Are You Audit Ready? Strategies, Tools, and Tactics to Address Compliance Concerns in the Legal Industry
While formal audits are pretty rare, every client is concerned about the security of their law firms.
What is a cybersecurity audit anyway?
If you’ve read the headlines, you know that this has been a banner year for security breaches targeting law firms. The trends in 2016 are up and to the right, and they don’t look like they’re abating. Even the FBI has notified law firms that they’re being targeted and their information security processes need to be tight.
Clients recognize this as well and are increasingly holding firms accountable. As the American Bar Association reports, “Previously, some clients wanted to see law firm security policies. Some have allowed law firms to effectively audit themselves. Today, clients want to see if security policies and plans are actually being followed. And they want independent third-party audits, sometimes including penetration testing.”
Audits can take a variety of forms, and they’re rarely consistent. There is no single format or framework for client requests. They can take the form of a simple questionnaire or a formal assessment validated by a third party. But each client will have their own version, and without a thorough and structured set of materials, responding to requests can be costly and time consuming.
Use a standard framework for preparing your response
There isn’t an ISO standard for client requests, so be prepared to deal with varying types of information requests. But there are useful frameworks that can help a firm build a comprehensive set of practices and prepare response materials. The National Institute of Standards and Technology (NIST) publishes a number of tools for designing and maintaining your policies. Effective cybersecurity is a daunting challenge, but the NIST Cybersecurity Framework organizes it into five core functions: Identify, Protect, Detect, Respond, and Recover. Each function is broken into categories and subcategories that cover a wide spectrum of practices, from acceptable-use policies for employees to risk assessment procedures, and a firm that maps its controls to these subcategories can answer most client questionnaires from one set of materials.
Streamline your response with cloud-delivered services
In addition to the leverage gained from a standard framework, firms have access to a wide range of solutions to help them manage their infrastructure. Many of these solutions can be delivered via the cloud, freeing firms from the increased burden of customer-premise equipment.
Managing compliance to stated policies, assessing gaps and generating reports requires dedicated tools. Governance, Risk Management, and Compliance (GRC) software can help consolidate an organization’s approach to a cohesive cybersecurity state by automating the data collection process. Several vendors deliver cloud-based GRC suites which improve collaboration, data consolidation, versioning, and long term storage.
Understanding the state of your compute environment typically requires strict inventory and change management procedures. Even with tight processes, machines can drift out of date, miss patches, or be exposed to targeted vulnerabilities. Invest in an IT risk assessment platform to track IT assets, monitor change, and identify poorly configured or vulnerable devices. Many of these services integrate threat feeds and flag the parts of your infrastructure that are exposed to specific, actively exploited vulnerabilities.
Cloud-based penetration testing services started out with a purely technical security focus. They have since grown into suites of compliance-oriented reporting services, some of which also give oversight of what classes of data can enter or exit your network. Cloud-based testing frameworks can conduct outside-in assessments on a recurring basis and alert teams to issues without having to dedicate firm IT resources to running the tests. A recurring external assessment is also the kind of evidence a client asking for third-party validation expects to see.
Employee education and competence testing can be outsourced as well. Vendors provide cybersecurity awareness content, user testing, and even live-fire phishing and hacking scenarios that help make firm personnel as resilient as the firm’s infrastructure.
Reduce your exposure by outsourcing your attack surface area
Now that you’ve prepared for the audit and you’ve streamlined your responses, turn your attention to reducing your exposure. One low-hanging-fruit opportunity is your organization’s most exposed application: the browser on the user’s desktop.
Every time a user views a page, the browser downloads a wide range of static and active content, including scripts from third parties the user never chose to trust, in order to render the page. As long as that arbitrary code enters your environment and executes locally, your resources are at risk. Firms struggle to keep firewalls, content filtering solutions, and endpoint security up to date against the latest threats, and browser-borne exploits continue to increase.
Consider running the browser on a remote, virtual infrastructure that isolates third-party code from your network. These solutions, often referred to as “remote browsers,” differ from locally running browsers because they prevent any web code from entering your network in the first place. Instead, remote browsers execute all web code externally and deliver only a remote display stream or filtered, sanitized content to the user’s device. They can also improve employee productivity by allowing access to sites that audits may otherwise restrict, such as social media, personal email, and some work-related websites. Note that isolation does not replace the other controls above: downloads, credentials typed into phishing pages, and clipboard contents still cross the boundary and need their own policies.
Editor's Note: Scott Petry is the co-founder and CEO of Authentic8, a service designed to insulate users’ computers from all forms of web-borne threats.