Reviewing your IT systems is essential to retaining clients, according to a new report from LogicForce. Of the 200 law firms that the IT consultancy surveyed in its Law Firm Cyber Security Scorecard study, 18 said they had lost a client for failing an IT audit, and one firm lost an entire practice group.
The report found that the majority of the law firms surveyed have incredibly poor cybersecurity practices. As many as 95% of law firms are not compliant with their own cybersecurity policies, and 77% don’t maintain cyber insurance coverage. This is despite the fact that law firms are widely known as lucrative targets for cyber criminals, something that the report backs up. Two thirds of respondents reported a breach last year, and 40% suffered a breach that they were not aware of until much later.
Law firms ‘aren’t doing enough’
Although LogicForce acknowledges that some law firms implement appropriate remediation techniques, “the fact is, many aren’t doing enough when it comes to protecting themselves.” It continues:
[Law firms] are not protecting their clients’ data. Corporations are auditing the firms they work with much more frequently to ensure these measures are in place and to check that the firms are taking their responsibility more seriously. They want to know that their information is being kept secure and will only work with firms that are doing what is required to keep it that way.
Combating the threat of cyber breaches
To protect against cyber threats, LogicForce advises law firms to perform a number of actions, such as appointing a CISO/CIO to lead a cybersecurity policy, developing a regularly scheduled training program for staff, and implementing multi-factor authentication for any Internet-enabled applications.
Firms would be best advised to consolidate their cybersecurity policies in an information security management system (ISMS). ISO 27001 is the international standard that describes best practice for an ISMS, providing a framework for securing and protecting confidential, personal, and sensitive data.
Certification to ISO 27001 eliminates the need to repeatedly undergo detailed IT audits, because the certification body has already done the audit.
ISO 27001 is the only international information security standard against which organizations can achieve independently audited certification. Achieving certification means that companies can demonstrate that they are compliant with data security laws and provide the necessary assurance to stakeholders and clients that the business is taking steps to protect its information.