Stepping Up Security in the Legal Industry

By the time you finish reading this blog, at least three successful cyberattacks will have happened, and an unknown number will have been attempted. Around the world, a data breach happens every 39 seconds – across all industries and impacting individuals as well. While these numbers reflect worldwide cybercrime, the threat is still hitting close to home. According to a study last year by the American Bar Association, 29% of U.S. law firms reported a data security breach. An additional 21% didn’t know whether they had experienced a security breach.

At Gulfstream Legal Group, we take data security extremely seriously. It is an absolute must since we are handling very sensitive information on behalf of our clients (read about our security practices here). Not long ago, though, we realized we could be doing more. So we took steps to increase our security practices, and we want to encourage our law firm and corporate legal department clients to do the same. Beyond complex passwords and basic security hygiene like locking devices, there are many additional, easy-to-implement steps you can take to increase your security posture.

Here are four things we are working to improve at Gulfstream to ensure our network and data are protected and secure. We recommend our clients make these improvements, too, and offer you some ideas on how to make them happen:

Identify Your Security Team

  • Who is a part of the team?
  • Who is the leader or responsible individual?
  • How often will the team meet?
  • What will occur during team meetings?

At Gulfstream, we’ve established a security team of four full-time staff representing their respective departments, including one outside consultant. The group will be led by an employee of Gulfstream, who will coordinate tasks, manage team communication, track and report project progress and monitor all security related incidents/traffic. We will be meeting several times a year. During those meetings, we’ll review security practices, review and recommend changes and updates to our policies and update documentation.

Create Security Forms and Policies

  • What forms and policies are needed? Required?
  • How often do forms and policies need to be reviewed?
  • Where will you store them?
  • How do employees access them?
  • How do you notify all users of any changes?
  • How to you track and manage employee acceptance?
  • How do you monitor and manage compliance?

The Gulfstream team has set up a Microsoft Teams site for all of our security forms and policies and has granted access to all employees. Employees will be required to acknowledge receipt of the documents and acceptance of all new policies no later than November 30.

Implement Security Awareness Training

  • How will you perform security awareness training?
  • What subject will you focus on during the training?
  • Do all employees receive the same training or are there select special groups with different training needs?
  • How long will employees have to complete training?
  • Will training be required on a recurring basis?

This year, Gulfstream will be contracting with a security training company that will supply an online training app to our employees. The training sessions will cover email spoofing, ransomware, strong passwords, safe web browsing and much more.

Assess Third-Party Risk

  • What will qualify a vendor as needing to complete a third-party risk assessment?
  • What vendors will complete an assessment?
  • What types of risks will you evaluate, such as data, location, people, devices, compliance and/or financial?
  • How long will you give vendors to reply?
  • How will you evaluate, grade and categorize replies?
  • What evaluation categories will be flagged for mitigation and monitoring?
  • How will you mitigate and monitor your flagged categories?
  • How often will you require vendors to complete/update a risk assessment?

Going forward, all vendors that store, touch or have access to a location where Gulfstream data is stored will be required to complete a risk assessment form. A rating system will help us standardize and evaluate responses. The security team will convene to review and grade responses, identify risk and create mitigation plans for areas deemed medium or high risk. We will assess every third-party vendor on a regular basis.

Maintaining a secure environment starts with the individual employee. Policies and training go a long way to protect against cyberattacks. Our new training plus additional cybersecurity policies provides the framework to govern our use of company technology assets and resources and those of our clients. We encourage our clients to evaluate their security practices now – before they become victim to the next cybercriminal.

Additional Resources:
The FBI’s National Cyber Investigative Joint Task Force has recommendations for protecting your data and identifying and combating cybercrime:

The National Institute of Standards and Technology has a wealth of resources on cybersecurity, including frameworks for cybersecurity, privacy and risk management:

The Cybersecurity and Infrastructure Security Agency has additional information, including incident response, training and much more:

Tech Jury cites interesting data security statistics: