Every week seems to bring another story of email theft. The attacks are relentless, striking corporations, government agencies and political groups.
Fortune recently reported that a series of break-ins at top U.S. firms was much wider than originally thought and linked to the Chinese government. According to Fortune, the attackers stole tens of gigabytes of data from one firm alone, possibly amounting to hundreds of thousands of emails. The article added, “The hackers returned repeatedly in search of new information.” No wonder. Law firms, with their troves of confidential client data, make tempting targets for criminals bent on insider trading, blackmail or industrial espionage.
The lesson for firms is clear: If you’re not paying attention to security, you’re not paying attention.
Attorneys Sharon Nelson, David Ries and John Simek are among the alert. Their guide to legal cybersecurity, “Locked Down: Practical Information Security for Lawyers,” has lessons for RIAs. It details the ethical, common law and statutory obligations to protect client information, along with firms’ contractual obligations to protect client data. They acknowledge security is harder and more complicated than it was in the days of paper documents. But as they point out, it’s also more urgent. They cite a report showing that 80% of the 100 largest law firms by revenue were hacked between 2011 and 2015, leaving little doubt that technology buyers need to put security front and center.
The question is how. Vendors don’t always make it easy. Some try to pass off their suppliers’ security practices as their own and, to be fair, those practices are important. Most SaaS vendors rely on cloud service providers such as AWS and Azure for their cloud infrastructure. Buyers need to understand how those providers manage and protect data. But they also need to realize their data will probably move through the vendor’s own IT infrastructure as well. Confidential information such as contracts, NDAs and emails may be stored on local servers or employee laptops. For this reason, your team needs to evaluate the vendor’s own security and compliance policies and procedures, not just those of its cloud provider.
One simple way to do this is through a questionnaire. A questionnaire can facilitate a conversation between the vendor and the client team about security certifications, data encryption and ongoing risk assessment and how these will be handled once the client data is turned over to the vendor. Some questions to consider:
1. What are the vendor’s policies and procedures on information security? Does the vendor perform security risk assessments to identify and measure risks and, if so, how often?
2. Does the vendor have a dedicated role for information security and compliance?
3. Does the vendor enforce use of strong multifactor authentication (MFA/2FA) for all elevated or privileged administrator accounts?