You want to protect your firm and your client data from cyberattacks. An ounce of prevention, as they say, is worth a pound of cure. But prevention is only one part of a full cybersecurity plan.
Detection is just as important. After all, if you can't tell when someone's gotten through your defenses, you can't properly respond to a cyberattack. And for many organizations, detection is a serious weakness. Most companies don't recognize that their data has been breached until months after the event.
Prevention, Detection, Reaction
Being able to detect cybersecurity events is a crucial part of any robust security plan. Mark Lanterman, CTO with Computer Forensic Services, gives a fitting analogy over at Lawyerist. Think of your firm's network as your house. Your preventative measures, such as your firewall, are the fence. Your ability to detect intruders is represented by your door. And your home alarm system is how you react to intrusions. If this were your house, you wouldn't focus on prevention alone, building a giant fence but leaving your door ajar.
The reason the detection layer is similar to a house's front door is that its effectiveness largely depends on individuals. Once an attack has gotten past the fence, it takes IT departments and employees to spot something wrong. You can have the most secure front door, but if someone leaves it open or forgets to lock it (or doesn't know how), it is virtually worthless.
But most organizations aren't very good when it comes to locking their doors or detecting intrusions. Financial firms take an average of 98 days to detect a data breach, according to a 2015 cybersecurity report by the Ponemon Institute. Retailers were worse, taking 197 days. The data didn't cover law firms, but from what we know about some law firms' cybersecurity, the legal industry probably isn't winning any awards for quick detection.
A Quick Intro to Detecting Cybersecurity Incidents
So, you know you need to be able to detect intrusions, but how do you actually go about it? Your particular methods for detecting cybersecurity events will depend on your internal security system, but the webinar below, from F-Secure, provides a helpful, general intro.