Cybersecurity is essential for every kind of business, across every industry. Many companies have no choice but to shore up their cyberdefenses, with legal mandates and penalties applied for noncompliance. And, while cybersecurity requirements for law firms are relatively lax in comparison to other industries, lawyers still have a professional obligation to keep their clients' information safe. For many firms, partnering with a cybersecurity provider is the best way to do so.
But what makes a good cybersecurity partner for a law firm? Let’s discuss.
4 Law Firm Cybersecurity Best Practices
Law firms aren't bound to legal-specific regulatory codes for cybersecurity, at least for now. But the American Bar Association (ABA) Model Rules of Professional Conduct, which most state bars have adopted in some form, require attorneys to protect their clients' information: rule 1.6(c) obliges a lawyer to make reasonable efforts to prevent unauthorized access to, or disclosure of, information relating to a client's representation. Two formal opinions sharpened that duty: Formal Opinion 477R (2017) addresses securing electronic communication of client information, and Formal Opinion 483 (2018) sets out a lawyer's obligations after a data breach or cyberattack, including the duty to notify affected clients.
Given these strictures, it's imperative to find a quality cybersecurity partner to help implement all law firm cybersecurity best practices. Specifically, there are four key areas your cybersecurity partner should help you with:
- Cyberdefense architecture and implementation
- Threat and vulnerability management
- Third-party risk management
- Regulatory compliance
These qualities are an absolute necessity for any cybersecurity partner you consider. Below, we’ll first describe what each quality is. Then, we’ll illustrate why it’s critically important.
Quality #1: Cyberdefense Architecture and Implementation
The first and most important quality in a cybersecurity partner is the outright strength and capability of the provider’s cyberdefense services. Nothing is more important to the overall cyberdefense of a company than the basic framework or architecture upon which it’s built.
You should seek out a partner who's able to build a strong foundation, one that's custom-tailored to the specific needs of your organization and adaptable to the ever-growing threats of cybercrime.
Since law firms aren't beholden to industry-specific cybersecurity frameworks, your cybersecurity may be based on a more generalized model, such as:
- CIS's Critical Security Controls – Developed by the Center for Internet Security (CIS), version 7 of the controls specifies 20 controls across three tiers (the 2021 version 8 consolidates them into 18 controls and replaces the tiers with three Implementation Groups sized to an organization's resources and risk):
- Basic controls that govern bare minimum practices all institutions should implement, such as routine inventory and monitoring protocols.
- Foundational controls for next-level protections around a company’s perimeter, as well as within and between the various software and servers it uses.
- Organizational controls that operationalize security across the entire company, including training of all personnel and deep analytical measures.
- NIST's Cybersecurity Framework – A set of core cybersecurity functions recommended by the National Institute of Standards and Technology (NIST); version 2.0 (2024) adds a sixth, Govern, covering risk strategy, roles and policy:
- Identify the assets, systems, data and risks your practice depends on
- Protect critical resources by implementing safeguards
- Detect and categorize cybersecurity events as they occur
- Respond immediately to limit the impact of such events
- Recover resources compromised as a result of events
These models, along with others (like ISO/IEC 27001), provide flexible and scalable approaches that apply to a wide variety of businesses, including law firms. But there are scenarios in which targeted regulatory frameworks may apply to your practice (see quality #4 below).
Quality #2: Threat and Vulnerability Management
The second quality your cybersecurity partner should have is a strong focus on potential weaknesses in your architecture and general network: vulnerabilities that could be exploited by cybercriminals. This internally focused form of cyberdefense is often referred to as threat and vulnerability management.
Just as threats vary widely across companies, so too do the specifications for how to manage them. The Department of Homeland Security (DHS) has developed a four-step, cyclical approach to vulnerability management that's applicable to any company:
- Step 1: Define strategy – Define the overall scope and purpose of your vulnerability management, including three sub-steps:
- Determine scope and mission of strategy
- Determine appropriate and ideal methods
- Determine resources for implementation
- Step 2: Develop plan – Compose the specific plan(s) that will carry out the mission defined in the first step, including eight sub-steps:
- Define plan parameters
- Define metrics for assessment
- Define training for participants
- Define resources and tools
- Define sources of information
- Define responsibilities and roles
- Engage agents and participants
- Establish framework for revision
- Step 3: Implement plan – Put your plan into action, including seven sub-steps:
- Implement ongoing training
- Assess and monitor resources
- Document found vulnerabilities
- Prioritize vulnerabilities by criticality
- Address immediate exposure to risk
- Determine efficacy of mitigation
- Analyze root causes of vulnerabilities
- Step 4: Assess and correct – Monitor and analyze the efficacy of your plan as it's enacted, including three sub-steps:
- Document status of strategy and plan
- Analyze outputs and results of implementation
- Improve plan and/or overall strategy
A stringent focus on the risks that exist within your architecture is one key to staying safe. But it’s far from the only consideration, as many risks also lurk outside your perimeter.
