I had a nagging worry that something was wrong with my car, so I finally decided to take it to the dealer.  I couldn’t exactly describe my concern, except there was an intermittent, “funny noise” coming from somewhere in the front end.  An unscrupulous dealer would have taken me down a long path of parts replacement, beginning with tires, then wheels, then tie rods, and on and on, perhaps never fixing the real problem.  Fortunately, my dealer was honest and performed diagnostics, ultimately discovering that the rack and pinion was failing.  The part was under warranty, so the repair cost me nothing and my funny noise is gone.

Was my worry constructive?  Yes.  It also went hand-in-hand with my own risk assessment.  What were the chances that the noise foretold a failure that would cause an accident?   Would I or others be hurt in the accident?  As it turned out, a failure could have been catastrophic.   In this scenario, I could prudently act on my worry because I had a basic understanding and control of the situation.  But it’s not always easy to act on worries—particularly if you don’t understand the issues or potential risks.

It’s reasonable these days for everyone, particularly lawyers, to have a nagging worry about information security.  That’s where independent risk assessment comes in.  Most lawyers know just enough about accounting and finance to help them profitably manage their firms, calling in experts when needed.  The same should be true for information security.  An independent security risk assessment not only identifies risk, it also helps to educate regarding likely threats and vulnerabilities.

What is a security risk assessment?

In the car scenario described above, randomly replacing parts to solve an undefined problem would have been expensive, inefficient, and likely ineffective.  The same is true for applying information security controls.  Randomly applying controls to fix ill-defined problems risks spending too much to fix too little, and may miss the mark entirely.  A security risk assessment clarifies your firm’s security posture by identifying threats and vulnerabilities impacting your systems, prioritizing what should be done, and providing a roadmap for improvement.

A security risk assessment begins by identifying what information requires protection (such as client and confidential firm data), and where it is stored and used.   This first step is not trivial, and the results are often surprising, as it’s easy to forget where important data may be hiding.  Threats—like media failure, hacking, and theft—are identified, and vulnerabilities unique to the firm—like ineffective policies, poor training, or unpatched systems—are assessed.  The process then gathers information regarding the physical, organizational, administrative, and technical controls that are in place.

What is the result?

The result is an actionable written report with practical advice on what controls should be implemented “yesterday,” as well as recommendations on how to prioritize future efforts and spend.  The report should align with pertinent security standards, such as HIPAA, ISO 27001, and the NIST Cybersecurity Framework, and it should provide guidance on how to achieve quick wins.  Beyond serving as written evidence of a firm’s commitment to security, the report also helps law firm partners and managers better understand information security nomenclature and the impact of their decisions.

Why do a security risk assessment?

One of the most common reasons for security risk assessment at law firms is client regulatory compliance, particularly with HIPAA and Gramm-Leach-Bliley.  Increasingly, firms are being asked to respond to client questionnaires regarding their information security practices, and in some cases to attest to the efficacy of their controls.  Perhaps most important is that law firms are trusted advisors to their clients.  They hold confidential, proprietary, and sometimes time-sensitive information on behalf of their clients—information that, if exposed, could irreparably damage not only their clients, but also the firm’s reputation.

So, before your firm spends money on more security software or spends time on untargeted security training, take a step back, look carefully under the hood, and assess where you really stand . . . and what you really need to improve your firm’s data security profile.  You’ll be glad you did.