It can seem overwhelming and sometimes it is. Imagine the victims of cyberattacks, like ransomware. Imagine the frequently changing and demanding legal and regulatory requirements for protecting the privacy and security of personally identifiable information. Lawyers and their clients are subject to both. Many are the firms that have concluded that other than the very largest entities, few organizations have the resources needed just to track all of this, let alone implement any meaningful compliance program or controls.
Audits and risk assessments confirm that you cannot eliminate the risk and also the legitimacy of the frustration with the notion of “compliance.” But this sh*t ain’t goin away. So, what does it really mean? What can be done, practically speaking.
Know The Data
A few things all organizations should address. Know the data. Understand the processing of data. Understand that policies, procedures, contract terms, and website terms of use are only part of the solution. Talk about the things unfamiliar to you, such as descriptions/diagrams on data security and privacy frameworks, data maps – the Who, What, and Where of the information your organization processes, and incident response. You don’t need to be the expert. You do need to own the results of what the experts do.
Remember that privacy/security laws and regulations may be applicable to you based on – where the data is stored/processed; the vendors/subcontractors you use; who are the data subjects; where the data subject resides; and the types of data.
Get a Cyber Consultant
Data privacy and cybersecurity should be considered as impacting every aspect of your business. A cyber consultant should be your strategic partner in safeguarding your organization against evolving threats and guide your efforts to protect the confidentiality, integrity and availability of your digital assets in an ever-changing landscape.
How do I find one? Ideally, you want one you know and trust. One that makes you feel comfortable. Comfortable that they know their stuff and comfortable that they appreciate and understand a law firm’s business, clients, and specific concerns. It isn’t easy to find both. It is worth the effort. Look for a technical advisor who will help you decipher the buzzwords and understand the practical implications. Ask them about some of the basics, and how they propose to address those. Can they explain the practical aspects, in a law firm setting, for:
- Incident Response
- Penetration Testing
- Risk Assessment
- Compliance Management
Traits to look for:
No. 1: Expertise and Specialization. Look for consultants with a meaningful understanding of the legal industry and its specific cybersecurity challenges.
No. 2: Proven Track Record. Evaluate the consultant’s experience with assessing and implementing solutions for law firms.
No. 3: Holistic Approach. Seek consultants who adopt a holistic approach, considering not only technology but also people and processes. One who understands your business and its needs before taking any action.
No. 4: Adaptability to Emerging Threats. Ensure the consultant stays up to date on the latest cyber threats and technologies.
No. 5: Clear Communication. Look for consultants who can explain complex cybersecurity concepts in clear, understandable terms. One who can orchestrate collaboration and ensures all stakeholders are on the same page.
No. 6: Customization of Solutions. Each organization is unique, and a one-size-fits-all approach doesn’t suffice.
Now What?
What next? Questions? Concerns? You aren’t alone. Start the conversation. At the end of the day, this sh*t doesn’t mean perfection, but it does require reasonable effort and avoiding the issue is never reasonable.
