(and the reports you need to give them)
Law firms should get a penetration test annually
There are 5 audiences for your pentest, and they have very different reporting needs
Have your Pentester tune their reports for your audiences
Penetration Testing (pentesting) is considered one of the best investments in cybersecurity for your law firm. Hiring an expert “ethical hacker” to identify vulnerabilities and test whether they can be exploited helps you understand what needs to be fixed first. Clients, partners, insurance companies and other stakeholders also know the benefits of regular penetration testing, which is why so many require annual penetration testing.
Penetration testing, therefore, is much more than a technical test. It is a way for your firm to prioritize gap closure and cybersecurity investments, and it provides assurance to others that you have an effective security program at a fundamental level.
Get reporting wrong and you will raise concerns. Get reporting right and your audience will move on with comfort and confidence.
Think of these reports as various forms of Executive Summary or Attestations from your independent penetration tester. The detailed report (see 5) should be kept private. But these audiences have a legitimate need to understand a level of detail that builds their confidence in you and your security program.
Keep in mind that your independent pentester is not altering their findings in any of these. If you are in dismal shape, then the report will need to say that. But, with fine-tuning (and remediation and retesting) you will find you can get much more leverage from your pentest.
This post highlights the 5 audiences at law firms for your penetration test, and the tone and level of detail they need to see.
1. Stakeholders (partners, shareholders, BOD)
Focus on Risk
Your partners or stakeholders care about risk. Cybersecurity is a big risk that most stakeholders only understand tangentially. They know a compromise will cost money and that small law firms frequently don’t survive a serious attack. Don’t delve into attack vectors, tools, and methods for this audience. Focus on metrics, risk mitigation, and monetary impacts.
Visual reporting elements such as graphs and charts play a pivotal role in efficiently communicating key results to these stakeholders. In addition, this penetration test report should communicate alignment with the law firm’s overall mission and goals. That reinforces the importance of your overall security program.
Principles:
First, work to understand the near-term goals of the law firm. Is it growth? Is it a new line of services? Whatever it is, you can anchor the pentest to that.
Work with your pentester to ensure they write this summary in a way that supports the firm’s goals and doesn’t conflict in any way.
You should write a cover letter to the pentest report that aligns with the firm's goals, and describes how this protects those initiatives. You may also reference industry security trends that may matter to their risk discussions.
2. Client Reports
Focus on being compelling
Many law firms are getting questions about their cybersecurity from clients. It makes sense. Law firms have extremely sensitive information, and clients expect tight security. Of course, you need to provide them with an attestation that gives them the right level of assurance.
But, with some refined language, you can be much more compelling. In fact, your pentest can be used as a sales tool. Align with their concerns and tell them the measures you are taking to protect them. We’ve even worked with marketing teams to get the messaging on point.
Principles:
Work with your pentester to write a customer-facing report that is factual but compelling.
Be ready to share this report with your clients. Speed equals confidence, and sharing this report willingly and quickly frequently handles their concerns completely.
Talk about how seriously your law firm takes cybersecurity. Pentesting is just one part of your overall cybersecurity program.
3. Insurance Providers
Focus on Safety
Cyber insurance premiums continue to rise and the industry’s loss ratio (paid claims to premiums earned) shows no sign of slowing down. With the onslaught of ransomware, insurers offering cyber coverage were initially caught off guard, and they significantly underestimated the cyber risk landscape and expense of cyber-attacks.
That was last year. Insurance has snapped to the other end of the pendulum. Insurance for cybersecurity is not only expensive, it can also be hard to meet some of their requirements. It’s almost guaranteed that they will require annual penetration testing. A clear and concise report can provide your insurer with the comfort and reassurance they’re looking for.
Principles:
Make sure you understand clearly what your insurance company requires for pentesting.
The report should be short and factual. If you follow a best practice framework (and you should), mention it and comment that a pentest is also best practice.
Work with your pentester to write a report on their letterhead and have them offer to speak to the insurance company in the letter. This communicates confidence and transparency.
4. Compliance
Focus on the compliance facts
Depending on your law firm’s areas of practice, you may need to do a penetration test for compliance purposes. This is rather unusual in this industry, but if you have the need, then keep the compliance pentest report tied strictly to the specifics of the requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS) only cares about credit card data. Nothing else matters. For HIPAA, only protected health information (PHI) matters.
Don’t comment on other areas, even if they were tested. There is no need to raise alarms with test results that have nothing to do with the compliance requirements. Talk about the compliance requirement specifically, the test methods, and whether your law firm is currently in compliance. Any other details are superfluous and risky.
Principles:
First, make sure your pentester understands the compliance requirements. These requirements can be esoteric and complicated.
Compliance pentest reports should stick to the requirements only. Nothing extra.
5. For Your Internal Team
Focus on detailed findings and prioritized remediation
Of course, the primary purpose of a pentest is to identify gaps and prioritize remediation. This report provides details on every vulnerability, the attack methods used to exploit it, evidence of success and prioritized remediation recommendations. It is the primary purpose of penetration testing, so the more comprehensive the report can be, the better.
This is the report your IT team, whether in-house or outsourced, will work from to shore up your cybersecurity. Of course, given the details, you would never share it with anyone other than the few people on your team who can understand it and will work on remediation. Keep it safe. Keep it private.
Principles:
All findings should be risk-ranked.
Every finding should include: the gap in plain language, where it was found, severity ranking, whether it was exploited, evidence of being exploited, description and business impact, how to remediate it.
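The finding fields and risk ranking listed above, together with the "requirements only" filtering from section 4, as an added Python sketch that is not part of the original post. The severity scale, the `scopes` tag used to mark a finding as relevant to a compliance requirement, and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed severity scale; a pentester's own scale (e.g. CVSS bands) can be mapped onto it.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Finding:
    """One entry in the internal team's detailed report, with the fields the post lists."""
    title: str          # the gap in plain language
    location: str       # where it was found
    severity: str       # severity ranking
    exploited: bool     # whether it was exploited
    evidence: str       # evidence of being exploited
    impact: str         # description and business impact
    remediation: str    # how to remediate it
    scopes: tuple = ()  # hypothetical tag, e.g. ("pci",), marking compliance relevance


def risk_ranked(findings):
    """Internal report order: highest severity first, exploited findings ahead of unexploited."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.exploited), reverse=True)


def compliance_view(findings, scope):
    """Compliance report: only findings tagged with the requirement; nothing extra."""
    return [f for f in risk_ranked(findings) if scope in f.scopes]


def stakeholder_summary(findings):
    """Stakeholder report: counts by severity and exploitation, no attack detail."""
    summary = {"by_severity": {}, "exploited": 0, "total": len(findings)}
    for f in findings:
        summary["by_severity"][f.severity] = summary["by_severity"].get(f.severity, 0) + 1
        summary["exploited"] += int(f.exploited)
    return summary


# Constructed sample findings; not from any real test.
SAMPLE = [
    Finding("Outdated VPN appliance firmware", "vpn.example.test", "high", True,
            "Tester obtained a session on the appliance", "Remote access to the internal network",
            "Apply the vendor firmware update; restrict the admin interface"),
    Finding("Card data form served over HTTP", "billing portal", "critical", False,
            "Not exploited; identified in configuration review", "Card data exposed in transit",
            "Enforce TLS on the billing portal", ("pci",)),
    Finding("Verbose server banner", "public web server", "low", False,
            "Not exploited", "Minor information disclosure", "Suppress the version banner"),
]
```

`risk_ranked(SAMPLE)` is the internal ordering, `compliance_view(SAMPLE, "pci")` is the only list a PCI-focused report should contain, and `stakeholder_summary(SAMPLE)` is the kind of count a chart for partners would be built from.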
Closing Thoughts
Penetration testing will continue to prove its worth as an invaluable security tool for law firms as the threat landscape becomes even more sophisticated. If you get reporting right and begin every report by bearing your audience in mind, you will drive even more value from your pentest investment.