Law firms are struggling with their cybersecurity practices

Law firms store some of the most sensitive information available regarding material business transactions, intellectual property and personal data.

But a new study from the International Legal Technology Association (ILTA) and Conversant Group reveals a disconnect between legal firms' IT and best-practice cybersecurity.

"Because law firms are a top target of global threat actors and tactics like ransomware, ILTA recognized the need for a more in-depth, focused cybersecurity benchmarking survey beyond the ILTA technology-focused survey already being issued annually," says Mark Grazman, Conversant president and ILTA technology survey volunteer member. "This focused survey goes much deeper into law firms' security practices and posture, and it will enhance the industry-wide conversation about improving law firm cybersecurity and resilience given their high level of targeting and risk."

Nearly three-quarters of respondents believe they are more or much more secure than their industry peers, yet the detailed results demonstrate significant security gaps across firms of all sizes.

65 percent of responding firms say they have lateral movement defenses in place, but the data doesn't demonstrate that multi-factor authentication (MFA) is employed as comprehensively as required to constitute lateral movement defenses.

When asked about the top three threats to security, the top response (39 percent) was user behavior and lack of training to prevent this harmful behavior, rather than any threat actor activities. The data reflects that firms, on average, are not implementing controls that are needed to mitigate user risk, which would put greater control of user risk in IT's hands.

The study also finds that backups are not viewed as a top security control. Only 11 percent view backups as a top control, and only 24 percent report having multiple immutable copies of all data to protect against total loss.

"The key results we see from this survey show clearly that, without policy and procedure, firms are making security optional, left in the hands of users that are not technologically competent or trained enough to know how to be safe in a world that is both ever-changing and harder to innovate in without risk," says Beth Anne Stuebe, director of publications and press at ILTA.

The full report is available on the ILTA site.


© 1998-2023 BetaNews, Inc. All Rights Reserved.