Security challenges for the legal sector
Third party information security – a challenge for the legal sector
In common with all industries, the legal sector faces significant and growing cyber risk. The large sums of money, high-value commercial transactions and privileged information handled by law firms make them a very desirable target for cybercriminals, including nation state-sponsored actors, who run relentless campaigns designed to extract money or valuable data. The impact of breaches is considerable: the SRA reported that £11m of client funds was stolen in 2017, and that is only the direct financial loss; the damage to reputation and productivity is less tangible but no less important.
The NCSC identifies the top four risks to legal firms as phishing, data breaches, ransomware and supply chain compromise. Strategies to mitigate the first three are largely under the control of the firm itself, through user training, email protection and endpoint protection; mitigating risk in the supply chain is a more complex challenge, because the controls that matter sit in another organisation.
The situation is complicated by the increasing digitisation of legal firms and rising client expectations around digital services and communications. In a drive to improve efficiency and gain competitive advantage, firms are adopting cloud-based software and systems and granting network access to larger numbers of third-party suppliers than ever before. This creates a much bigger digital ecosystem that, while offering those efficiency and productivity gains, also offers a far larger attack surface for cybercriminals to target. It means that a firm’s cybersecurity is only as strong as its weakest link, and that link may exist outside the firm’s control in a third-party supplier.
Island hopping and allocating cyber-responsibility in supply chains
As is typically the case, cybercriminals are ahead of the game when it comes to exploiting firms' digital ecosystems. They have realised that the large firms holding high-value data and managing lucrative financial transactions usually have stronger defences. Instead they infiltrate the networks of those firms' suppliers, then exploit the authorised connections between the supplier and the target (remote support access, shared service accounts, system integrations), which are less rigorously scrutinised than inbound traffic from the internet. Suppliers that could fall victim in this way include IT managed service providers, cloud providers and software suppliers. This tactic is called "island hopping" and it is now a regular feature of cyberattacks, with security experts reporting it in around 50% of breach attempts.
Breaches caused by supply chain attacks raise a conundrum when it comes to responsibility. Clearly there has been a security failure at the supplier, which must accept its liability, but how far is the law firm responsible for the failings of the third parties it uses?
The regulatory trend across sectors from finance to healthcare shows a clear move towards laying significant responsibility for using suppliers with insufficient security standards at the target organisation’s door. Recent guidelines issued by the European Banking Authority require that businesses put in place risk-mitigating measures and ensure they are effective when outsourcing key functions and data to third party suppliers such as cloud service providers.
This covers general procedural weaknesses as well as malicious cyberattack. The same principle applies under the GDPR: a law firm that engages a supplier to process client records remains the data controller and stays accountable for that processing. If the supplier fails to adequately secure those records and they are breached, the law firm can find itself in breach of the GDPR alongside the supplier, regardless of where the technical failure occurred.
Vendor risk management
So, while looking for the efficiencies and competitive advantages that third-party technologies can offer, law firms must also be conscious of the risks that partnering with suppliers could introduce, from both a security and a regulatory perspective. Firms need to be satisfied that potential suppliers have strong and effective security measures in place and can demonstrate compliance with evidence rather than self-attestation.
It is important to note that this is not a point-in-time exercise. Both the cyberthreat environment and the regulatory landscape are constantly evolving; what was secure and compliant one week may not be the next. Vendor risk management needs to be treated strategically, as an evolving issue that is regularly reassessed and reported to the board.
So what can law firms do to manage third party risk?
- During procurement, require that suppliers comply with the relevant security regulations and are certified to information security standards such as ISO 27001, plus any standards specific to the industries in which the firm operates (for example HIPAA for healthcare clients). Ask for the certificate and its scope statement: a certification that does not cover the specific service being purchased offers little assurance.
- Conduct regular compliance audits of suppliers, and encourage an open dialogue around security and compliance actions, incidents and risks.
- Explore continuous vendor risk monitoring solutions, in recognition that what is secure today may not be tomorrow as the cyberthreat environment evolves.
Firms in the legal sector, and those that supply them with infrastructure, systems and software, need to recognise the shared responsibility for maintaining rigorous and continuously improving security standards to protect businesses and clients from the ever-evolving threats posed by cybercriminals.
WebTMS is certified to ISO 27001 and has rigorous information security management governance in place to protect its clients from cyber risk. To find out more please contact us on [email protected]