How Much Should Law Firms Spend on IT Security?

If you came across an article we recently posted about the top cybersecurity threats to law firms, you may have seen some rather disconcerting results from a 2013 ILTA survey. Take a look:

  • 76% of law firms surveyed did not require two-factor authentication
  • 72% did not issue encrypted USB drives
  • 64% did not automatically encrypt content-based emails
  • 56% did not encrypt laptops
  • 90% did not employ any laptop tracking technology
  • 64% had no intrusion prevention tools in place

In the legal space, ethics dictates that client data is sacred, yet—ironically—firms are too often taking insufficient measures to actually protect this data.

So, what kind of investment is it going to take to shore up your firm’s security and to keep your data secure on an ongoing basis? This is a question we’ve gotten over and over again from our law firm clients, and while the answer is complex, it’s one we’re always happy to explore.


Below we’ll work through the main factors that will affect what your firm’s overall IT security investment will look like, and what you should expect to see in the long run.

Key factors that influence the nature of your IT security spend

The amount you want to invest in your law firm’s IT security each year depends on the following factors:

  • Whether or not you’ve had a recent security audit. Before you can make any strides toward bolstering your IT systems, you have to establish a clear baseline. This takes the form of an outside provider performing an objective gap analysis that locates existing vulnerabilities in your environment, and offers a roadmap for remediation. (Put simply, if you haven’t invested in a security audit recently, you’ll need to.)
  • The size and complexity of your firm. The more nooks and crannies your technology environment has, the more effort (and likely money) it’s going to take to secure them. Not only that, but a larger headcount also means investing more time in properly training your attorneys and staff on your internal security policies.
  • The state of your current hardware and software. Are your servers and workstations regularly patched and monitored for health statistics? Are any of your servers out of warranty? Are you running machines on Windows XP, which is no longer supported in any capacity? Is your software patched and properly licensed? If you are working off of an aging infrastructure, you will likely have substantial up-front costs to upgrade.
  • The nature of your data. The vast majority of your firm’s data is going to consist of privileged information. Still, depending on your firm’s specific area(s) of practice, your particular data might range from moderately sensitive to completely and utterly confidential. Ask yourself this: if your data were to get into the wrong hands, what would the repercussions be? The more tightly you need to control your data, the more you’ll need to invest.
  • Your tolerance for risk. In the end, how secure do you want your firm to be? Would even the slightest breach tarnish your reputation for good? Do you trust your attorneys and staff to follow best practices without any mandated controls in place? As you can probably guess, the lower your tolerance, the higher your costs will be.


How much should law firms spend on IT security?

As you can see from the factors above, there is an adoption curve when it comes to security. As a general rule, your placement on this curve is going to dictate the nature of your overall IT security spend.

In other words, if you are just now taking the initiative to secure your firm, you’re going to have to invest a significantly higher up-front amount than those firms that have been making security a priority and an integral part of their culture for quite some time.

A security audit on its own, for example, is going to run you between $20,000 and $30,000 on average given the complexity that is inherent to law firms.

From there, you could be looking at an investment of $10,000 to $15,000 each year to implement any necessary technology solutions, and to test and make adjustments to them on an ongoing basis.

This, of course, is only a ballpark—if your assessment uncovers $40,000 worth of vulnerabilities in your current environment, and if you value the safety of your data, you really need to spend whatever is necessary to protect your clients and your reputation.

Across the board, the consequences of a successful attack on your firm can be devastating to the point where your entire business is crippled. So if we are to offer any one piece of advice, it’s that you need to work with a trusted resource to identify the appropriate solutions and next steps for your firm, and that you need to find a way to implement and maintain them no matter what.

Can you really afford not to?

