“Guarding Your Castle: Law Firm Cybersecurity” with Managed Security Service Providers

Managed Security Service Providers

The increased recognition of cyber risk is without doubt a positive development, indicating a much-needed cultural shift for many firms. But the real challenge is in deciding on the right course of action to mitigate the risk and implement an enterprise cybersecurity program.  Effectively dealing with cyber risks requires the most valuable of resources – time, expertise, and money.

So what’s the best path forward?  For many firms, the answer may be a managed security services provider (MSSP). Today’s cyber threat environment is daunting.  The time, expense, and administrative burden of dealing with cybersecurity issues can be overwhelming.  Nevertheless, the issue is not going away any time soon and the risks to law firms, in terms of cost, reputation, business operations, and client relationships, could not be greater.

Many organizations today monitor and manage the security of other companies.  These businesses are referred to as “managed security service providers” (MSSP).  Gartner, a leading technology research and advisory firm, describes an MSSP as a company that “provides outsourced monitoring and management of security devices and systems.”

Research and Markets estimates that the global market for managed security services will grow from $14.32 billion in 2014 to $31.86 billion by 2019, at a Compound Annual Growth Rate (CAGR) of 17.3% from 2014 to 2019.  Most of that growth is expected to come from small businesses as a result of the low-cost, cloud-based deployments and advancements in technology designed by MSSPs to meet the needs of smaller organizations. When properly engaged, the utilization of an MSSP can level the playing field for smaller law firms that may need to meet the same cyber security standards as their much larger counterparts.

Among the services typically provided by an MSSP are:

  • Managed firewall
  • Intrusion detection
  • Virtual private network
  • Vulnerability scanning
  • Anti-virus services
  • Security monitoring
  • Security Information and Event Management (SIEM) (software products and services combined to provide real-time analysis of security alerts generated by applications and network hardware)
  • Security audits
  • Threat detection
  • Best practices consulting
  • Disaster recovery, business continuity, business resilience, backup support
  • Regulatory compliance
  • Risk management
  • Training and education
  • 24/7 help desk support

Potential Benefits of Using an MSSP

The key potential benefits of an MSSP are:

  • Up-to-Date Expertise

Like all modern businesses, today’s law firms must deal with increasingly sophisticated technological advances and networks, as well as a 24/7 workforce that is becoming more mobile.  Lawyers need to work securely and productively, regardless of whether they are in the office, at home, or at an airport.  They require around the clock access to confidential data and files, utilizing any number of devices, such as smartphones, tablets, and laptops.  Keeping up with the cyber security risks created by this dynamic environment, and providing on-demand technical support, creates tremendous challenges for in-house law firm IT teams.

An MSSP can bring up-to-date expertise to its clients.  Its dedicated security professionals usually are highly trained and in a much better position to stay abreast of the latest security trends than in-house personnel.  MSSPs often require their employees to obtain and maintain key cyber security certifications, such as CISSP, CISM and CompTIA’s Security+.  Some MSSPs also encourage team members to pursue advanced credentials to stay ahead of trends and industry best practices.

In contrast, in-house IT teams often have a variety of job responsibilities in addition to cybersecurity, creating a dynamic in which their time is split between managing IT and security issues.  As a result, cybersecurity knowledge can begin to lag.

MSSPs usually employ teams of professionals with expertise across core areas such as perimeter and application security, vulnerability scanning, threat detection and compliance monitoring. Ideally, they will have years of experience in key positions such as security analyst, security engineer, and penetration tester. When a group of professionals bring their collective years of experience to an MSSP team, the whole is definitely greater than the sum of its parts. This increases the odds that the MSSP has experience in dealing with a wide range of cyber security issues and current threats. Utilizing an MSSP also gives internal personnel the opportunity to collaborate with teams of skilled cybersecurity professionals on a daily basis.

Utilization of an MSSP also eliminates the difficult task of hiring and retaining in-house cybersecurity personnel.  According to Cybersecurity Ventures, there will be 3.5 million unfilled positions in information security by 2021, up from roughly 1 million in 2014.  To state the obvious, competing for qualified personnel — who will stay with the firm for the long haul — is an increasingly difficult challenge for any law firm.

  • Proactive Approach

MSSPs that use cloud-based infrastructure to deliver services have the agility, flexibility, and resilient infrastructure needed to cost-effectively manage hundreds or thousands of clients at once. They also have the ability to be extremely proactive on behalf of their clients.  For example, if a new zero-day threat is discovered at one client site, the MSSP can quickly apply the appropriate patches or remedies across its entire client base.  In-house teams often have to wait until the threat is publicized, which may be too late. The infrastructure utilized by many MSSPs also puts them in a better position to support firms with multiple offices in various geographical locations.

