May 31, 2022//Isa Jones
Third-party risk is not new: over half of organizations (51%) suffered a third-party data breach in the past year. Third parties are opaque and transient, and their access is harder to govern and to limit than that of an organization's own staff. As analog processes go digital and the cubicle gives way to a laptop used from anywhere, third-party vendors become more and more critical to an organization's operations. Law firms, which many still picture as the most analog, in-office kind of organization, are no exception: they face the same risks and, unfortunately, the same breaches as every other industry.
The reason the legal industry suffers breaches is the same as in many other industries: it holds valuable, private information. Law firms handle clients' sensitive and confidential information every day, for every case, and attackers want that information. With ransomware and other cyberattacks on the rise, it is no surprise that law firms find themselves on the target board. In 2020, a third of law firms experienced a security breach. Attackers are clearly finding a way in and a way to that valuable information, which brings us to the necessary but infamous third-party access point.
Third-party platforms are ubiquitous in today's digital age, and law firms are certainly no exception: accounting software, data platforms, software that connects a firm to the networks of major corporate clients, and even the document software a lawyer uses to approve contracts or edit briefs. All of that valuable information lives on a lawyer's machine and on the firm's network, and an attacker does not need to breach the firm directly. Compromising a third-party program the unsuspecting lawyer relies on, or the credentials and connection that vendor uses to reach the firm, lets the attacker pivot through that third-party access point into the firm's network, where the files are ready for the taking. Call it the digital version of breaking into an office and going through a file cabinet with a flashlight. It continues to happen with greater frequency, and the third parties are unwitting participants.
Third-party risk will always be there, and unfortunately legal organizations are not taking the steps to mitigate it. According to the 2020 American Bar Association report, only 43% of respondents employ data encryption, and fewer than 40% use two-factor authentication or intrusion prevention. The consequences of a breach at a legal organization can be massive: fines, damages, ransomware payments, and even class-action lawsuits by clients whose data has been compromised. Talk about a legal nightmare.
You don't need a J.D. to understand the answer: secure your access points, especially third-party access points and the paths to critical data, assets, and systems. In practice that means knowing which vendors can reach what, limiting each vendor's access to what its job requires, requiring two-factor authentication on that access, and keeping a record of when and how it is used. Law firms are as decentralized as a healthcare organization or a supply chain, and they need to view their cybersecurity the same way.