Cybersecurity assessments: Building legal sector defences

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on digital trust, environmental, health, safety, security, and sustainability.

October 19, 2023 - A cybersecurity assessment is an objective analysis of how an organization protects electronic information and IT assets. The findings help establish the effectiveness of an organization’s security risk management in relation to the protection of digital assets from unauthorized access, alteration, damage, disclosure, or misuse.

Securing the legal sector

In the legal industry, a cyber attack or data breach could result in legal action being taken, regulatory fines, or reputational damage. If a law firm is found to have insufficient security measures and has ignored recommendations to strengthen them, the validity of any cybersecurity insurance, or the success of a legal claim for damages could be jeopardized.

As with all insurance-related matters, solicitors need to report truthfully to their brokers regarding their IT risk assessments and remediations. A lawyer may not need to fully understand every detail of a cybersecurity assessment, but law firms should educate their staff and provide best practices so that appropriate security controls can be implemented and understood by all stakeholders.

Overview: Cybersecurity assessment

A cybersecurity assessment aims to mitigate the likelihood and impact of risks posed by internal and external threats. The results are then finalised in a formal report which includes recommendations to remediate identified risks. The evaluation:

  • Clarifies what IT applications, devices, software, and systems are used by the organization.
  • Reviews relevant law firm policies and handbooks.
  • Assesses the training and behaviour of staff.
  • Establishes an organization’s internal and external risk factors, such as staff working off-site, sharing portable data storage devices, and using their own personal devices for work.

Some considerations when carrying out an assessment include:

  • Be proactive, not reactive: Given the ever-changing threat landscape and new, disruptive tactics used by bad actors, assessments are best carried out on a proactive basis. Avoiding a reactive approach means legal firms can tackle potential threats before they cause significant damage to digital assets.
  • Frequency depends on the organization: Where a law firm has achieved information-security certification, such as ISO 27001, a formal assessment may take place annually as part of the requirement to maintain such standards. Where a law firm has not achieved such standards, the frequency and scope of an assessment can vary depending on its needs. One law firm may need to focus more time assessing some security measures than another, due to the nature of their business, the type of IT structure it has, or recent suspected cyberattacks.
  • Components: There are technical and non-technical aspects to a cybersecurity assessment that, at a high level, evaluates how well policies, processes, people, and systems contribute to the security of electronic information and IT resources.

Depending on the type of assessment, it is likely to cover:

  • IT governance
  • IT risk and asset management
  • Hardware and software supply chain
  • Identity and access control
  • System security
  • Data protection
  • Business continuity
  • Security monitoring
  • Staff awareness and training.

Final considerations

While a law firm can assess itself, it is recommended that this type of assessment is best undertaken by an independent third party that can objectively analyse the effectiveness of security measures. An unbiased outcome can offer the most effective long-term benefit.

This article was originally published in Law Society Gazette Ireland in their August/September 2023 edition under the title: Potential threats. The content has been modified and condensed for this blog. Refer to the full article for Matthew Goodbun’s complete insights on this topic. For more insights on other digital trust, privacy, information security, and environmental, health, and safety topics that should be at the top of your organization's list, visit BSI's Experts Corner.

Matthew Goodbun

Matthew Goodbun is senior privacy consultant at BSI, which supports organizations in maintaining compliance with regulatory requirements and prioritizing privacy. This cybersecurity series is facilitated by Tanya Moeller, inhouse counsel with ServiceNow and vice-chair of the Law Society’s Technology Committee; Nicola Kiely, a partner in Comyn Kelleher Tobin LLP and a member of the Technology Committee; and Deborah Leonard, secretary to the Conveyancing Committee.