  • Unified Solution

Today’s cyber threats arise from numerous phenomena, including mobility, Bring Your Own Device (BYOD), and increased connectivity via the Internet of Things (IoT). The number and variety of threats have led many law firms to outsource the management of the related cyber security risks to specialized third-party service providers. But retaining and supervising a patchwork of vendors can be inefficient and create an ongoing administrative burden. A single MSSP, however, can provide a single, unified solution to the plethora of risks associated with modern law firm practice. The MSSP can also provide a central hub for security best practices and technology expertise.

  • Cost Savings

To be sure, cyber security is not inexpensive, whether run internally or externally. But because MSSPs are able to spread the costs associated with analysts, security appliances, applications, and facilities across their entire customer base, significant cost savings are likely to be achieved for clients.  A proactive service provided by an MSSP also may save the firm from costs arising from a cyber incident that could have been prevented. And by moving from the somewhat variable and reactive IT costs of running cyber security internally to predictable, set monthly costs, firms may be better able to budget and plan their cyber security spend.

This does not mean, however, that all MSSP services will be contained in their monthly fee.  Additional charges may be incurred to deal with a security incident, system upgrade, or a change in the firm’s network environment, such as through the acquisition of another firm.

Utilizing an MSSP also can result in significantly reduced costs for infrastructure, operations, administration and personnel. Law firms can eliminate many up-front capital expense investments, perpetual license fees, and staffing costs by outsourcing to an MSSP.

The decision to retain an MSSP should not be based entirely on cost, but it would deny reality to imply that costs are not a significant factor to be considered when making that decision.  A carefully thought-out analysis, comparing the costs of providing cyber security services in-house, through a patchwork of internal resources and external vendors or through an MSSP, should be a mandatory part of the decision-making process.

Below, we provide a proposed worksheet that law firms can use to conduct an MSSP cost-benefit analysis. For a more valuable comparison, we recommend that firms compile costs over a two- or three-year time period.

MSSP Cost Worksheet

Infrastructure                   | Internal Cost | Supporting Vendor Cost | MSSP Cost
---------------------------------+---------------+------------------------+----------
Servers                          |               |                        |
Database administration          |               |                        |
Backup software                  |               |                        |
Anti-virus & Anti-malware tools  |               |                        |
Power                            |               |                        |
Facilities                       |               |                        |

Operational / Administrative     | Internal Costs | Supporting Vendor Costs | MSSP Cost
---------------------------------+----------------+-------------------------+----------
Network                          |                |                         |
Systems                          |                |                         |

Staffing                         | Internal Costs | Supporting Vendor Costs | MSSP Cost
---------------------------------+----------------+-------------------------+----------
Salaries                         |                |                         |
Staffing fees                    |                |                         |
Overhead                         |                |                         |

Selecting an MSSP

It is important to conduct thorough and rigorous due diligence when selecting an MSSP.  After all, the firm’s reputation and client relationships may well depend on how well the MSSP can do its job.  It is important to look not just for a qualified and competent MSSP; working with an MSSP is a collaborative effort with the law firm, so a good culture fit is also critical.

Here are some important issues to discuss with any MSSP under consideration:

