You can protect client data from malicious hackers, right? Prove it. “We have a request a month from clients to demonstrate how secure we are,” said Lionel Cochey, director of information security governance and risk management for Bennett Jones LLP.
Hackers can’t always crack the digital defences of a target organization. So, they attack those of their lawyers instead. They may use any information they can steal to hurt a business through its lawyers.
ISO 27001 certification
Service providers (like lawyers) whose clients value security may want to consider acquiring ISO 27001 certification. “This is a comprehensive standard,” said Cochey. “More than 300 security controls apply to the organization, and you need to go through them one by one,” he said.
Cochey ought to know. Two years ago, Bennett Jones attained ISO 27001 certification.
Cloud-based document and e-mail management service provider NetDocuments did the same thing around the same time and for the same reasons.
“Businesses that engage with NetDocuments to store and organize their information need assurance that we have implemented appropriate controls to protect their information,” said David Hansen, director of compliance for NetDocuments. Certification took both companies two years. If it takes this long, why not just download the documentation and implement the standard? “We can tell (clients) a good story,” Hansen said. “They need to have that verified independently. That’s where national and international standards come into play.”
Cybersecurity certification process
To start the process, Cochey recommends firms dive into requirements, then perform a mock audit about a year after getting started. “You identify and fix gaps,” he said. Before the real certification audit, he recommends another mock audit.
Hansen explained that ISO 27001 audits run on a three-year cycle. “The first year, you do a comprehensive audit,” he said. “You receive your certification. In years two and three they do a surveillance audit. They ensure you’re still practising the things that were initially audited. In the fourth year, you start the process over again with a comprehensive certification audit.”
Audit costs for NetDocuments will rise. “We’ve added new controls to our scope that we didn’t have several years ago. We want auditors to understand and document them,” Hansen said.
One group bears most of the certification burden. “The IT group has formally documented procedures,” Cochey said. “It also affects contractors who work with the firm.”
Other parts of the firm must also buy in. “You need to engage management, the senior partners, the board of directors,” Cochey explained. He added that IT must inform end users of changes that affect them.
Changes in cybersecure businesses
Hansen expects changes to go deeper. He noted that people have approached him from other departments and said: “David, here’s a situation we have. What do we need to do to ensure we meet security obligations if we go down this path?”
“Security is part of the daily thought process for all these departments. That is really exciting! This wasn’t happening when I first got hired.”
ISO 27001 isn’t the be-all and end-all of cybersecurity. It’s just the start. “(The standard) is a set of best practices, so it can’t be specific in terms of technical controls,” Cochey said. “For example, it says you need an anti-malware solution to protect your systems. It doesn’t say you need this type of solution to protect you against ransomware.”
ISO 27001 isn’t the only security standard. “We’re looking to undergo an audit against GDPR (General Data Protection Regulation), the new unified standard for data protection and data privacy coming out of the European Union,” Hansen said. He expects certification against ISO 27018 (for cloud service providers) and certain elements of HIPPA regulations later this fiscal year.
Law firms moving towards cybersecurity
Why will law firms seek certification? In Cochey’s view, they can’t afford not to. “Because law firms are not regulated as the finance industry or the electricity industry are, there is no other obvious cybersecurity certification for law firms (than ISO 27001),” he said.
“The industry is maturing and it is expected that more cybersecurity guidance or frameworks will come to light within the industry,” Cochey added. “In the meantime, more and more clients are imposing their own cybersecurity requirements on law firms, and this is driving the level of security compliance within these firms.”
This article originally appeared on The Lawyer’s Daily website, published by LexisNexis Canada Inc.
Well, the problem is many lawyers use free email accounts for official work. They do not invest in a paid email account or domain name which represent their identity.
Also, even after 27001 compliance 100% security cannot be achieved. Training and Awareness and being alert is the main control for any incident to be avoided.
“Human Behaviour is the Biggest Risk in Security” – Vicky Shah, Asvocate