Quality #3: Robust Third-Party Risk Management
The third quality you should look for in a cybersecurity partner is an unrelenting commitment to minimizing risks that come from outside the firm, namely risks from other strategic partners. Third-party risk management (TPRM) involves vetting and ongoing oversight of all other businesses you work with (vendors, cloud and practice-management providers, outside counsel, e-discovery and litigation-support firms) to ensure that they don't bring any cybersecurity risks into your orbit.
The HITRUST Alliance has defined a flexible TPRM process applicable to any institution, including law firms and legal practices. It includes the following procedures:
- Initiate the following steps prior to any new contract or change in contract
- Collect all available information about the third party's cybersecurity practices
- Qualify the integrity of the third party by vetting the accuracy of that information
- Accept or decline the third party, given the level and type of risk evident
- Select third-party officially and confirm security requirements via contract
- Monitor third-party throughout course of relationship for changes to security
While you can exercise complete control over your own cybersecurity architecture and practices, you have scant control over other businesses' practices. When entering into a contract with a vendor, supplier, or other third party, you need to account for any potential flaws in their armor, and the contract is where security requirements, breach-notification timelines and audit rights get written down.
Your cybersecurity partner should help develop and implement a plan based on this (or any other) TPRM framework. That way, one partner can become the key to security across all others.
Quality #4: Comprehensive Compliance Guidance
The last quality you should look for has to do, ironically, with the legality of your own legal practice. You want a cybersecurity partner that helps you meet all legally required security measures as defined by any regulatory guidelines you need to be compliant with.
Aside from the ABA guidelines detailed above, legal practices aren't categorically beholden to many specific cybersecurity rules. However, one set of requirements that reaches the majority of law firms comes from the Payment Card Industry Security Standards Council (PCI SSC). PCI compliance is not a law; it is a contractual obligation that the card brands impose, through acquiring banks and merchant agreements, on every business that stores, processes or transmits cardholder data.
Specifically, if you accept credit card payments from clients, you'll need to follow the rules set out in the PCI Data Security Standard (PCI DSS), whose twelve requirements are grouped under six goals:
- Building secure network systems
- Safeguarding sensitive cardholder data
- Maintaining a vulnerability management program (see #2 above)
- Implementing access control protocols
- Testing and analyzing networks routinely
- Developing and maintaining an information security policy
While these rules aren't written for law firms specifically, very few businesses don't accept credit cards, so PCI DSS compliance is a de facto requirement for nearly all of them. One practical caveat: a firm that fully outsources card handling to a PCI-validated payment processor and never stores or transmits card data on its own systems can usually validate against a much shorter self-assessment questionnaire (SAQ A) rather than the full standard. Keeping card data out of your own environment is therefore both a security and a compliance win.
A slightly more niche set of requirements you may need to follow comes from the Health Insurance Portability and Accountability Act, more commonly known as HIPAA. While HIPAA applies directly to covered entities in the healthcare sector, it also applies to their business associates, including attorneys who receive protected health information in the course of representing a covered entity. Such a firm must sign a business associate agreement with the client and, since the 2013 Omnibus Rule, is directly liable for complying with the HIPAA Security Rule's safeguards.
Find Your Perfect Cybersecurity Partner
Ultimately, your firm needs a cybersecurity partner that takes your and your clients' safety seriously, one such as RSI Security.
We’re experts with over a decade of experience providing cybersecurity solutions to law firms and all other kinds of businesses. We’re highly flexible and happy to tailor a cybersecurity plan to the exact needs and means of your company.
As we addressed above, the specific cybersecurity requirements for law firms are relatively lenient, compared to other industries. But that’s no reason for legal practices to take a similarly lax approach to cyberdefense. For a partner that provides a robust framework, addresses internal and external risks, and oversees compliance, contact RSI Security today!