  • The MSSP should provide the full suite of cyber security services desired by the firm. (It’s important for the law firm to identify these in advance.) In addition, look for an MSSP with a deep and well-credentialed bench and 24/7 support.  And since some MSSPs partner with other companies to provide a more comprehensive set of service offerings, firms should inquire as to how those partners were vetted and ensure that ultimate responsibility rests with the MSSP itself.
  • Delve into their real-world experience. In addition to looking for an MSSP with deep expertise in all things cyber, we recommend seeking an MSSP that has substantial experience working specifically with law firms. In order to provide the most appropriate solutions, the MSSP must fully understand the law firm business model. Be sure to dive deeply into the work the MSSP has done in the legal sector and to ask for — and check — references. Inquire not only about the MSSP’s competence, but also ask about its responsiveness, employee turnover, ability to stay within budget, etc.  We also encourage firms to proactively seek MSSP recommendations from other law firms.
  • The MSSP also should have a thorough knowledge of data privacy and security regulations of concern to the law firm. Some MSSPs have cloud offerings that are PCI and HIPAA compliant. The MSSP should be able to assist with analyzing security needs for data retention, disclosure and access, as well as reviewing the surrounding infrastructure and employee practices. The MSSP should collaborate with the firm to implement appropriate controls to safeguard protected information in a compliant fashion.
  • Question how the MSSP will work with the law firm’s existing systems. Firms should not find out after-the-fact that the MSSP does not have the expertise to provide support to those systems.
  • Ask whether the MSSP is willing to sign a service level agreement (SLA) that includes a seamless exit strategy.  Will it agree to purchase cyber insurance that protects the law firm?
  • Review their policies and procedures to ensure that they’re well documented, organized, and clear.
  • Discuss what type of reporting will be provided to the firm.  How often will reports be received (e.g., monthly vs. quarterly) and what information will be included?  Are the reports customizable to the needs and desires of the law firm?
  • Ask about the MSSP’s flexibility to cut back on services that prove to be underutilized and to scale up in the event of a change in the law firm environment, such as through an acquisition.
  • Inquire as to how incidents are handled.  Does the firm prefer initial handling by low-level personnel or by senior managers?
  • Ask for copies of third-party evaluations, risk assessments, and audits. Consider touring their facilities.
  • To avoid conflict issues, ensure that the MSSP is vendor-neutral.
  • Ask whether the MSSP runs background checks on its employees.  This is important because the MSSP likely will be entrusted with highly confidential and protected information.
  • How long are system log files maintained?  How much log file storage is offered?
  • Ask for a time estimate to be up and running if you decide to retain the MSSP.
  • What services are included in the monthly fee?  What are the fees associated with additional services?
  • What contract lengths are offered?  Are there discounts associated with any particular contract lengths?
  • What is the dispute resolution process?
  • Does the MSSP appoint a single account manager who is responsible for its relationship with the law firm?  This can be especially important if the MSSP partners with other vendors to service the law firm account.
  • Will the MSSP contractually agree to provide timely notice of a security incident?

HELPFUL RESOURCES

Resources that may be particularly useful include:

Jill D. Rhodes and Robert S. Litt, eds., The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Second Edition, https://shop.americanbar.org/eBus/Store/ProductDetails.aspx?productId=280127783.

Sharon D. Nelson & John W. Simek, “Finding a Good Cybersecurity Company,” Law Practice, Nov.-Dec. 2016 at 24-25, http://www.mazdigital.com/webreader/43952?page=26.

Sharon D. Nelson, David G. Ries, & John W. Simek, Locked Down: Information Security for Lawyers, American Bar Assn., Sept. 2012, https://shop.americanbar.org/eBus/Store/ProductDetails.aspx?productId=238368703.

Sharon D. Nelson & John W. Simek, “Technology: 25 Tips to Prevent Law Firm Data Breaches,” Wisconsin Lawyer, Vol. 85, No. 11, Nov. 2012, http://www.wisbar.org/NewsPublications/WisconsinLawyer/Pages/Article.aspx?Volume=85&Issue=11&ArticleID=10212.


Judy Selby

I bring 25 years of insurance coverage litigation experience on behalf of insurers and corporate policyholders to my insurance consulting work. I have a particular expertise in cyber insurance and coverage under various policy forms for today’s emerging risks. I provide coverage evaluation, policy negotiation, gap analysis, and SOC audit support services to companies across multiple industries, bringing greater clarity and certainty to their insurance programs. I also provide expert witness and litigation consulting services in coverage disputes, insurance due diligence, private equity advisory services, and data protection and privacy regulatory compliance consulting.


Jody R. Westby

Ms. Westby is CEO of Global Cyber Risk and provides consulting services in the areas of privacy, security, cybercrime, and cyber governance. She is a professional blogger for Forbes and also serves as Adjunct Professor at Georgia Institute of Technology’s School of Computer Science. She authors a regular column for Leader’s Edge magazine, published by the Council of Insurance Agents and Brokers. Ms. Westby co-chairs the American Bar Association’s Privacy & Computer Crime Committee and its Cybercrime Committee. Her firm is a strategic partner of leading insurance brokerages and law firms. Ms. Westby performs risk assessments of cybersecurity programs, develops robust incident response plans, advises boards and senior executives on the governance of cybersecurity, and performs data mapping and digital asset inventories. Ms. Westby speaks globally and is the author of several books and articles on cybersecurity, cyber conflict, and enterprise security programs. She graduated magna cum laude from Georgetown University Law School and is a member of the Order of the Coif, American Bar Foundation, and Cosmos Club.