With significant data breaches and cyberattacks making headlines almost daily, many law firms have realized the need for more effective security measures. Any breach or attack can harm clients and a firm’s reputation, and can also lead to regulatory fines, lawsuits and lost business.
Consistent with many other industries, law firms are looking for guidance when implementing a cybersecurity strategy. However, there is no single defined framework for the entire legal industry. Firms have a variety of established frameworks from which to choose, and knowing which one to select can be a challenge.
This diversity in frameworks is necessary to an extent, as firms vary significantly in size and have many different functions and many different types of data. However, without fully understanding the advantages and disadvantages of each security framework, firms cannot confidently know which one is right for them.
This research paper aims to help correct the inefficiencies and vulnerabilities that often occur when law firms are choosing a cybersecurity framework. RSM surveyed law firms across the country to determine which frameworks firms are currently using and why. Specifically, the document analyzes four common security frameworks for law firms:
- International Organization for Standardization (ISO) 27001/27002
- National Institute of Standards and Technology cybersecurity framework (NIST CSF)
- Center for Internet Security (CIS)
- Payment Card Industry Data Security Standard (PCI DSS)
The data and additional insights included in this report help to determine which framework is the best for different types of firms, making the selection process easier and ultimately improving the security for law firms and clients.