Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Law Firms: You Can't Buy Yourself Out of Risk

By Mark Sangster
October 01, 2018

While no amount of insurance can protect your reputation, you also can't buy yourself out of the cyber risks that threaten your reputation either. eSentire recently conducted research with 1,250 senior IT and security executives across financial, healthcare, legal, manufacturing, telecommunications, and other industries to gauge their risk tolerance, security maturity, and top risks.

The sample included more than 160 law firm executives (from medium to large firms), and we found that law firms were among some of the highest spenders on security yet were susceptible to some of the most common risks. And the issue will grow over the coming years as the demands of the business drive the adoption of emerging technologies, such as cloud and Artificial Intelligence (AI).

|

Law Firm Overall Spend on Security Is Among the Highest

Law firms rival their much larger counterparts, telecoms companies, when it comes to security spend as a percentage of IT spend. Lowest of any industry, non-firms reported spending less than 5% on security. Only 21% of firms spent between 5-10%; whereas 40% spent 11-30%, and 29% spent up to half of their IT budget on security. It's a good news, bad news scenario. The good news is law firms have awoken to the threat of cyber-attacks and the potential consequences and are responding with a commitment to security efforts.

|

Law Firms Are Most Susceptible to Common Security Risks

And now the bad news. Most law firms report that they are susceptible to common security risks and demonstrating table stakes security efforts. Approximately 60% of law firms struggle to manage both malware and non-malware born attacks, leading to significant IT or business impacts. What's worse, the same percentage of firms struggle to bear the growing cost of security efforts, manage and report the status of security risks and patching, and fail to demonstrate the value of IT spend to senior management. A further 58% report difficulties complying with clients or regulators or aligning to risk management requirements.

|

The Cycle of Despair

The research identified a cycle of despair across all industry segments tied to the gravitational struggle between the demands of the business and the desire to manage risks to the firm. The IT department is caught between the demands of the firm to remain competitive through the adoption of emerging technology, yet held accountable when that technology leads to a security event that causes a material change to the business. As in, the attorneys want new technology, and the partners don't want the associated risk.

Within the cycle, specific contributing factors were identified. Risk was increased by how aggressively firms adopted emerging technologies, such as cloud services, IoT, and AI. These risks were reduced by the overall security maturity posture of the firms, adoption of security technology and services, awareness and understanding of cyber risks at the executive level, and to some degrees, the reporting and spending structure of security efforts.

|

Law Firms Are Among the Least Cyber Mature

So, what constitutes cyber maturity is certainly the contentious issue, but less mature firms were those that reported using basic preventative technologies, such as firewall and anti-virus, and lacked integrated reporting, and threat response capabilities. Remember, these are self-reporting ratings of the respondents. Well above other industries, nearly 70% of law firms only employ preventative technologies, and worse, only 5% have deployed more proactive and predicted security measures to rapidly detect and contain attacks.

Only 27% of law firms deployed endpoint security compared to over double that figure for all other industries. Mobile, cloud, and logging lag around the same percentage.

The effect is compounded, because this rudimentary approach limits law firms' ability to deploy emerging technologies that carry greater risk. Across the board, businesses that reported a higher security maturity level were faster to adopt new technologies, such as mobile, cloud, IoT and AI. And let's be honest, calling many of these technologies “emerging” is like calling the Internet a “fad.” They are already here, burrowed into our digital DNA, and here to stay. For example, nearly 80% of firms have adopted some form of cloud services. They might not have grey hair, but they are not adolescent either.

Over the next three years, AI was consistently selected, across all industry verticals, as one of the top three technologies that will pose the most risk to enterprises. IoT was also selected, across five of the seven verticals included in our study as a leading security risk.

|

Whether It Be Money, Time or Heart, Spend Wisely

Perhaps it cliché, but the adage has merit. Invest your time and money wisely in ways that matter. You can't throw money at the problem, and certainly the majority of law firms I've worked with hold their purse strings closely. Spend wisely and focus on what matters. Applying a strategic approach to security means you improve your posture, which increases your ability to adapt to new technologies and deliver the services that your law firm needs to remain competitive.

*****

Mark Sangster is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In addition to Mark's role as VP and industry security strategist with managed cybersecurity services provider eSentire, he also serves as a member of the LegalSec Council with the International Legal Technology Association (ILTA). A member of our Board of Editors, he can be reached at [email protected].

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.