iVision recently had the opportunity to discuss information technology security for law firms in 2021 with several iVision client firm CIOs and CISOs as part of a Legal Virtual CIO/CISO Forum. The primary objective was to learn how law firms are approaching IT security from a people, technology and process standpoint in 2021. The “people” component included IT security professionals such as leaders, architects, engineers and analysts. The “technology” component included key products and service partners. The “process” component included IT security intelligence, assessing security and overall annual spends.
The CIOs and CISOs collectively recognized that the 2021 cybersecurity landscape presents both old and new challenges and pressures. Unfortunately, law firms are frequently top targets for cyber criminals for a variety of reasons, including their public visibility, increased reliance on information technology, possession of highly-sensitive information and perceived financial resources. Some of the top cyber threats discussed included:
- Ransomware – Ransomware is expected to remain a top threat to law firms in 2021. Recently, increased awareness of the threat of ransomware has led to more robust data backup practices. As a result, ransomware threat actors have added the threat of exfiltration and publication of sensitive data stolen from the victim’s environment prior to encryption.
- Business Email Compromises – Business email compromises are also on the rise with the goal of defrauding law firm employees, clients or partners. The most common example is targeted phishing attacks designed to capture user credentials to collect sensitive information or intercede in email communications. The FBI has issued warnings about the rise of BEC exploits, which were responsible for over $1.7 billion in losses in 2019 alone.
- “Industry Breaches” – The past few months have also highlighted the risks associated with “industry breaches,” with SolarWinds and Microsoft Exchange being the top examples. The emerging frequency of these incidents may cause organizations to reevaluate their third-party IT vendor management programs and how they engage with vendors and service providers.
- Work-From-Home Challenges – The shift to work-from-home arrangements has introduced additional security issues such as increased remote connections from employee home networks to corporate networks, as well as information governance issues associated with increased work on personal devices.
These unique challenges will require law firms to focus on various IT security areas, particularly as they relate to data security, governance, security risk management and compliance. For instance, the threat landscape is leading to heightened scrutiny and more demanding requirements to achieve compliance with regulatory, legal or industry security frameworks, such as the Payment Card Industry Data Security Standard, the New York Department of Financial Services Cybersecurity Regulation or the Healthcare Insurance Portability and Accountability Act Security Rule. Similarly, safeguarding of client data and monitoring the integrity thereof is becoming more paramount as clients demand stronger protection and data security measures. Through this lens, law firms have the great responsibility of assessing and managing risk by balancing the implementation of security measures with business operations, efficiency and cost considerations. Some key takeaways from the Forum are the following:
Organizationally, most iVision client law firms have security personnel reporting to the CIO. The design and reporting structure below the CIO level, however, was inconsistent and several different approaches were observed. Perhaps most notably, the number of “full-time equivalent” employees devoted to security ranged from 24 to 0.1 FTEs, with a mean of 4.62 FTEs and median of 2.0 FTEs. While this, of course, has to be controlled for firm size and revenue, firm IT security leaders recognized that, in general, they needed more professionals dedicated to security. Many firms expressed interest in SOAR solutions that can potentially alleviate some of the personnel issues through automation.
Consistently, iVision client law firms displayed extremely effective use of security technology. About half of the firms use a managed SIEM/SOC provider to improve the quality of alerts and remove the continual tuning efforts. The other half have implemented self-managed SIEM or will be looking at adding this capability in 2021. There also has been a clear movement to EDR and XDR solutions. Firm use of technology also illustrates the adoption of layered security through the use of “best of breed” network security products with overlapped and complimentary tools. Additionally, firms have invested resources in email security technology through use of targeted threat protection solutions and multi-factor authentication.
iVision client law firms are also leveraging a variety of IT security intelligence resources to evaluate the current and emerging threat landscape. These include both free services, such as FBI Bulletins, and paid services, such as ILTA LegalSEC. In terms of allocating financial resources, the data revealed that firms typically have one IT Security FTE for every $100-150 million in revenue. Most firms noted that the work-from-home arrangements will impact security-related processes moving forward, including the focus and scope of security auditing and assessments.
A consistent theme recognized by the CIOs and CISOs was the increased reliance on external resources to enable firms to scale. For instance, nearly every IT security leader referenced cloud migration of large workloads. Another example was the increased outsourcing of security components, such as externally-managed SIEM. While leveraging these resources certainly makes sense and enables firms to handle tasks that would not have been practicable if everything was conducted “in-house,” this transition also highlights the need for trained security professionals who understand and can manage and respond to issues that arise from these solutions.
In sum, law firm IT security leaders certainly recognize the increased threats their industry faces. The key remains determining the best way to allocate limited resources to defend against these. Moving forward, we expect to see continued enhancement of people, technology and process resources as external pressures, such as client demands and regulatory requirements, increase the visibility of law firm security posture. As your trusted managed IT services provider, iVision’s goal is to help law firms address their unique challenges and enable their success through use of strategic solutions using technology, services and support. Thanks again to all participants for the fascinating insights.