March 9, 2021
The recent supply chain cyber attack that targeted everyone from the Washington State Auditor to Microsoft to Boston law firm Goodwin Procter through their vendor, Accellion, was a reality check that there is no such thing as “too cautious.” Every type of organization is susceptible to data breaches. Just in the last year, it was reported that globally these breaches have cost $3.86 million and experts expect that they will become more and more frequent.
Despite these grim predictions, management still has the responsibility to protect their organizations and comply with regulations. The best way to mitigate risks and prevent a potential security breach is to invest in preparing your team for the possibility of a security breach.
Start planning ahead with these steps.
1. Assessment & Training
Start laying the groundwork by surveying your colleagues and taking the time to understand what types of information they process, what programs they use, and vulnerabilities in their processes where documents or information could be unsecured. List all of your findings in a Risk Register where you can identify, treat, and track those vulnerabilities before they turn into threats.
Equally important to monitoring data handling is prioritizing employee security education and awareness. Human error is common when it comes to data breaches and sometimes all it takes is one absent-minded mistake to have a huge impact on the whole company and its clients. It’s a great idea to do an annual training for all of your staff and employees (including vendors and contractors that have access to your network or systems).
Employees and staff at all levels should have a solid understanding of data classification, storage, transfer, access, and protection, and of the consequences if data is mishandled, lost, or stolen. The sensitive legal information that firm staff process makes their daily work inherently high risk, so it is important to continually monitor sensitive folders and mailboxes, and to report anything suspicious immediately.
2. Compliance & Notifications
There is a growing number of government regulations surrounding security compliance at the state, national, and international levels, such as the California Consumer Privacy Act (CCPA), the Americans with Disabilities Act (ADA), and the GDPR. Determining which regulations apply to you and investing the time to implement the preventive measures needed to comply is quite a challenge. On top of that, legislation is constantly being revised to reflect new threats, as fast as technology evolves.
One commonality between most regulations is a notification time following a breach, its containment, and its resolution. Taking response time into account while creating your security plan will give you a guideline to follow when the crisis happens. Keep in mind that the deadline for reporting breaches varies, so check what your state’s notification laws are. The GDPR requires companies to report a breach within 72 hours from the moment they become aware of the incident, so if you work with or are based in the EU, take that into account.
One last reminder if you’re not already convinced: the longer the time between a data breach being discovered and fixed, the more expensive the consequences, so having a robust plan, and keeping everyone informed, will be a weight off your shoulders.
3. Verifying Vendors
After planning ahead within your organization, it is imperative that you assess how your vendors handle security, particularly when it comes to the information of yours that they process and handle. Take the time to perform a due diligence assessment on any of your outside counsel, partners, and contractors/subcontractors to make sure that they have information security policies, and if possible are certified under recognized compliance standards, such as ISO 27001, PCI DSS, HIPAA and ITAR. A vendor that holds several accreditations shows that it values and will prioritize your data security.
Most attacks are through smaller companies and firms, with the hopes of backdooring into legal departments, major law firms, and other big fish. Hackers know that breaking into an enterprise corporation or AM Law 100 Firm is next to impossible, but taking advantage of a vulnerability in the supply chain makes it a breeze. Knowing exactly how your vendors and partners handle sensitive data builds a stronger supply chain and protects everyone against this kind of attack. Remember, you’re only as strong as your weakest link.
Cyber criminals have gotten creative and have what feels like infinite resources to devise attacks and hacks, but what they don’t have is collaborative power. Even with major attacks, there are usually only a handful of actors that essentially got lucky with a vulnerability after countless failed attempts. If corporate legal departments and their vendors, from law firms to payroll to invoices to tech, pool their efforts and all prioritize information security, the chances of a breach fall significantly.
It all starts with an assessment, similar to the one you do internally, to evaluate your vendors’ current security state and practices, which may lead to discoveries and opportunities for improvement. But we understand that this is no small feat. You will need a tool that can help your department streamline the administration of this due diligence process for vendor risk management, as different regulations require different risk assessments for different vendors. Getting everyone on board and collecting, maintaining, and monitoring that information quickly grows into a massive administrative effort.
With Counself Risk, an ISO 27001:2013 certified private-cloud platform, you can easily set up secure requests to collect information, evaluate your outside counsel, and optimize your assessment workflow and vendor compliance management. Counself has been designed specifically for legal with enterprise security features and integrations with SSO and leading platforms such as NetDocuments and Mitratech TeamConnect to make vendor management and monitoring as simple and secure as possible.