Vendor Management: How Law Firms can Mitigate Supply Chain Risk
In opinion / By Andy Lewis / 14 February 2020
A senior Yorkshire police chief recently warned that companies face a new cyber threat from an unlikely source: their cleaners. It transpired that organised crime bosses are seeding insiders into contracting firms so they can physically access IT systems to steal sensitive data. The warnings highlight the importance of choosing the right vendors to do business with, and the potential risks posed by modern supply chains.
With data protection regulators increasingly keen to drive accountability for the security of sensitive data, it’s time organisations took action. This will demand a rigorous, detailed and continuous process of assessment, monitoring and due diligence.
The Backbone of any Business
Few businesses could function today without their supply chains. The average medium to large-sized law firm could have hundreds, maybe even thousands, of suppliers, covering everything from accounting and marketing to web design, content management and much more. Technology sits at the heart of this provision, as data storage and management go digital. Some 87% of respondents to a poll in The Lawyer last year agreed that tech investment will boost revenue because it helps law firms offer better services.
IT services are vital to the modern legal sector, offering everything from application development to back-end hosting of Office applications, mobile device management, file sharing and collaboration, managed telephony and more. Yet according to some research by HBR Consulting, just two-fifths (42%) of firms have a formal third-party risk management policy in place.
Supply Chains are Risky
Why does this matter? Because all of these IT connections in and out of the organisation offer a large target for cyber criminals to take aim at. The legal sector in particular is highly sought after for confidential client data — so much so that GCHQ’s National Cyber Security Centre (NCSC) released a dedicated 2018 report for the industry. It cited statistics showing that 60% of law firms reported an information security incident over the previous year, and that over £11 million of client money was stolen through cybercrime during the period.
Law firms, and their counterparts in other industries, run the risk of severe reputational harm if funds and key client data go missing. But they also face potential threats from ransomware designed to maximise business disruption in order to force victims into paying up.
As the manager of the Yorkshire and Humber Regional Cyber Crime Team warned, threats to data security can come from anywhere — even “sleepers” planted inside cleaning and office contracting organisations that may have out-of-hours access to IT systems. But the reality is that you’re far more likely to encounter remote hackers operating under the anonymity of the internet than rogue cleaners.
Attacks Hit Home
These are not theoretical risks. Back in 2017, PwC and BAE Systems uncovered a large-scale Chinese plot to compromise managed service providers (MSPs) and use their access to target global customers. Stepping-stone attacks like Operation Cloud Hopper may not always be as sophisticated as this, but they’re an increasingly popular tactic.
Sometimes the threat vector is not an MSP but a software provider. That’s what happened in Ukraine in 2017, when Russian hackers seeded malware into a popular accounting software package called M.E. Doc. The disk-wiping malware subsequently spread to disrupt countless organisations in the country and then abroad, via the VPNs of international firms with offices in the eastern European country. DLA Piper is said to have lost millions in downtime and in the 15,000 hours of overtime it had to pay IT staff to help recover from the incident.
A Four-Point Plan
So, what’s the answer? It pays to check out the NCSC’s advice here, but it boils down to four key steps:
- Understand the risk
- Establish control
- Check your arrangements
- Continuous improvement
Understanding the risk means mapping your information assets and where they flow, understanding your suppliers’ security posture and where there may be deficiencies. Then it’s about gaining control by communicating your security requirements to all suppliers, setting minimum standards and building these into any contracts. It’s vital that your suppliers do the same in turn for any sub-contractors. Establishing KPIs to measure performance and mandating regular audits will help to build confidence in the supply chain and drive continuous improvement.
Open communication channels are also key here, as is striking a balance between allowing suppliers time to make changes and ensuring that timescales and promises are met. This may all require a cultural and mindset change for many businesses, but the alternative is far worse.