How to pass a client security audit

Given the supply chain risks, it’s essential to audit your professional advisors. I’d go further than a ‘security’ audit though and extend this into a privacy audit as well. You need to know what data your suppliers have both about your business and your clients…:

Cyber-crime is becoming an ever more frequent and sophisticated threat to law firms. At the same time regulatory compliance is becoming tougher, the penalties for non-compliance are escalating, and clients are insisting on exceptional security standards.

A recent study by Briefing magazine showed that 72% of law firms are seeing an increase in security audit requests from both existing and new clients, indicating a huge impact on firms’ ability to win new client business if they fail to meet expected standards.

In this challenging, constantly evolving threat landscape, law firms are quite rightly seeking expert help with their data security.

Security matters more than ever for every practice area

Law firms working with corporate clients in the most sensitive and highly regulated fields need no prompting to prioritise data security – their clients insist that they demonstrate the highest standards. These law firms are now investing in security and marketing their capabilities as a competitive differentiator.

Firms dealing with high net-worth private clients also need to be increasingly security conscious, because their data is likely to be particularly sensitive and large sums of money are at stake.

Conveyancing firms need to up their security game too, because conveyancing panel managers now have to comply with stringent standards set by banks and other mortgage lenders.

Asking the right questions

A cyber-security audit used to be almost entirely focused on compliance and consisted of around 10 questions, perhaps even fewer.

Attacks are now far more sophisticated and law firms are placing more trust and, critically, more of their client data in cloud-based systems. Due to the amount of sensitive information and the large sums of money at stake, a modern audit digs much deeper to ensure security.

Clients are now better informed about how their data should be protected, so audit questions have become more specific and technical requirements more demanding.

To succeed, a firm will have to demonstrate capabilities such as:

  • Immediate logging of security events to a central location;
  • The ability to provide user IDs, dates, times and details for each security event, as well as device identity and location, network addresses and protocols; and
  • Remediation of threats before they affect day-to-day operations.
