But the National Institute of Standards and Technology (NIST) has small business standards that can amount to self-certification, Simek said. It allows firms to, “assess their infrastructure, and whether they have any weaknesses and whether the assistance of a third-party is needed.”
8. Have clear, effective restrictions on remote access and mobile devices
This can be complicated, Parker said, because, “different practice areas at the same firm sometimes can operate as discrete businesses and it can be hard to mitigate cyber risk. Partners also may opt out of certain cybersecurity protocols.”
This is an area where it is crucial to have a CIO or other executive who oversees and enforces data security, privacy and information governance, including remote access and BYOD.
9. Set systems to capture log data, for forensic purposes if a breach occurs
Simek said the biggest problem in responding to a breach is a lack of log data. “Nobody had the foresight to configure their devices or their systems to capture information on an ongoing basis. That’s a killer for the investigations.”
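Two concrete checks that follow from this advice, as an added example that is not part of the article and not code from Simek or his firm: once logs are forwarded to a central collector, (1) confirm that every host is actually still sending them, so a silent gap is noticed before an incident rather than during the investigation, and (2) chain the retained lines with SHA-256 so that later editing or deletion of evidence is detectable. The host names, the ten-minute gap threshold (assuming a hypothetical five-minute heartbeat cron job on each host) and the log lines themselves are constructed for the example.

```python
"""Log-retention sanity checks for forensics (added example; hypothetical setup).

Assumptions: hosts forward syslog-style lines to a central collector that
prepends an ISO-8601 UTC timestamp; each host runs a five-minute heartbeat
cron job, so more than ten minutes of silence means logging has broken.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input (not real log data).
SAMPLE_LOGS = """\
2023-03-01T08:00:01Z fileserver01 sshd[1201]: Accepted publickey for jsmith from 10.0.4.17 port 51022 ssh2
2023-03-01T08:00:05Z fileserver01 CRON[1210]: (root) CMD (/usr/local/bin/heartbeat)
2023-03-01T08:05:02Z fileserver01 CRON[1290]: (root) CMD (/usr/local/bin/heartbeat)
2023-03-01T08:07:44Z fileserver01 sshd[1302]: Failed password for invalid user admin from 198.51.100.23 port 40211 ssh2
2023-03-01T09:20:00Z fileserver01 CRON[1990]: (root) CMD (/usr/local/bin/heartbeat)
2023-03-01T08:00:03Z docmgmt01 CRON[770]: (root) CMD (/usr/local/bin/heartbeat)
2023-03-01T08:05:03Z docmgmt01 CRON[781]: (root) CMD (/usr/local/bin/heartbeat)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
MAX_GAP = timedelta(minutes=10)   # hypothetical: twice the heartbeat interval
CHAIN_SEED = b"\x00" * 32         # fixed starting value for the hash chain


def parse_line(line):
    """Split one collector line into timestamp (aware UTC), host, process and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"], "raw": line}


def find_coverage_gaps(lines, max_gap=MAX_GAP):
    """Return {host: [(gap_start, gap_end), ...]} for every silence longer than max_gap.

    A host that appears here has stopped logging for a period; if that period
    overlaps an intrusion, the investigator has nothing to work with.
    """
    by_host = {}
    for rec in filter(None, (parse_line(line) for line in lines)):
        by_host.setdefault(rec["host"], []).append(rec["ts"])
    gaps = {}
    for host, stamps in by_host.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_gap:
                gaps.setdefault(host, []).append((earlier, later))
    return gaps


def build_hash_chain(lines, seed=CHAIN_SEED):
    """Link each retained line to the digest of everything retained before it.

    Store the final digest somewhere the logging hosts cannot write (a ticket,
    a separate append-only store). With that anchor, any later edit, reorder
    or deletion inside the retained lines changes every following digest.
    """
    chain, prev = [], seed
    for line in lines:
        digest = hashlib.sha256(prev + line.encode("utf-8")).digest()
        chain.append((line, digest.hex()))
        prev = digest
    return chain


def verify_hash_chain(chain, seed=CHAIN_SEED):
    """Recompute the chain; return the index of the first broken link, or -1 if intact.

    Dropping lines from the *end* of the chain is not caught by this check
    alone; comparing the last digest with the externally stored anchor is.
    """
    prev = seed
    for i, (line, stored_hex) in enumerate(chain):
        digest = hashlib.sha256(prev + line.encode("utf-8")).digest()
        if digest.hex() != stored_hex:
            return i
        prev = digest
    return -1


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for host, gaps in find_coverage_gaps(lines).items():
        for start, end in gaps:
            print(f"{host}: no log lines for {end - start} ({start:%H:%M:%S} to {end:%H:%M:%S} UTC)")
    chain = build_hash_chain(lines)
    print("chain intact:", verify_hash_chain(chain) == -1, "anchor digest:", chain[-1][1][:16], "...")
```

On the constructed input the gap check flags fileserver01, which goes quiet for over an hour right after a failed login from an external address, exactly the window an investigator would need. The hash chain is the cheap version of write-once retention: it does not stop an attacker who already controls the collector from rewriting history, but it makes any rewrite visible as long as the final digest is anchored elsewhere.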
10. Share threat information
According to the Journal, law firms last year formed an information-sharing group to exchange information about cyberthreats and other vulnerabilities. It is modeled after a similar organization for financial institutions.
Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center, which oversees the legal group, said 75 firms have joined the group so far.