How can lawyers find cybersecurity solutions that work for them?
As this yearlong series has already covered, lawyers and law firms are sitting on valuable information that could be worth billions to cybercriminals. Additionally, this country loses hundreds of billions annually due to stolen intellectual property.
With so much money at stake, perhaps it’s little wonder that the cybersecurity industry is one of the fastest growing in the world. For instance, research firm MarketsandMarkets projects that the worldwide cybersecurity sector will be worth over $230 billion by 2022. Another company, Crystal Market Research, had a less optimistic projection but still forecast a $173.57 billion cybersecurity market by 2022. As for this year, Gartner Inc. predicts that spending on cybersecurity will reach $96.3 billion, an 8 percent increase from last year.
Luckily, lawyers don’t have to break the bank if they wish to be protected. But that doesn’t mean they can afford to be cheap.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
“It’s certainly worth it for everybody in a company or a firm to have the most up-to-date firewalls and anti-virus software. That’s just a cost of doing business, but cybersecurity doesn’t end there,” says Eric B. Levine, an attorney specializing in privacy issues and a shareholder at Lindabury, McCormick, Estabrook & Cooper in Westfield, New Jersey. “Every company and every law firm has to do a cost-benefit analysis about making investments in cybersecurity.”
The cost for a vulnerability assessment varies. Privacy Ref, a cybersecurity consulting company in Delray Beach, Florida, for example, will run a vulnerability assessment for about $30,000 and then, depending upon the remediation needed, will address privacy issues for either a fixed price or on an hourly basis. Levine’s law firm charges a negotiable fixed rate for overseeing and managing the vulnerability assessment. In addition, there’s a fee from the vendor performing the technical assessment.
“The more complex your computer system is, the more it’s going to cost from the technical side,” says Levine.
Law firms are increasingly getting involved in the vulnerability assessments because, as Levine puts it, the results can then be “cloaked in privilege.”
“You want to do a vulnerability assessment, but you also want to avoid having that assessment used against you in court,” says Levine. “You want to at least have the argument that the results are part of attorney-client privilege.”
Once a firm has learned its vulnerabilities, it may then use the same company or hire a different consultant or outside company to help establish a cybersecurity plan and assist with ongoing security needs, such as employee training in best practices for maintaining data protection.
Law firms are going to have to do their due diligence when it comes to finding cybersecurity services and products that meet their needs, says Jody Westby, CEO of Global Cyber Risk in Washington, D.C.
“You don’t want to pay for something that can’t give you the right service, and you don’t want to pay a company that doesn’t understand your industry and can’t meet your needs,” Westby says. “You have to take a step back and really think about what you are doing and what services and products you need and who can best provide that.”
Cybersecurity experts say law firms should take the additional step of hiring security companies to examine outside vendors for potential data security issues. In addition, firms may want to hire an outside contractor to continuously monitor the firm’s network.
“One thing to consider is what are the capabilities of your internal staff and what is the most cost-effective way to supplement them,” says Westby.
This article was published in the May 2018 issue of the ABA Journal with the title "Big Business: With so much money at stake, it’s no surprise that cybersecurity is a rapidly growing industry—so how can lawyers find what works for them?"