A CISO Perspective on Implementing Cyber Resilience for Small to Large Law Firms


In today’s digital landscape, law firms, particularly smaller ones, are prime targets for cyber threats despite regulatory safeguards. Implementing CIS Critical Security Controls is crucial to fortify defenses and safeguard client data.

In today’s digital age, law firms face a daunting challenge: how to safeguard critical client information in the face of ever-evolving cyber threats. These firms are not only custodians of sensitive data but are also bound by stringent laws, regulations, and professional ethics that mandate confidentiality and privilege. Unfortunately, cybercriminals see law firms as lucrative targets, and the frequency of attacks, particularly against smaller firms, is on the rise. In an era where digital presence is inevitable, the legal sector finds itself increasingly targeted by cybercriminals seeking to exploit vulnerabilities in their systems.

For small law firms, the struggle to maintain a secure digital presence is compounded by the fact that most lawyers are not tech-savvy. While they understand the importance of confidentiality and attorney-client privilege, navigating the complexities of cybersecurity—such as network security, endpoint security, web application security, and incident response—can be overwhelming. Often, these firms cannot afford to hire dedicated IT personnel and rely on managed IT services, yet even this investment may not guarantee protection from cyber threats.

Dependent on managed IT services, these firms often discover that hefty contract fees fail to guarantee immunity from cyber threats. Recent incidents, such as the ransomware attack on Sacramento-based law firm Mastagni Holstedt, underscore the grim reality faced by many small firms despite investments in cybersecurity measures. Similarly, large Managed Service Providers (MSPs) like CTS in the UK have fallen victim to data breaches, leaving numerous law firms exposed. The repercussions of such breaches extend beyond financial losses, tarnishing reputations and eroding client trust.


However, despite these challenges, law firms cannot afford to operate without utilizing information technology. In this challenging landscape, adherence to cybersecurity frameworks becomes imperative. Standards like ISO 27001, NIST CSF 2.0, and the Center for Internet Security’s (CIS) 18 Critical Security Controls provide essential guidance for law firms seeking to bolster their cyber resilience. The American Bar Association and the Bar Council of the UK have also issued guidance tailored to legal professionals.

For large law firms with global reach and significant resources, a comprehensive approach, such as ISO 27001 or NIST CSF 2.0, may be appropriate. However, for smaller firms with tighter budgets and timelines, adopting a more targeted framework like CIS Critical Security Controls could be more feasible. The CIS Controls offer a focused set of 18 controls designed to provide effective protection against cyber threats. Moreover, the CIS Controls have been integrated into various state statutes in the United States, providing legal backing to their effectiveness.

In an exclusive interview, Mr. Chirag Arora, a seasoned cybersecurity expert currently serving as the Chief Information Security Officer (CISO) and Cyber Security Executive Advisor at Dorf, Nelson, and Zauderer LLP, headquartered in Rye, NY, sheds light on the importance of cybersecurity measures for law firms. Mr. Arora, a distinguished editorial panel member with the Center for Internet Security, has been an influential figure since joining the panel in 2014. He advocates for the adoption of CIS Controls, particularly among smaller law firms, emphasizing the critical role these controls play in bolstering cyber resilience in today’s digital landscape.

Mr. Arora’s impact on the cybersecurity community transcends his advisory capacities. He is the visionary behind the Controls Self-Assessment Tool, a groundbreaking resource provided by CIS free of charge. This tool, conceived to aid organizations of all sizes, facilitates the implementation of CIS controls, benchmarks performance against industry standards, and fosters collaboration within the cybersecurity realm.

Drawing from his extensive experience in the field, Mr. Arora has conducted numerous CIS control assessments for organizations spanning diverse sectors. According to Mr. Arora, small law firms can derive substantial benefits from adopting a tailored subset of CIS controls, with the CIS Controls Self-Assessment Tool serving as a valuable resource to bolster their cyber resilience.

Recognizing the distinct challenges encountered by smaller to mid-size law firms, Mr. Arora offers a personalized controls approach through his law firm. This bespoke strategy equips these firms with essential defenses to mitigate sophisticated threats, including business email compromise and ransomware attacks.

Mr. Arora’s unwavering commitment to empowering organizations of all sizes underscores his dedication to advancing cybersecurity practices on a global scale.

In conclusion, the journey towards cyber resilience begins with a proactive approach to cybersecurity. By embracing frameworks suited to their scale and needs, law firms, regardless of size, can navigate the complexities of the digital age with confidence and resilience while upholding the principles of confidentiality and attorney-client privilege.
