Audits & Scrutiny Drive Law Firms to Seek Stronger IT Security Profiles
While the retail industry has been in the spotlight lately for a rash of high-profile data breaches, the vendors that support it, and law firms in particular, have also come under scrutiny for their role in keeping client data secure.
The Federal Bureau of Investigation (FBI) has been advocating higher data security standards in the law firm industry for years. Its concern is corporate espionage, particularly at law firms with foreign offices in China or Russia.
Beyond the federal government, major retail and banking clients are also pushing their outside counsel to take a closer look at their security profiles. According to an article from the New York Times Dealbook, clients are the primary driver: many are threatening to withhold legal work from any law firm that refuses to improve its data security. As a result, strong IT security has become a differentiator for law firms seeking major corporate clientele.
Compliance Drivers for Law Firm Security
Some larger clients are even requesting data breach liability insurance as a term in their contracts with law firms. Banking clients in particular are facing pressure from financial regulators that require them to ensure their vendors are security-conscious.
Compliance regulations are yet another driver of law firm data security, such as PCI DSS for the retail industry and HIPAA for healthcare. The recently updated HIPAA omnibus rule also brings business associates (vendors) of covered entities into the scope of compliance, requiring them to implement the same data security standards as the organizations they support.
As a result of these regulations, some financial institutions are asking law firms to fill out “60-page questionnaires” about their security profiles, and even conducting on-site inspections, according to NYTimes.com.
Law Firms Already Worried
Technology directors and CTOs aren't completely in the dark about growing security threats: the 2013 American Law Tech Survey reports that 86 percent of law firm IT professionals are more concerned about security threats now than they were two years ago.
What's driving the focus on security? Tougher regulatory requirements in law firm client industries, including banking and healthcare; more security-conscious clients; and more targeted attacks on law firms by hackers using increasingly sophisticated techniques.
Another trend among law firms is rising IT budgets. Capital and operating expense budgets have increased for about half of the survey respondents (46 and 49 percent, respectively). Part of that increase is being allocated to security, including dedicated security personnel, according to AmericanLawyer.com.
Protect Against Phishing & Human Error
When it comes to the threats law firms face, phishing and human error prove to be the weakest links, and neither is new or sophisticated. Both exploit the same weakness: a password used as the only form of protection, so that whoever obtains the password (by tricking the user into typing it into a fake login page, or by guessing a reused one) gets the same access as the user.
Industry compliance regulations already require two-factor authentication for remote access to internal networks, and law firms have started to recognize the same need for a second layer of authentication. A second factor that changes with every login means a stolen password on its own is no longer enough to log in.
Find out more about two-factor authentication in Why Two-Factor Authentication? Read more about lessons learned in retail, healthcare, tech and financial industry breaches, and how they could have used two-factor authentication to prevent data theft and account takeover.
Check out these related posts on compliance:
What Windows XP End of Life Means for PCI DSS & Device Security
PCI DSS 3.0 and Two-Factor Authentication
Streamlining Two-Factor Authentication for Health IT
Two-Factor Authentication for Electronic Health Record (EHR) Apps