This story first appeared in the May Orange Rag, since when we have had further input from firms and will bring our next benchmarking report to you shortly.
Legal IT Insider has been working with industry security experts including Accenture as well as a number of CIOs in order to develop and now soft launch CyLok, an interactive tool that allows contributing firms from across all segments of the market to compare their security setup against industry benchmarks and understand their CyLok cyber-security rating. Our research is on-going and we plan to release a regular report on the benchmark and LITI CyLok Index, with comments from key experts.
Our longer-term ambition is that, with engagement from corporate counsel, the LITI CyLok Index may ultimately reduce the level of work required by law firms to prove their security credentials to clients in RFPs and audits.
We are grateful to the law firms from across the range of UK Top 100 firms that have already completed the Index, from which we can provide some exciting early insights. All results are anonymised and for the firms that are early contributors and adopters of the LITI CyLok Index, we will be sharing with them insights on their rating by segment. Based on the research, we will release general insights to help all firms improve their security.
The trends
Towards the end of 2017 we hosted a cybersecurity roundtable in conjunction with Accenture, in which Kelly Bissell the global head of security at Accenture, set out a number of cyber best practices that were incorporated in the index and against which we can benchmark the early results against.
Cyber spend
According to Bissell, firms playing ‘catch up’ with their cyber capability ought – as a very rough guide – to be spending anything from 10% to 20% of their overall IT spend on security.
For firms that are mature in their security, that figure should be around 3-5% of their overall IT spend.
The majority of firms that have completed the CyLok survey spend 10%, with the range of spend between 5% and 30%.
As set out by Bissell, there is a visible correlation between spend and existing capability.
Background checks
Bissell was visibly astounded that any law firm would hire staff without a background check, which in the legal sector has only recently become common practice.
It is encouraging that all of the law firms that completed the Index undertake personnel background checks.
Multi-factor authentication
Over 75% of the firms that completed the CyLok Index have implemented two-factor authentication, which is an encouraging early result.
Automatic patching
Within CyLok, we ask if software updates and patches are installed automatically.
Bissell, in our roundtable, said: “I sat a dinner in London on a table no different to this with the head of GCHQ, the head of National Cyber Security Centre, the former head of MI5 and MI6 and some other people and we all agreed that most of the attacks we see are still elementary such as systems that are not patched. We better move our mentality from patch when you can to ‘you better patch now’ even at the risk of breaking things.”
In a big shift for the industry, 100% of firms surveyed answered ‘Yes’ to the question above.
A restricted matter/document management function
Pessimistic or ‘need to know’ security – under which access to the document management system is restricted to those involved in a case or transaction is coming, like it or not. However, early indicators point to fewer than a quarter of firms reporting that they have enforced a pessimistic DMS model.
Firms’ main concerns centre on the inability to maintain security and also share knowledge but, speaking in our roundtable, Bissell said: “This also has been solved. McKinsey is superb at knowledge management but protecting client confidentiality.”
Please contact [email protected] for further details