in-house information security team costly and time-consuming. The good news is, depending on the complexity of your organization, your state of readiness to implement or enhance a program, and your risk appetite, you probably don’t need a full-time CISO. Choosing an outsourced CISO (and their team of resources) can provide cost-effective leadership, skillset, and know-how.
  7. Cybersecurity insurance isn’t an alternative. When it comes to risk, some leadership teams look to insurance policies over security protocols to reduce their potential exposure. Cybersecurity insurance is an integral part of an overall strategy, but it only works in conjunction with a suitable information security program. Many carriers won’t provide coverage without documentation of an effective plan. If they do, they often will not pay a claim if you cannot demonstrate that you’ve taken the right steps to protect your organization. A CISO can help ensure that you’ve met those requirements.

A Virtual CISO can help build confidence in your firm’s ability to protect itself and its clients against threats that impact sensitive and confidential information. In addition to specialized knowledge, they bring flexible availability, established vendor relationships, relief for your IT and HR teams, and proven expertise at a fraction of the cost of a full-time employee.

Contact EXTEND Resources to learn more about our Virtual CISO services and legacy of information security expertise. We’ve helped law firms like yours secure their assets, create a robust security program, become certified for information security compliance, and continually improve their program to protect against evolving threats.

Steve Henn
