By Nell Gluckman, From The Am Law Daily

Whether it’s to steal intellectual property, information on pending mergers or the credentials to bank accounts, cybersecurity consultants say that foreign governments and organized criminal groups are after the data stored inside many large law firms.

The American Bar Association estimates that 80 percent of the 100 largest firms in the U.S. have been breached, while a survey of members of the International Legal Technology Association released last week showed that for the first time ever, security management is viewed as the biggest challenge facing legal IT departments.

What should law firms be doing about this threat? Cybersecurity consultants spoke with The Am Law Daily about how the most cautious firms are protecting their clients’ data from hackers and what they’re spending.

Larry Ponemon, who runs his own research institute and consultancy on privacy and data protection, said there are four key people that firms with 500 lawyers or more should have on staff.

The first is a chief information security officer who oversees cybersecurity. This person should not report to a chief information officer, but to an executive body, Ponemon said. Security technology isn’t going to yield the kind of return on investment CIOs are looking for, so they’re likely to stop cybersecurity advocates in their tracks.

The second important staff member would be “someone who is a regulatory policy wonk,” Ponemon said. This person should understand data protection laws in all the countries a law firm works in.

The third individual is a security architect who makes sure that the technology a law firm is using to protect itself is built properly and is working according to plan.

Finally, large law firms should have a forensics expert on staff who can figure out how to stop the bleeding when a breach occurs, said Ponemon. He added that the more ambitious firms will also have someone on staff who is involved in training lawyers and staff members to operate more cautiously when dealing with data, email and their portable devices.

“Law firms have a unique role in data protection,” Ponemon said. “They have the ability to discover and collect as much information as they need to when trying a case.”

He estimated that about 10 percent of major law firms have a well-defined security program that looks something like what he recommends. He added that those firms spend between $3 million and $5 million per year on cybersecurity.

Last week, Chase Cost Management released a survey that said spending on information security at Am Law 200 firms rarely exceeds 1.9 percent of gross revenue, as noted by sibling publication LegalTech News. Half the CIOs who responded to the CCM survey said they felt their firm wasn’t spending enough.

But there are some steps that law firms can take that don’t cost anything, said Charles Carmakal, a vice president in the forensics division at FireEye, the IT security company that raised $303.6 million in an initial public offering in 2013 and remains on the hunt for acquisitions in the cybersecurity space. (LegalTech News reports that Mandiant, a division of FireEye, has found that 80 of the 100 largest U.S. firms have been hacked since 2011.)

A mistake that Carmakal sees a lot of firms make is using the same administrative password across all their systems. Another common issue is that senior attorneys often will open any attachment they receive, he said.

“Every attorney wants new business, so if they get an email from a prospective client, there’s no reason they wouldn’t click on a link,” Carmakal said. (A report released last month by Verizon showed that members of the company’s in-house legal department were most likely to click on phishing emails and links.)

Carmakal said that taking steps to limit the level of access that employees have to their own systems, while unpopular at most firms because it slows down work flow, is another way to reduce risk that costs only time. He added that there are free programs available that will prevent unauthorized applications from running.

When law firms do experience a breach, they call people such as Carmakal to respond. The costs that ensue can dwarf those that would have prevented a breach, he said.

“It’s not uncommon for it to be in the millions, and it could be in the tens of millions,” said Carmakal about the costs incurred by clients seeking to deal with an incident. “It depends on the situation.”

A handful of CIOs at Am Law 100 firms did not respond to interview requests about what their firms are doing to protect themselves from cyberthreats.

Daniel Garrie, co-head of the cybersecurity practice at New York’s Zeichner Ellman & Krause, works with law firms and banks on privacy protection. He said it’s not always the top-tier firms that have the best systems in place.

“The irony is, it’s not a matter of how good your law firm is, it’s about how strong your technology resources are,” Garrie said. Earlier this year he co-authored a cybersecurity column for sibling publication Corporate Counsel riffing on an episode of CBS’ “The Good Wife,” where a fictional law firm is faced with a cybsecurity threat ordering it to pay $50,000 or face the deletion of all its electronic client files.

IMAGE Credit: Mathias Rosenthal/Fotolia

For more on this story go to: http://www.americanlawyer.com/id=1202736310149/How-Much-Should-Firms-Pay-to-Protect-Themselves-From-Hackers#ixzz3kgcMgXBB