
LAW FIRM


BUSINESS PROBLEM

Law presents a unique challenge in the field of information security. The legal profession operates under strict ethical guidelines, and attorneys are acutely aware that violating these rules could end their careers, making the risk of an attacker selling information to opposing counsel relatively low. However, lawyers also have a sworn duty of care to protect their clients’ information, and opposing counsel is not the only party that might have an interest in such data.


Enter our client, an attorney who identified a critical need among peers in case preparation and built a business to address it. While the firm excels in case law, they acknowledge their limitations in information security and understand the risks of neglecting it—risks they’ve seen highlighted in high-profile security breaches affecting law firms.

SCALESOLOGY IN ACTION

The Scalesology team collaborated with the client to conduct a comprehensive risk assessment. This process involved identifying the client’s valuable assets, potential threat actors, the threats arising from the interaction of these two factors, the risks based on the likelihood and impact of these threats, and a set of controls to mitigate them.


The firm had recently lost its part-time IT administrator, a key-person risk that had already materialized. As a result, it was uncertain about the likelihood of several technical risks and could not even identify some of its assets. Anticipating that a penetration test would be a critical control, we expanded the scope of work to include this testing. The penetration test involved reconnaissance, surface determination, probing, and non-destructive attacks conducted on both the external and internal infrastructure, providing valuable insights to inform the overall risk assessment.

RESULT

While the penetration test extended the overall assessment by about a week, its results were highly revealing. Notably, it uncovered several virtual servers running internally that management was unaware of, yet these servers were critical to several key applications. Additionally, the test highlighted that some of the firm’s primary risks stemmed from insiders. These findings significantly informed the risk assessment and security strategy, enabling the firm to prioritize stronger internal controls. Furthermore, the detailed reports proved invaluable as the firm onboarded a new managed service provider.


 
