Five Reasons to Build Your Law Firm’s IT Security Framework on NIST Standards


Law firms are daily targets for cybercrime and targeted data breaches. Criminals are keenly aware that
law firms can be a “back door” to valuable confidential data, such as trade secrets, intellectual property
and financial information related to potential business deals. In fact, 23 percent of law firms reported
that they have been the victim of a data breach at some point, according to the ABA’s 2018 Legal
Technology Survey Report. Meanwhile, corporate clients are ramping up due diligence efforts to ensure their outside law firms are protecting their information with comprehensive information security controls. They also want to be assured their firms can quickly and easily respond to all possible compliance items or requests.

This two-pronged challenge — the need to protect the firm’s IT systems from cybercriminals and the
need to respond to client demands for information security — is a daily battle for any law firm CIO
or CISO. There are a number of compliance standards and data security certifications available to help law firm CIOs develop their IT security posture. These standards, such as ISO 27001 or COBIT, provide
important frameworks for guiding your firm’s IT workflow and instilling confidence in your IT systems
— but they are not as robust or granular regarding overall sound information security. And since each
law firm has its own culture, size, personnel, scope of work and organizational complexity, most firms
typically want to modify their IT processes to meet their unique needs, rather than forcing themselves
into “one size fits all” workflows.

This white paper discusses several reasons why law firms should consider building their IT security
program on the framework laid out in the National Institute of Standards and Technology (NIST)
Cybersecurity Framework. The NIST framework provides law firms with a valuable paradigm for building their IT systems and developing their unique approach to information security.