According to new findings in the 2017 ALM Intelligence General Counsel Up-at-Night survey, when it comes to data privacy and security, most organizations’ general counsel spend less time managing risks than their importance warrants.

Because outside law firms serve as valued partners of the corporate legal department at almost every company, firms typically have access to some of a company’s most sensitive data. So, while an organization’s general counsel may have more responsibility for incident response than for cybersecurity guidelines, he or she also needs to be aware of, and prepared to manage, the innate risks that accompany legal work.

From my experience talking with general counsel and in-house attorneys, I am aware that it’s often the resource gap that presents the biggest issue in managing compliance with cybersecurity guidelines. Knowing where to begin addressing this issue can be overwhelming, but can be made less so by starting with a few simple steps.

First, using a tiered approach to manage risk can help you concentrate your efforts on the law firms that have a majority of your sensitive data. Once you prioritize the risk associated with your firms, you can next require them to self-assess their compliance using your guidelines. This allows you to focus your limited resources on the greatest risks and potentially identify some you may not have considered previously.