Small Family Law Firm concerned about Privacy Breaches
Industry: Family Law
Location: Toronto, Ontario, Canada
Size: 30 employees
Reason: Client wants to ensure their due diligence with regard to Privacy and Cyber Security
Effort: Ongoing 2-4 hours / week
The Story:
The founder of this Family Law Firm has been watching the news over the past several years and has seen many businesses fall prey to Cyber Breaches and Ransomware events. Many of these small companies never recovered from their losses, either financially or reputationally.
Being technically aware, even at their mature age, the founder made the decision to bring in a 3rd party Cyber Security practitioner to assess the firm's ability to protect its clients', employees', and partners' critical data.
The First 30 days:
As this was a relatively small company, both in number of employees and in having a single physical location, the entire Review and Assessment phase was completed inside of two weeks.
We conducted an ISO 27002 maturity assessment to identify what security controls, infrastructure, and practices were currently in place, who was managing them, and what gaps there were, even for a business of this size.
We conducted an internal Network Vulnerability Assessment to identify all network-attached assets and their patch status, and to find any software or operating systems at or beyond end of life.
We conducted a quick Network Penetration Test on their Internet-facing presence, as well as a Web Application scan against the corporate website.
Also see: Why Hackers Target Law Firms!
The Next 60 days:
Aside from the required Privacy Policy on the website, there was no Cyber Security Policy Framework developed for the company. (As is common in companies of this size.)
We created a series of short policy and standards documents to provide guidance to their team, and published them on their Intranet (SharePoint) where they were quite visible.
We created a series of short Security Awareness Articles, and also published them on the Intranet, as well as periodically mailing them out to the employees.
We brought in lunch for the employees, and delivered a fun Security Awareness training workshop.
We started a regular patch management / vulnerability scanning practice.
We also started replacing End of Life Operating Systems and software. (You'd be amazed at how much Windows XP still exists in small business!)
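The two recurring findings above (patch status and end-of-life operating systems) reduce to one check that can be run against every scan export. The following is an added illustrative example, not TeamCISO's tooling or the firm's own data: it parses a constructed asset inventory, flags hosts whose OS is past vendor end of life on the assessment date, and flags hosts not patched within a threshold. The inventory rows, the 60-day threshold, and the assessment date are assumptions; the lifecycle table lists the vendor extended-support end dates for a few Windows releases and should be verified against the vendor's lifecycle pages before use (real support windows also vary by edition and feature-update build, which this table ignores).

```python
"""Flag end-of-life operating systems and stale patching in a small-office
asset inventory. Added illustrative example; inventory rows, threshold and
assessment date are constructed assumptions, not data from the case study."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Vendor extended-support end dates (assumed correct; verify against the
# vendor's lifecycle pages, and note editions/builds can differ).
EOL_DATES = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows 10": date(2025, 10, 14),
}

# Constructed inventory in the shape a scan export might produce:
# ip,hostname,os,last_patched (ISO date, or empty when unknown)
INVENTORY_CSV = """\
192.168.1.10,fileserver,Windows Server 2008 R2,2019-11-02
192.168.1.21,reception-pc,Windows XP,
192.168.1.35,paralegal-3,Windows 10,2021-02-15
192.168.1.36,paralegal-4,Windows 10,2021-03-01
192.168.1.50,printer-hp,Printer firmware,
"""

# Assumed date on which the assessment is being run.
ASSESSMENT_DATE = date(2021, 3, 15)


@dataclass
class Asset:
    ip: str
    hostname: str
    os: str
    last_patched: date | None  # None means the scanner could not tell


def parse_inventory(text: str) -> list[Asset]:
    """Parse the CSV-style export; an empty last_patched field means unknown."""
    assets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, host, os_name, patched = (f.strip() for f in line.split(","))
        assets.append(Asset(ip, host, os_name,
                            date.fromisoformat(patched) if patched else None))
    return assets


def eol_assets(assets: list[Asset], as_of: date) -> list[Asset]:
    """Hosts whose OS is past vendor end of life on the assessment date."""
    return [a for a in assets if a.os in EOL_DATES and EOL_DATES[a.os] <= as_of]


def stale_assets(assets: list[Asset], as_of: date, max_age_days: int = 60) -> list[Asset]:
    """Hosts not patched within the threshold, or whose patch state is unknown.
    Unknown is treated as stale on purpose: an unverified host is not a
    patched host, and in practice it is usually the printer or the old PC
    nobody manages."""
    return [a for a in assets
            if a.last_patched is None or (as_of - a.last_patched).days > max_age_days]


def assessment_report(text: str, as_of: date) -> dict[str, list[str]]:
    """Summarise the two findings as sorted hostname lists."""
    assets = parse_inventory(text)
    return {
        "end_of_life": sorted(a.hostname for a in eol_assets(assets, as_of)),
        "stale_patching": sorted(a.hostname for a in stale_assets(assets, as_of)),
    }


if __name__ == "__main__":
    for finding, hosts in assessment_report(INVENTORY_CSV, ASSESSMENT_DATE).items():
        print(f"{finding}: {', '.join(hosts) or 'none'}")
```

Feeding the real scan export in place of the constructed rows gives the replacement list for the End of Life work and the exception list for the patch cycle; the unmanaged printer surfacing under stale patching is the kind of asset that a flat network makes reachable from every desk.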
Beyond the 90 days:
TeamCISO continues to monitor the Law Firm's corporate network (a flat class C, i.e. a single /24 with no internal segmentation), and provides patching and scanning of the infrastructure on an ongoing basis. We conduct quarterly Security Awareness training, and are on retainer for ad-hoc Cyber Security advice as needed.
Benefit to Client:
Previous Case Studies in this Series:
Case Study #1 - Cellular Communications Provider in Merger & Acquisition
Case Study #2 - Fintech Service Provider requires Interim CISO
Case Study #3 - Software Startup requires Governance on a Budget
Case Study #4 - Wealth Management Firm with Poor MSSP contract
Related news coverage of law firm breaches:
https://fortune.com/2017/06/29/dla-piper-cyber-attack/
https://www.korbitec.ca/2019/11/03/law-firm-data-breaches-part-1/
https://www.caymancompass.com/2017/10/24/appleby-confirms-data-breach/