Best Practices for Cybersecurity Audits for Law Firms

by Brad Garland

From Westlaw to Word, your law firm’s digital operations help advance client interests. While you work to protect your clients in the courtroom, clients are increasingly asking whether you also protect their data in the cyber arena. Law firm data presents a lucrative target: attackers often view law firms as “one-stop shops” holding sensitive information on multiple clients. As news of the latest data breach continuously captures headlines, law firms and their clients want assurance that data protection policies and procedures exist and, more importantly, are being followed. Organizations ranging from government entities to Fortune 100 companies are looking to see that an independent third party has recently completed a cybersecurity audit before engaging in legal or business transactions.

What should my firm and my clients expect in a cybersecurity audit?

The answer partially depends on who the client is: a business client in the financial services industry? A government agency (FTC, OCR, etc.) tasked with a post-breach audit? Or a corporate legal department? Regardless of the client, law firms and clients alike can generally expect a thorough review based on an agreed-upon ruleset (ISO, NIST, FFIEC, HITECH). The chosen regulation’s requirements will be compared against your firm’s existing data protection policies and procedures. Gaps, meaning areas where your firm does not meet the regulation’s requirements, are located and documented for further review. You can also expect pre-audit requests for various documents, which help the auditor gain a broad understanding of your firm’s security posture.

Cybersecurity audits usually involve a self-assessment questionnaire or survey combined with interviews, either on-site or off-site. Questionnaires may be delivered in a variety of formats, including spreadsheets, PDFs, or online forms. Interviews, calls, and on-site reviews allow the auditor to gain a deeper understanding of your organization and to clarify answers given in the questionnaire. It is important to alert key members of your organization to an upcoming audit, as the auditor may interview staff from different departments, such as HR and IT. After interviews have concluded, the auditor will explain where any gaps lie within your organization, as well as any risks, technical or regulatory, that increase your exposure.

How should I prepare my firm and my clients for a cybersecurity audit?

Preparing for an audit requires understanding both the regulations an organization is attempting to comply with and the organization’s internal operations and personnel. Organizations that understand what kind of data they possess, especially sensitive data, and where that data is stored, can better protect their data from cybersecurity threats.

Law firms can gain a broad understanding of the security landscape by tracking where audit requests are coming from and from which practice area(s). If requests are isolated to one industry, for example, an auditor may build a due diligence program for that specific practice area. Requests arriving from multiple practice areas may be best addressed by establishing a broad-based due diligence packet, with customizable options for specific industries.

Can Vala Secure help my organization conduct cybersecurity audits?

If your firm or client needs a cybersecurity audit in order to comply with a specific regulatory framework, we can help. At Vala, we can set up a one-time project to locate any gaps between the regulation and your organization’s policies and procedures. We can discuss these gaps and weigh the risks they represent as they relate to your particular industry and organization. For organizations with frequent audit requests, you can leverage our Virtual Information Security Officer (VISO) service. A VISO ensures that you have someone on your side who can handle all aspects of a cybersecurity audit, from filling out questionnaires to answering calls for interviews. At Vala we can guide you through a cybersecurity audit; contact us to schedule a call. We’re here to help.