With a big focus on the Ashley Madison hack, law firms are showing increased anxiety around external threats to their computer systems, a new report has found.
The report, prepared by Digital Defense Inc. as the International Legal Technology Association conference gets underway in Las Vegas this week, examines the North American legal industry’s information security practices. While the focus is largely on the United States, the more than 150 participating firms also included respondents from Canada.
“I think they’re very applicable to the Canadian market as well,” says Meg Grant, a vice president of Digital Defense, of the study’s findings. Her company provides businesses with security software and consulting services.
According to the report, external threats such as hackers have replaced malware as the biggest perceived security threat. As for law firms’ top information security concerns, they range from employee negligence to phishing attacks and viruses.
Despite the concerns, the study found 65 per cent of the law firms that participated have no staff devoted to information security, with 31 per cent of them reporting budgets for the issue in the range of $10,000 to $50,000. The study covered a range of law firm sizes, with 36 per cent of them employing fewer than 150 people.
In terms of law firms’ actions to deal with security threats, the study noted a couple of areas of concern. The biggest is around vendor management, in particular the lack of an evaluation process. According to the study, 63 per cent of respondents don’t use a vendor evaluation process.
“A lot of breaches are a result of phishing attacks not only on employees but on third-party contractors,” says Grant.
“I would say that would be something that firms would really want to evaluate,” she adds, citing the need to ensure vendors meet criteria around issues such as access to law firms’ networks and information.
When it comes to firms’ responses to security threats, the most common one is information security training for employees, followed by encryption and intrusion detection.
“That’s a positive trend because that’s a big target for hackers,” says Grant of the vulnerabilities around employees.
Firms commonly conduct such training once a year or when hiring new employees. A further 11 per cent of respondents have no training programs around information security.
While the Ashley Madison hack is the big issue of the day, of course, Canadian law firms have suffered significant breaches in the past. In April 2011, hackers attempting to access sensitive documents targeted four Canadian law firms by posing as partners who were working on an acquisition of a Chinese company.
Overall, Grant says she has seen some improvements in law firms’ responses to the issue but notes what’s key is dealing with the issue on a regular basis.
“You have to have a program in place,” she says.