eDiscovery Daily Blog
This Study Says Two-Thirds of Law Firms Still Have No Staff Devoted to Information Security: eDiscovery Trends
Not surprisingly, a major “hot” topic at ILTACON earlier this month was cybersecurity. Stories about data hacks are abundant, with recent notable hacks including this one and this one, and you may not even know if the law firm holding your data has ever suffered a breach. A new study, introduced at ILTACON earlier this month, aims to shed light on security assessment practices of legal organizations in North America.
The 2015 Study of the Legal Industry’s Information Security Assessment Practices was developed by Digital Defense Inc. (DDI), in collaboration with ILTA’s LegalSEC Steering Committee. It aims to help law firms evaluate their individual information security practices, as well as to examine the state of security in the legal profession as a whole.
There were over 150 participants in the study, with Chief Information Officers and IT Managers collectively accounting for 63% of those participants. Of the firms that participated, 83% identified the top area of practice as Litigation, followed closely by Corporate, Labor & Employment, and Real Estate, all over 70%.
Some key findings of the report include:
- 66% of organizations surveyed have no staff devoted to Information Security;
- Employee Negligence and Phishing/Vishing Attacks rank as the highest information security concerns within firms;
- Many organizations are taking steps to combat employee negligence, with 78% providing Information Security training for employees;
- Approximately 70% of respondents conduct Vulnerability Scanning assessments and Penetration tests, a significant increase (15-20%) from 2014;
- However, 63% of respondents do not have a Vendor Management Evaluation process in place.
The 24-page study includes: 1) a breakdown of participants (in terms of title, practice areas, firm size and geographic representation), 2) information on firms’ information security programs (including strategy, budget allocations and resource management), 3) information security concerns and products/services used to address those concerns, 4) information security standards, policies and training programs and even 5) a glossary of terms (do you know what “vishing” is? I didn’t).
So, what do you think? Are you surprised by any of the study results? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
CloudNine empowers legal, information technology, and business professionals with eDiscovery automation software and professional services that simplify litigation, investigations, and audits for law firms and corporations.