Cybersecurity Risk Assessments: The First Step in Securing Your Practice

by Jill Schumacher, Caldwell Boudreaux Lefler PLLC, and Adam Schumacher, CISSP, IT Operations & Security at FlightAware, LLC

To start managing your cybersecurity, perform a risk assessment. In a risk assessment, you attempt to determine the threats you face, where you are vulnerable to those threats, and the impact the threats would have on your practice or organization. Understanding your risks equips you to make informed decisions about where and how you spend your precious resources (time and money) on effective countermeasures.

Step 1: Identify assets and the impact of loss, publication, or alteration of those assets.
Begin by identifying the assets that need to be protected and their value to the firm or organization. Lawyers need to understand the impact if assets are lost, stolen, or damaged. In the practice of law, there are two layers to this question. First, lawyers need to assess the impact of the loss, publication, or alteration of the lawyer’s own assets, including firm information and all work product. Second, lawyers need to assess the impact of the loss, publication, or alteration of a client’s assets that the client has shared with the lawyer. The impact on a client may not be obvious to the lawyer, so it may be helpful to discuss this question with the client. For example, the publication of a client’s sensitive information may have no impact on an appeal, but if the client has a duty to protect that information, the client may suffer in other ways.

There are several categories of assets lawyers, firms, legal organizations, or companies might have, including:
    • Personal information: information about clients, employees, attorneys
    • Physical assets: computers, phones, cars, or buildings
    • Commercial or industrial secrets: patents/trade secrets of clients, all privileged work
    • Social/reputational: trademarks, brand, or customer confidence
    • Digital resources: storage space, processing power, network capacity, etc.
Try to think about all of these categories to get an accurate list of your assets.

Step 2: Identify threats to assets and the likelihood the threats will occur.
After listing your assets and their value, try to enumerate the possible threats to them and the likelihood that each threat will materialize. Although this step can be done with the assistance of an IT or cybersecurity professional, it still requires an understanding of the broader operational context of your practice. There are a few categories of threats to consider when working through this step.

Types of threats to assets include:
    • External, internal, human, or automated hostile attacks
    • Human error due to omission or action (e.g. forgetting to save a document or sending confidential information to the wrong person)
    • Structural failures (e.g. hardware crash)
    • Acts of God (e.g. Hurricane Harvey)

The first, and generally the best-publicized, type of threat is the adversarial one. Equally important, however, are individuals who have or gain access to your assets and are not trying to cause harm, but accidentally lose, publicize, or alter them.

Aside from threats stemming from people, there are various types of environmental and structural issues. These can range from simple hardware failure, power loss, or software glitches to large disasters like hurricanes, earthquakes, or floods.

After identifying possible threats, lawyers must try to understand the likelihood that each specific threat will materialize in order to assess risk. Determining the chances that a threat will materialize is not an exact science. Many of the threats a law firm might face relate specifically to the firm’s clients and work. The size and structure of the firm, the types of clients, and the value of the firm’s assets influence not just the sources of potential threats, but also the odds that they materialize. You may have some sense of the likelihood of specific threats based on information from your clients about past issues or by comparing your firm with similar firms.

Step 3: Identify vulnerabilities and how easy they are to exploit.
Once you have a rough sense of your assets, the range of threats you face, and your best assessment of their relative likelihood of occurring, the next step is to take stock of your vulnerabilities and how easy they are to exploit. Cybersecurity vulnerabilities can come from many places: bugs in software, configuration settings in software, business processes or practices, and even the physical environment. Pare this down by using the inventory of assets and threats from the first two steps to focus on the vulnerabilities that seem most important and relevant to your specific practice.

There are too many vulnerabilities across all types of software for any person to know about all of them, but there are a number of resources that can help. The foremost is the Common Vulnerabilities and Exposures (CVE: https://cve.mitre.org) database maintained by MITRE. It is publicly searchable and one of the main sources of public cybersecurity vulnerability information in the world. The United States Computer Emergency Readiness Team (US-CERT: https://www.us-cert.gov) provides resources about current security incidents, threats, and vulnerabilities, as well as a few publications aimed at individuals who are not already cybersecurity experts.

Not all vulnerabilities are created equal. Some may require sophistication and dedication to exploit, while others may already be mitigated by some other protection. When you are enumerating vulnerabilities, it is also important to assess and understand the impact the vulnerability may have on you or your organization. For example, losing a cell phone may not be catastrophic if the data it contains is encrypted and locked behind a secure password. The National Vulnerability Database (NVD: https://nvd.nist.gov), maintained by the National Institute of Standards and Technology (NIST), takes the published CVE information and adds a score indicating NIST’s assessment of the impact based on a number of standardized criteria. These scores are based on an analysis of the publicly available information at the time the vulnerability is published and may change somewhat as new details emerge. Though they provide a good foundation for assessing the severity of a vulnerability, these scores obviously do not consider any mitigating (or exacerbating) circumstances that may apply to you.

Step 4: Calculate your risk.
To get a sense of your risk level, weigh the importance of the asset against the ease of exploitation and the likelihood of exploitation. To build a risk scorecard, use the following formula: risk equals the relative value of the asset, multiplied by the severity of the vulnerability, multiplied by the likelihood of the threat. Once you have a sense of which assets face the most risk, you can prioritize the places to increase protection and direct your energy to mitigating the vulnerabilities that will have the greatest impact.
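As an added example that is not part of the original article or its authors' material, the following Python builds the Step 4 scorecard over a few constructed sample rows and feeds in the Step 3 severity score as one of its inputs. The scores NVD publishes are CVSS base scores (0.0 to 10.0); everything else here is an assumption made for this example: the 1-to-5 scales for asset value, severity, and likelihood, the mapping of NVD's qualitative bands onto that severity scale, and the sample rows themselves.

```python
from dataclasses import dataclass

# NVD's qualitative bands for CVSS v3 base scores (0.0 to 10.0). Mapping each
# band onto a 1-5 severity level is an assumption made for this example; the
# article's formula only asks for a relative severity, not a specific scale.
CVSS_V3_BANDS = (
    (0.0, 0.0, "None", 1),
    (0.1, 3.9, "Low", 2),
    (4.0, 6.9, "Medium", 3),
    (7.0, 8.9, "High", 4),
    (9.0, 10.0, "Critical", 5),
)


def severity_from_cvss(base_score: float) -> int:
    """Translate a published CVSS v3 base score into the assumed 1-5 severity level."""
    score = round(base_score, 1)  # CVSS scores carry one decimal place
    for low, high, _label, level in CVSS_V3_BANDS:
        if low <= score <= high:
            return level
    raise ValueError(f"CVSS base score out of range: {base_score}")


@dataclass(frozen=True)
class RiskEntry:
    """One scorecard row: an asset, a threat to it, and the vulnerability the threat would use."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: int  # 1 (minor) .. 5 (loss would be catastrophic); assumed scale
    severity: int     # 1 .. 5, e.g. from severity_from_cvss(), or judged by hand
    likelihood: int   # 1 (rare) .. 5 (expected within the year); assumed scale

    def __post_init__(self) -> None:
        # Reject rows outside the agreed scale so a typo cannot distort the ranking.
        for field in ("asset_value", "severity", "likelihood"):
            value = getattr(self, field)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{field} must be an integer from 1 to 5, got {value!r}")

    def risk(self) -> int:
        # The article's Step 4 formula:
        # risk = relative value of asset x severity of vulnerability x likelihood of threat
        return self.asset_value * self.severity * self.likelihood


def rank_risks(entries):
    """Return the entries sorted from highest to lowest risk score."""
    return sorted(entries, key=lambda e: e.risk(), reverse=True)


def scorecard(entries) -> list:
    """Render the ranked entries as plain-text lines, highest risk first."""
    return [f"{e.risk():>3}  {e.asset} / {e.threat} / {e.vulnerability}"
            for e in rank_risks(entries)]


# Constructed sample rows for a small firm; the values and scores are illustrative only.
SAMPLE_ENTRIES = [
    RiskEntry("Document management server", "external attacker", "unpatched flaw, CVSS 9.8",
              asset_value=5, severity=severity_from_cvss(9.8), likelihood=3),
    RiskEntry("Client files on laptop", "theft", "disk not encrypted",
              asset_value=5, severity=5, likelihood=2),
    RiskEntry("Outgoing email", "human error", "no confirmation of recipient",
              asset_value=4, severity=3, likelihood=4),
    RiskEntry("Office servers", "hurricane", "no off-site backup",
              asset_value=5, severity=4, likelihood=1),
    # The article's own illustration: a lost phone is far less severe when encrypted and locked.
    RiskEntry("Client files on phone", "loss", "device encrypted and PIN-locked",
              asset_value=5, severity=1, likelihood=3),
]

if __name__ == "__main__":
    print("\n".join(scorecard(SAMPLE_ENTRIES)))
```

The point of the ranking is the comparison between rows rather than the absolute numbers: the same client files score 50 on an unencrypted laptop and 15 on an encrypted, locked phone, which is exactly the mitigating circumstance the article notes that a published NVD score cannot account for on its own.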

Step 5: Rinse and repeat.
Risks constantly evolve, so you will want to go through this process periodically to ensure you are taking the most prudent steps in securing your cyber assets.

If you are interested in learning more about performing risk assessments, a number of organizations have developed their own processes and resources for formalized risk management and assessment. The National Institute of Standards and Technology (NIST) has its Special Publication SP 800-30, Guide for Conducting Risk Assessments (https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final), which is available for free online. Though it is geared toward large governmental organizations, it provides an excellent reference for anyone. The International Organization for Standardization (ISO) also publishes a number of documents focused on risk management practices (ISO 31000:2018) and risk assessment (ISO/IEC 31010:2009), as well as the ISO 27000 series, which focuses on information security management, though these documents must be purchased from ISO.

After you complete a risk assessment, you have the information you need to take the next steps in improving your cybersecurity defenses. You should have an understanding of which assets are most at risk, the threats they face, and where they are weak against those threats. Depending on the value of your assets and your willingness to accept risk, you can start taking steps to mitigate, eliminate, or simply accept the risk in the vulnerabilities you’ve identified.