I recently read an article HERE describing how law firms may be vulnerable to cyber-attacks as Mr. David Ries is pictured holding technologies that are at least ten years old.
Mr. Ries is considered to be a "leading expert" in cyber-security and is only now coming to the press with this information?
I guess the joke is on "them"...
Indeed this article addresses security concerns, ones that will not be addressed until the hand is strictly forced.
Having performed security consulting work in these environments, I have made numerous attempts to “pitch” the need for robust security infrastructure and methodologies inside law firms.
Training and education, standards, quality security employees or teams, etc. etc… before the tsunami strikes.
Unfortunately, many law firms tend not to employ highly trained, experienced or recognized security professionals, particularly those seated at “higher” positions within the firm.
Law firms tend to keep the circle tight and don't always subscribe to industry style structuring, especially regarding information security. Many firms are accustomed to hiring "experts" for cases or trial and then quickly giving them the broom.
My personal experience has been that many law firms generally hire those that are average at best, and give those average employees too much to protect with too little funding or personnel to achieve their goals – because law firms are not being strictly “compelled” to protect those assets.
It all comes down to risk vs reward and many law firms do not see the need… especially when it comes down to allocating the required funds for experienced security “leaders”.
Read the exhaustive list of standards and requirements and you will not find where law firms are strictly or specifically included… where are formal reporting or audits included?
I would argue that law firms (lawyers) make incredible arguments, considering that is what they are paid to do, and that it will be difficult for any outside body to compel them to follow a strict standard – Judges are lawyers too.
I have read many articles that state “no large breach has taken place that would require notification”. Considering there are no real legal requirements to do so, it is disingenuous to make such a statement. There have been reported breaches, but those are only the tip of the iceberg. There is much, much more taking place behind the curtain that is not being reported.
Most importantly, some of this information can be just as confidential, if not more confidential, than medical and financial information.
So where is the outcry and why is this sector largely ignored?
I personally believe that the general public is ignorant regarding the information possessed by law firms, that law firms inherently know the laws and willingly accept the risk because there are few “real” deterrents or penalties that could be easily administered.
When the ethics rules and opinions relating to law firms openly use wording such as “reasonable” to define what must be done to safeguard information, and then do nothing to define “reasonable”… that is clearly an ambiguous statement that allows for plausible deniability.
If Mr. Ries and those like him wish to truly secure their assets and trade-craft, I would strongly suggest hiring long-term, highly qualified security leaders that are capable of leading a team of security professionals: professionals that understand the threats of today and the potential threats of tomorrow, and have already covered the passé threats of yesteryear.