The International Legal Technology Association (ILTA) and US-headquartered IT infrastructure and security consulting company Conversant Group today (6 June) announced the release of their first benchmarking survey on cybersecurity practices in global law firms.
“Security at Issue: State of Cybersecurity in Law Firms” was targeted specifically at understanding law firms’ cybersecurity controls, tools, practices and assumptions to determine how their cyber defences could be improved.
Key findings from the report include:
- Nearly three-quarters of respondents believed they were more or much more secure than their industry peers; yet the detailed results demonstrated significant security gaps across firms of all sizes.
- Sixty-five percent of responding firms state they have lateral movement defences in place; yet the data did not demonstrate that multi-factor authentication (MFA) was employed as comprehensively as required to constitute lateral movement defences.
- When asked about the top three threats to security, the top response (39%) was user behaviour and a lack of training to prevent this harmful behaviour, rather than any threat actor activity. The data reflected that firms, on average, were not implementing the controls needed to mitigate user risk, controls that would put greater control of that risk in IT’s hands.
- Backups are not viewed as a top security control—at firms’ peril. Only 11% viewed backups as a top control, and only 24% reported having multiple immutable copies of all data to protect against total loss.
- Large to very large firms demonstrate more mature security programs than their smaller peers through established proactive testing, dedicated security staffing, formalized change processes, etc. Yet the report concluded they could still improve their security through a more layered approach across people, process and technology, rather than a focus on compliance.
“The data shows that legal IT staff suffer from both a definitional and paradigm problem,” said John A. Smith, CEO of Conversant Group. “IT leaders understand terms, definitions, and concepts differently, and while no survey instrument can fully capture those nuances, the data shows that there are gaps in understanding what it means to be secure.”
“The key results we see from this survey show clearly that, without policy and procedure, firms are making security optional, left in the hands of users that are not technologically competent or trained enough to know how to be safe in a world that is both ever-changing and harder to innovate in without risk,” said Beth Anne Stuebe, director of publications and press at ILTA.
See the Executive Summary, here.
Full Report Details: https://www.iltanet.org/resources/publications/surveys/security23