It is common for firms to outsource operations like payroll to third-party suppliers, but with this comes increased risks of a cyber breach. Known as “supply chain attacks”, malicious actors target third-party vendors to infiltrate their partner organisations, which are the main target.

Lately, there has been a steady increase in these types of attacks as it is difficult for both vendors and their customers to protect their networks against well-resourced actors with the ability to compromise widely used software products.

Should a third-party vendor be attacked while in possession of your clients’ sensitive data, you are liable. Security audits of external providers and partners can help you stay on top of any vulnerabilities that may be exploited, by ensuring third-party suppliers are compliant with a globally accepted information security framework, such as NIST Cybersecurity Framework.

The impact on lawyers

A BlueVoyant report from 2020 revealed that law firms tend to be more vulnerable than other types of businesses to cyber attacks, with over 15 per cent of a global sample of law firms showing signs of compromise.

The reputational impact of data loss to a law firm following a security breach cannot be underestimated. The mandatory data breach notification rules that now apply to most law firms exacerbate the effect dramatically and may require contacting every existing and former client to advise them that a person unknown may have their information.

The remediation and reputational effect of an attack could cost even a small firm hundreds of thousands of dollars.

VIEW ALL

As the number of cyber attacks on Australian companies grows exponentially, the spotlight is now on the leaders of these organisations to act in order to mitigate their risk of exposure. For legal firms, the impact could be incredibly damaging to both firms and their clients. Therefore, it is crucial that firms keep an eye on their supply chain.

Mitigating the risks from third-party software

Many law firms rely on vendors for a variety of services, and given the value of these third-party providers, simply avoiding these partnerships to remove the risk of a cyber attack is not a solution. Instead, there are a number of things that firms can do to reduce their third-party risk significantly:

Firstly, law firms should acknowledge the existence of third-party risk and work on understanding their exposure — defining their tolerance to risk goes a long way in combating supply chain attacks.

Secondly, ensure the vendors and key stakeholders you work with understand your supply chain process and that third-party risk processes are established.

Thirdly, when your organisation identifies possible vendors to partner with, ensure that cyber security is covered in the contract. Once your organisation partners with a vendor, it is important that a process is in place to continually assess and monitor risk; for example, utilising vendor risk assessment questionnaires can help you make sure that a vendor’s internal data handling practices and procedures are secure. Understanding where your most critical assets are and who has access to them is a vital component of any cyber security strategy.

Lastly, even with all these measures in place, due to the increase in sophistication of hackers, it is important to be always prepared for a cyber attack and have an incident response plan in place to mitigate the impact a security incident can have on your organisation.

Change is needed, but it’s not always welcome

Most companies will only invest in an area when they see a need or motivation, it is enforced, or it creates a pain point.

Cyber security should not and cannot be a “wait-and-see” situation for law firms. It needs to be planned and implemented well in advance of an attack and shouldn’t merely be put in place to tick a box. Leaders and board members need to understand the vital importance of prioritising the uplift of all facets of their cyber security policies as well as ensuring their vendors do the same.

Addressing the possibility of “supply chain attacks” by malicious actors is an important step in protecting your business from becoming the next cautionary tale.

Ajay Unni is the founder of StickmanCyber. He has over three decades of IT industry experience and more than 15 years of experience as a cyber security specialist.