Cyber security risks associated with the use of third-party suppliers by law firms have been highlighted as a major concern by the UK National Cyber Security Centre. The recent NCSC Cyber Threat Assessment for the UK Legal Sector report confirms that supply chain compromises have increased by as much as 200% in 2017.
Improved services but increased cyber risks
All law firms rely on suppliers to deliver products, systems, and services. While essential to running their businesses, each of these supplier relationships could create cyber security issues unless they are checked and managed on a regular basis. Professional service companies are increasingly using cloud-based applications such as Outlook 365, CRM and dedicated case management systems. By far the greatest threat comes from a supplier failing to adequately secure the databases that hold confidential and sensitive client data.
Supply chains can be complex
Modern supply chains can be large and complex, often involving multiple suppliers who transmit confidential data from one location to another. The effectiveness of their cyber security measures will vary, and vulnerabilities can be inherent or introduced at any point in the supply chain. Fundamental questions such as, ‘Where is the data stored and how secure is it?’ can be difficult to answer for many suppliers.
Law firms are also suppliers
Law firms are also a supplier in their client’s supply chain. Cyber criminals can observe the process of a transaction and strike when money is about to be transferred. State actors can also target a law firm as a vector to gain access to corporate clients and their information.
To help law firms mitigate the impact of cyber crime associated with suppliers, the National Cyber Security Centre has recommended the following cyber security management principles:
Understand the risks and benefits
It is essential to understand the value of the information assets that suppliers hold and the impact of the loss or theft of this data on the clients of the law firm. All the suppliers in a supply chain must be identified and the maturity and effectiveness of their cyber security measures must be evaluated.
Law firms must proactively gain ‘cyber security’ control of their supply chains. Suppliers should be made aware of a minimum set of cyber security requirements that are justified, proportionate and achievable. Suppliers who continually fail to meet these requirements should not be used again and an over-reliance on a single supplier should be avoided.
Check the arrangements
Suppliers should be monitored and checked for compliance with the agreed minimum cyber security requirements. If possible, build ‘the right to audit’ into all supply contracts, particularly where the supplier handles very sensitive data assets. Formal assurance requirements associated with Cyber Essentials, PCI DSS or ISO 27001 can be used to provide a standard approach to monitoring the cyber security of suppliers.
Suppliers should be encouraged to continue to improve their security arrangements, emphasising how this might enable them to compete for and win future contracts with the law firm. Every effort should be made to build strategic supplier relationships through trust and effective communication.
Future expansion of outsourced services
Chief Information Security Officers in the NCSC Industry 100 group of law partners have indicated that there will be a significant expansion of outsourcing of services to external suppliers, either partially or entirely. They have also confirmed the trend towards disaggregation in the delivery of legal services, i.e. multi-faceted retainers spread across multiple specialist firms that need to work together for clients. These supplier trends, combined with the increased use of automation, make proactive management of the cyber security measures employed by all suppliers imperative.
About Wizard Cyber
Wizard Cyber is dedicated to helping law firms mitigate the risks associated with malicious or accidental cyber attack. We are a trusted supplier to many UK law firms and deliver 24/7 outsourced cyber security via our flagship range of CYBERSHIELD-MDR services.