Supply Chain Weaknesses in Law firms

Recently, British Airways suffered a high-profile data breach. Upon investigation of the causes of the breach, British Airways' own web platform was found to be secure, and it was confirmed that the data leakage had been caused by a third party forming part of the British Airways supply chain.

At a recent meeting with a company who supply IT services to law firms, I asked how often law firms ask for security accreditations during the buying process, which ones they provide, and what other checks are done on their security arrangements. I was shocked and horrified to hear that this supplier had only on a handful of occasions been asked any questions about its information security arrangements.

With law firms increasingly choosing to outsource many of their IT and office management functions, the risks that these third-party suppliers can pose to your firm’s sensitive data should not be underestimated. There is no point in having the most robust internal security processes and impenetrable systems if you don’t expect the same of your suppliers. The saying ‘The chain is only as strong as its weakest link’ certainly applies here. So how should you secure your supply chain?

  1. Be upfront. Tell vendors that you will need to assess their security arrangements. Those with robust arrangements will be open to this.
  2. Keep an up-to-date list of suppliers and review them regularly.
  3. Ask them to provide accreditations. As a bare minimum, they should have Cyber Essentials Plus. This is the minimum standard of cyber hygiene recommended by the UK Government. Companies who really take information security seriously will also have ISO 27001.
  4. Vendors should be willing to make their policies and procedures available to you. In particular, you should ask to see their Breach Management and Business Continuity policies, which tell you how they will deal with any data breach affecting your data and how they will guarantee service to you in the event of a disaster.
  5. Ask them to provide their most recent Penetration Test Report. These should be done on web applications every 6 months. Ensure that any remedial work on high-risk vulnerabilities has been completed.
  6. Ask where their data is physically located. Ideally, it should be UK based. You should definitely avoid suppliers who hold your data outside of the EU or in known crime hotspots.

Why do you think that law firms aren’t always asking these questions?