BreachExchange mailing list archives

Law firms must address cyber threat says Deloitte


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 15 Oct 2013 00:52:03 -0600

http://www.thelawyer.com/analysis/the-lawyer-management/law-firms-must-address-cyber-threat-says-deloitte/3010900.article

While high-profile targets like major banks or critical infrastructure such
as power stations or transport networks may be seen as facing the most
obvious risk, the legal sector should not underestimate the threat it faces.

Law firms often benefit from a long, trusted relationship with their
clients. They have privileged access to sensitive, high-value information
such as intellectual property, commercial details around mergers and
acquisitions and personal information. Law firms may also be considered
targets for cyber attacks due to their client base and connection to public
interest or high-profile cases.

If any of this information were to fall into the wrong hands it could
affect client relations and cause irreparable damage to a firm’s
reputation. Furthermore, a major cyber security incident could trigger
potentially devastating legal proceedings and result in regulatory
sanctions.

Law firms are increasingly being targeted because they are often regarded
as a weak link in the security chain and an easy route to clients’ data.
Attackers are likely to be highly sophisticated and will invest time and
resources in getting to the information law firms hold. Companies must
adapt their security to respond to this threat.

Companies are now recognising the risk posed by third-party security
breaches and are starting to take action, for instance by contractually
requiring suppliers to maintain a certain level of cyber security. In the
US, many banks are now auditing their law firms to assess their level of
security, with non-compliance having the potential to result in the loss of
business. With increased regulatory scrutiny on both sides of the Atlantic
regarding cyber security, we expect this trend to quickly spread to Europe
and to all industry sectors.

Legal organisations need to act now to address their cyber security risks.
They must ensure their systems are appropriately protected to retain the
trust of their clients and the competitive advantage.

Law firms should consider three key points:

- To work towards long-term cyber resilience, they need to understand their
  risk profile and identify what specific threats they face, which assets in
  the organisation are most at risk and what the potential impact of an
  attack would be.

- They must then consider implementing flexible and focused security
  strategies that will continuously improve their security. Activities
  include training and awareness programs, risk assessments, policy and
  procedure creation and role-play simulation to increase board awareness of
  the cyber issue.

- In the immediate term, firms need to consider what would happen if a
  successful attack were to happen tomorrow. They must decide how they will
  react and how they will notify any affected clients and the appropriate
  regulator. Firms must ensure they are monitoring their systems so that they
  know as soon as possible if an attack is happening, and have a clear and
  effective response procedure to quickly stop the attack and limit any
  damage.

Law firms should not view cyber security as a drain on valuable resources;
instead it should be considered a business enabler. By proving they are
taking the risk seriously and reassuring clients that their data is safe,
they can secure clients’ trust and gain business from competitors who do
not offer the same protection.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/