The annual audit myth: Why law firms cannot treat cyber security as a tick box exercise

With cyber criminals deploying increasingly sophisticated methods of attack organizations must go the extra mile to protect their data and avoid costly financial and reputational damage. With new threats emerging each day, these risks cannot be taken lightly. This is particularly true for corporate legal teams and law firms who are prime targets for cyber attackers given the amount of sensitive client information that they hold.

According to IBM’s Cost of a Data Breach 2022, the average consolidated total cost of a data breach in the UK is £3.36 million, up from £2.37 million in 2015. Given the financial and reputational damage a data breach can cause, legal teams and law firms cannot treat cyber security as a tick box exercise. However, there is a tendency to fall into a key myth of cyber security: "We are doing fine as long as we pass our annual security audit."

Although security audits are vital to demonstrate accountability, they should not be the 'be-all and end-all'. Audits need to be part of a wider strategy. After all, cyber security is a constant process, rather than a destination that can be reached.

Here are some important steps you can take to go beyond the audit and help ensure law firms and legal teams have appropriate levels of protection:

1. Create a map of the entire network

The first step in leveling up security measures is to start with the network. Instead of starting with the basic requirements of the audit, companies should create a comprehensive map of everything that is connected to the network.

This includes:

1. Routers, switches, firewalls and WAF
2. Printers and connected devices
3. Internet of Things (smart TVs, thermostats, cameras, etc.)
4. Mobile devices
5. Cloud/SaaS -- software subscriptions and passwords

Seeing the full picture of your network allows you to apply segmentation. Doing this is important as not everything in the network can be focused on at once, so segmentation allows vulnerable parts of the network to be kept separate from the most crucial data.

2. Know where the weaknesses lie

After the network has been mapped, it’s important to build a plan to assess and patch vulnerabilities. According to Forrester’s State of Application Security Report, application vulnerabilities are the most common external attack method, making patch management critical. Research from the Ponemon Institute also shows 57 percent of cyber attack victims report their breaches could have been prevented by installing an available patch and worryingly, 34 percent of those victims knew of the vulnerability, but hadn’t taken action.

This is why companies need to build a plan to assess and patch vulnerabilities and emphasize the importance of network segmentation. If companies have legacy systems, they may not be able to patch them, but they can be decoupled from sensitive information using network segmentation.

Deploying a vulnerability scanner can help to keep companies up to date on where patches are needed and prioritize the network segments with the most risk.

3. Build a user awareness program

The only threat more pressing than patching vulnerabilities is the risk associated with people within the business. Recent statistics from the Information Commissioner’s Office (ICO) revealed that more than two-thirds (68 percent) of data breaches in the UK legal sector were caused by insiders, as opposed to only a third (32 percent) caused by outside threats, such as external malicious actors. 

A separate Verizon report shows 80 percent of hacking-related breaches employ reused, stolen, or weak passwords. There’s been an almost 30 percent increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to a company for the last four years.

Hackers know teams are investing in cyber security. Their best chance of getting into the network is to gain the credentials of someone who has permission to access the network. Therefore, no matter how well the network is protected, if an employee’s credentials are stolen, it creates a huge risk.

To lower this risk and make sure employees are following best practices, there are a few tips to follow:

• Send out a monthly security newsletter: Speak openly about the threats that exist and take the opportunity to teach one component at a time.
• Educate users on how to protect their personal data: When educating the wider business, connect the cyber security issues to real threats that exist in employees’ personal lives so that they can relate. As they are educated on best practices to protect themselves and their families, they will apply better habits at work.
• Perform phishing campaigns: Human curiosity leads people to click on links, which leads to problems. Some companies have their own fake phishing campaigns to test and train their employees. The goal is to create a little bit of healthy paranoia so users will hesitate before clicking on any link.
• Invest in a password vault: Weak and stolen passwords are a critical component of cybersecurity. Using a password vault allows employees to have strong passwords without the constant frustration of forgetting them.

4. Evaluate your vendors

The adage "you can measure a person by the company he or she keeps" applies to firms as well. Vendors can directly influence a firm’s security posture. For mission critical solutions, firms need to select vendors that actually strengthen operations with inheritable security controls and independent compliance validations. As you work with your existing vendors and consider new ones, use these points to evaluate the strength of the security they offer as a vendor-partner with your firm:

• Does the vendor have a mature security infrastructure? Are they following internationally recognized standards for implementing their security controls?
• Does the vendor undergo regular, independent security audits by accredited third parties to validate their compliance with those international standards? Do they share the results of those audits with customers and interested parties?
• Does the vendor share current, useful information about their information security systems so their customers can know and understand what security controls and procedures the vendor is using?
• Does the vendor have staff and procedures dedicated to helping vendor customers meet customer due diligence requirements?

An ongoing proactive approach

There’s no denying that annual security audits are necessary and useful to ensure a baseline level of protection. However, IT departments should not fall into the trap that passing the audit means everything will be safe.

From insider threats to malicious malware, cyber security threats are everywhere. To have any chance of mitigating the risks, corporate legal departments and law firms need to ensure that they take a proactive approach to cyber security. This means building an ongoing process of evaluation and improvement and adopting the right tools to build a solid defense. 

Photo Credit: r.classen/Shutterstock

David Hansen is Vice President of Compliance at NetDocuments. Founded in 1999, NetDocuments is a cloud-based content services and productivity platform. NetDocuments offers a complete end-to-end platform for document and email organization and management, including award-winning security and research capabilities, robust collaboration and search technologies, and seamless integrations with other tools professionals use daily. It recently launched PatternBuilder, a new product empowers legal professionals to replicate and automate their unique templates and processes, resulting in faster, higher-value client service