You’ve all seen the headlines - big company data breaches, foreign hackers, databases stolen. You can’t make it a day anymore without the next information security headline. It can be scary to some, difficult to understand for many, and it’s the fastest moving target in the business world today. So, what should a firm like yours do about it, considering your size, staffing levels, and overall investment?

First off, you’re not alone in not knowing the answer. So we thought it would be useful to share our experience of what we hear from firms and the mindsets of some of the firms we talk to today:
1. The “Reactives”

These firms are usually small to midsize firms that think they are too small to need to worry about this stuff right now. They aren’t really getting client audits right now, so they “invest” in their security awareness and cybersecurity strategy only when they need to. They might say, “Partners haven’t been pressuring me (or don’t care enough) about it, so I should be able to use that money elsewhere. Right?!”

It’s been our experience that if the bad guys are anything, they are opportunistic. Why spend time trying to break into a harder network or firm when the small firm has just as valuable assets and its security is more lax? The mindset of the smaller firms, since they only have 1 or 2 technical staff, is to have hardware/software solutions fix the problem. We couldn’t disagree more! In any study you come across, the biggest risk to an organization’s security isn’t its technology, it’s its people. That’s why a small firm should focus on raising the firm’s intelligence around cybersecurity and compliance practices rather than thinking it can band-aid the problem with more technology. Change is much easier to make in smaller firms than in larger, more spread out firms.
2. The “Middle of the Roaders”

These firms aren’t necessarily larger but certainly have more awareness around security practices. That said, it doesn’t necessarily mean they are implementing them. These are the firms that have limped along by fighting cybersecurity fires as they come along. We spoke to a firm recently that spent 60 hours completing a client audit for a big customer. The issue with this profile is that they have the knowledge but haven’t developed the overall program and processes they need to begin managing cybersecurity instead of it managing them. They need more strategic thinking and consistent communication around this topic to begin to move the needle.
3. The “Proactives”

Firms that fit this profile have generally been in one or both of the profiles above, but someone in the organization finally had the epiphany to say enough is enough. They spent too much time fighting fires and getting client requests they weren’t ready to handle, and they needed a more overarching plan of training, testing, and ongoing development to really build an effective information security program and, more importantly, culture. They utilize hardware/software tools to help mitigate risk, but it’s only a part of their security investment. They also have buy-in and awareness from the partners about the importance of the issue and how it makes the whole firm more marketable if everyone handles cybersecurity in the same way. Lastly, they have a scalable, flexible strategy that utilizes resources (both internal and external) to keep abreast of the ever-changing cybersecurity landscape.

The fact of the matter is not if but when our firms get breached. The question is: what is the right strategy for your firm to be ready to respond in a timely, confident, and intelligent way when it happens?

This post was originally published for one of our partners in the legal security industry, Traveling Coaches.