Robust information security practices are critical to the legal sector - yet there is a notable gap between the risks that firms face and their ability to mitigate them.
Neil Ford, website copywriter at IT Governance, global provider of IT GRC solutions, explains how gaining ISO 27001 certification - the international standard for information security management - can close that gap, improve business efficiency, and support compliance.
As well as its own corporate data, your firm holds a wealth of client information - including confidential business information, proprietary information and intellectual property, litigation strategy information, financial information, personal data, and other legally privileged information. Law firms are also widely regarded as relatively insecure. Together, these two factors make you a very attractive target for criminals.
Although information security incidents affecting high-profile firms seem to be hitting the headlines on a much more regular basis, it’s worth remembering that targeted cyber-attacks are only part of the legal sector’s problem - and it’s not just big firms that are at risk.
PwC’s 25th Annual Law Firms Survey 2016 found that 73 per cent of all law firms suffered an information security incident in the previous year - a conservative figure, given that the time it takes security breaches to be discovered is typically measured in months rather than days, and smaller firms in particular lack the resources to identify incidents.
Every law firm faces information security risks. Automated phishing emails and ‘drive-by’ attacks indiscriminately spread ransomware and other malware via security flaws in your computer systems. Staff can access information they shouldn’t, increasing the risk that they will email it to the wrong person - whether maliciously or inadvertently. Laptops can be lost, phones stolen and paperwork misplaced.
All of these incidents represent data breaches and, if they affect personal data, could incur fines of up to four per cent of your annual global turnover or €20 million - whichever is greater - under the new General Data Protection Regulation (GDPR), which will apply from May 2018. (The government has now launched its Data Protection Bill, which, among other things, will bring the GDPR into UK law in time for Brexit. However, as the bill is yet to be enacted, I refer to the GDPR.)
Information security is not just about technology
PwC’s survey found that 41 per cent of all law firms had suffered information security incidents as a result of their own staff. It is this human element that often leads firms to overestimate the strength of their defences. As a rule, people will always take shortcuts to make their jobs easier - and good security can often be a casualty of the race for efficiency.
When any employee can jeopardise your firm’s security with a single careless mouse-click, it should be clear that mitigating information security risks is about far more than implementing processes, and installing antivirus and anti-malware programs. A more proactive approach is needed.
What is ISO 27001?
Having worked with top law firms - including Eversheds, Freshfields, and Slaughter and May - as well as many smaller practices, IT Governance knows the importance of implementing robust information security best practice within the legal profession, as defined in the international standard ISO/IEC 27001:2013 (aka ISO 27001).
ISO 27001 sets out the requirements for an information security management system (ISMS), a best-practice approach that incorporates people as well as processes and technology, and mandates regular staff awareness education and training as well as technical and procedural measures.
What are the benefits?
- Because its approach is based on regular risk assessments, ISO 27001 can help your firm maintain the confidentiality, integrity and availability of your and your clients’ information assets by implementing controls that address the specific risks you face - whether they come from targeted or automated attacks.
- It helps improve your organisation’s cybersecurity posture and business efficiency while ensuring you meet your legal and regulatory data protection obligations.
- Firms that implement an ISO 27001-compliant ISMS can achieve independently audited certification to the Standard to demonstrate their information security credentials to clients, stakeholders and regulators.
- Once your ISMS has been certified to the Standard, you can insist that contractors and suppliers also achieve certification, ensuring that all third parties that have legitimate access to your information and systems also maintain suitable levels of security. This is especially important for GDPR compliance, as you will be liable as a data controller if any third-party data processor suffers a breach.
- You’ll be in good company, too: approximately 25,000 organisations around the world - including numerous law firms - are already certified to ISO 27001, and companies looking to contract with governments or large corporate clients will increasingly find that ISO 27001 is a prerequisite for doing business.
I should emphasise that certification is merely advisable, not compulsory, and you will still benefit if you simply want to implement the best practice set out in the Standard - you just won’t have the certification to demonstrate your credentials.
How long will it take and how much will it cost?
Unfortunately, it’s all but impossible to describe an ‘average’ ISO 27001 project for the simple reason that there’s no such thing: each ISMS is specific to the organisation that implements it, so no two projects are the same. The entire project, from scoping to certification, could take three months to a year and cost you hundreds to thousands of pounds, depending on the size and complexity of your firm, your experience and available resources, and the amount of external support you need.
An ISMS covers the entire organisation, and many people are understandably daunted by the scale of implementing one, but complying with ISO 27001 needn’t be a burden. An early stage of any ISMS implementation is a gap analysis to determine how far short of the Standard’s requirements your existing practices fall. As the majority of organisations already have some information security measures - albeit ones that have been developed ad hoc - you could well find that you already have many of ISO 27001’s controls in place. Bringing them into line with the Standard’s requirements and integrating them into a proper management system could be well within your grasp.
If you’re new to management systems, it’s worth getting expert advice, but if you are more confident in your ability to implement an ISMS, I recommend that you start by buying a copy of ISO 27001 and its supporting code of practice, ISO/IEC 27002:2013, enrolling on ISO 27001 foundation and lead implementer training courses, and reading an ISO 27001 implementation guide.
About the author
Neil Ford is website copywriter at IT Governance. Neil has worked for IT Governance since 2013. He writes about all IT governance, risk management and compliance issues.