CASE STUDY: Law Firm

The Case

The law firm is headquartered in Southeast Michigan. The firm employs 35 lawyers and is a boutique plaintiff firm.

The CFO has been with the firm for 14 years. He is responsible for various functions including financial reporting, part of human resources, legal, and IT issues. He is also a CPA and had previously worked at PWC.

Background

The firm experienced a cyber incident a year ago. While the attack was unsuccessful, it was eye-opening to the CFO and others at the firm. He said, “I really needed to get a partner who had some of the capabilities that my current tech people don’t have and skill sets that I personally don’t have. We all have areas of weakness that need to be shored up. We needed a partner with highly competent people to shore us up in those areas, and that’s how SensCy came about. “They have the skills that we need.”

The CFO knows of other law firms that had been targeted and believes hackers are focused on this industry. When his organization was attacked, he needed to make the board aware of the issue and go through a complete audit. The cyber incident triggered them to understand that they needed to pay more attention to cybersecurity and bring in more outside help. Prior to the attack, the firm already had cyber insurance, but the firm realized that this was not enough.

The Decision

The CFO discovered SensCy™ through one of the tech professionals that he works with. Once he understood the people involved with SensCy, he was instantly comfortable. He said, “You have to trust your cybersecurity people…and in this case, I do.”

He already had a competent IT Service provider and some tools in place to try to prevent attacks. While he had elements in place, he believed they still needed a qualified organization to keep an eye on things, to stay abreast of what was happening, to keep the organization up-to-date on new developments, and to advise them on issues that need to be addressed. The CFO indicated that it was one thing for him to bring up issues to his fellow lawyers, but it is a whole different game when issues are brought up by a professional cybersecurity organization.

The CFO said that organizations like his can get cyber services from a wide range of providers. “Some companies will look for a soup-to-nuts provider, and some people, like me, have a more hands-on approach.” He added, “So, I already can support the operation directly, and I contract with IT to be able to provide the support for the operation itself. That’s a cost-effective way for us to go about doing this. With SensCy, I can really shore up those areas where I’m just not going the time to obtain the assets and properly maintain skill sets needed in this fast-changing cyber environment. Fortunately, SensCy does focus on my kind of business. “I think I’m a solid player in their target market, and we work well collaboratively. Having that deep bench, I think, really helps me out.”

He believes that SensCy is a perfect fit for a medium-sized business like his. He said that SensCy’s fee is worth it. When he was looking for vendors to help him, price quotes were as high as $400,000, so SensCy was exceptionally reasonable for what they provided.

The Implementation

The SensCy implementation has gone exceptionally well for the Law Firm. They have taken their SensCy Score™ from 612 to 825. He said that SensCy’s personnel have confirmed that they were moving in the right direction. The SensCy team looked at their systems, provided guidance and training to the lawyers and other members of the firm, offered an ongoing dialog about vulnerabilities, made sure that security patches were installed on time and correctly, and other critical functions–relieving both he and his service provider of the detailed demands relating to cyber issues and cyber risk.

The CFO has also been pleased with the response from lawyers at the firm. He said that law firms are often slow to adapt to change, but in this case, the lawyers and his board quickly adapted and implemented the right procedures. He added, “It’s difficult to manage that change. But fortunately, this has made it more palatable and more receptive.”

The CFO’s favorite part of SensCy is the ongoing cyber counseling for the complex cyber challenges his law firm faces. He referred to SensCy as his “Cyber Therapist.” He said, “I particularly have enjoyed the ability to have almost like a counseling session with somebody.” He continued, “Having someone that I can bounce things off from a managerial and a process perspective, to have some team members that have those skill sets and where I can say, ‘Look, I just feel like we have to make an improvement. Do you see other mitigating factors in our current processes that allow me to buy into maybe what’s gone on?’ I’m able to brainstorm with them. And I think that, for me, the greatest value has been to sit down with them and go, ‘Look, this doesn’t play well to me.’ I have to work with some folks. I need the tools and their skill sets to help me manage what we have here, but I also want to look at what is really right. And so, it’s allowed me to have a third party say, ‘Yeah, I don’t think that’s a great idea. I think we should modify that position.’ So, it becomes us talking about it as a group and seeing what’s the best way to go. And again, internally I’m able to sell that in the organization better by doing just that.” He calls this “Cyber Therapy”.

He frequently gets positive comments from his team. He said, “People have come back and said, ‘You know what? I should be doing this at home. And I said, ‘Yes, I told you that months ago. This is something that’s not just for me. This is something for you and your house and your family.’ So, that’s been a real positive thing along the way. An actual shareholder here just sent me her certificate of completion of all the cyber awareness training. She sent me a copy of it. Just wanted me to know.”