As DarkReading recently reported, there is good news about law firm security: The legal sector scored second-best in the latest security ratings report by BitSight, just ahead of retail and behind the formidable financial industry. It's hard to surprise me, but this report did. As much as I've seen greater attention to cybersecurity by law firms over the past several years, I've also seen a lot of data breaches, some public and some not. Since BitSight uses publicly disclosed breaches to benchmark security, it may be that there are a lot of law firm data breaches that have not been publicly disclosed. It is also probable, since BitSight analyzed 1,269 legal entities, that the sample did not include many solo and small firms.
The bad news: More than half of law firms are vulnerable to a known attack called DROWN, which breaks encryption and exposes communications and information on Web and e-mail servers and VPNs, and a large percentage of law firms received low security ratings.
BitSight provides a credit-score-style security rating system for various industries. On a security rating scale of 250 (lowest) to 900 (highest), finance scored 703; legal, 687; retail, 685; healthcare, 668; energy/utilities, 667; and government, 657. Legal actually dropped two points from last year's rating of 690.
Seventy percent of law firms surveyed in the recent Law Firm Cybersecurity Report by ALM Intelligence said they are under pressure from their clients to beef up internal data security, but only about half conduct regular "fire drills" for incident response. The report said firms were nonetheless confident in their ability to thwart attacks.
Um, that's not what they tell us. But it does make for good PR.
"Many firms' confidence in their own cyberattack preparedness seems misguided. Our research indicates that most remain surprisingly unprepared for the threat," said Daniella Isaacson, co-author of the report and ALM Intelligence senior legal analyst. "For example, many never test their cybersecurity protocols. This means that on the day of a breach, those firms are using an unproven response plan."
Now that rings truer to my ears.
Hat tip to Dave Ries.