You cannot possibly fix what you do not know is broken. That’s a fact. We are now at a point where 15 percent of attorneys have received from a client or prospective client a request for a security assessment. Thirty-four percent have received some sort of client security requirements document. We also know from our own clients that assessments required by insurance companies in order to get cyber insurance are becoming much more prevalent.
Even if no one requires you to do an assessment, your firm absolutely needs one—and it should be done annually as a best practice. Why don’t law firms have an assessment done? Mostly because lawyers fear the costs of the assessments—and the costs they may incur in fixing what’s wrong. Fear of the unknown?
While it’s true that large law firms generally seek out large (and therefore more expensive) cybersecurity firms, it’s equally true that there are many smaller cybersecurity firms with reasonable fixed-fee prices for doing assessments and providing reports identifying network vulnerabilities.
What should you be looking for besides a reasonable price? Make sure the company has true cybersecurity certifications. IT certifications are not cybersecurity certifications. Make sure they follow NIST cybersecurity practices and standards, with reporting that follows the guidelines of a reputable organization such as the Center for Internet Security.
What you want as an end result is to know what critical vulnerabilities you are exposed to, so those can be fixed right away. The report will also identify medium and low risks, which should also be addressed as soon as possible. The report should further detail the findings and provide options for mitigating and managing the potential risk. The idea is to use the assessment as a baseline and a planning guide for protecting not only the firm’s privacy, but the lifeblood of your firm’s revenue: your clients’ information.