When bringing on board new technology partners you can never delve too deeply into their cyber security credentials. This applies to law firms more than most because of the highly sensitive nature of the information firms hold on behalf of clients.
This, coupled with high levels of cyber crime affecting the profession today, as highlighted by recent Law Society Gazette articles (Beware of the phish / Managing The Risk: protecting your clients), probably makes information security one of the most important aspects of any law firm check-list when signing up with a new IT / software partner.
The top 6 security questions a law firm should ask any prospective software or IT services supplier are:
- For firms going with a cloud solution, can your supplier prove they operate their SaaS solution (i.e. the cloud hosting) within an ISO 27001 certified datacentre? ISO 27001 is the international standard that sets out the requirements for an information security management system (ISMS). Ask to see the datacentre's certificate and check that its scope actually covers the facility and services hosting your data.
- Can your supplier prove THEY themselves are also ISO 27001 certified?
Certification to ISO 27001 demonstrates that an organisation is following robust information security management practices. Some suppliers say they have ISO 27001 certification when in fact it is only their third-party datacentre that has it. For belt-and-braces information security management your supplier themselves should hold it too, with a certificate whose scope covers the development and operation of the product you are buying and not just a head office function.
- Can your supplier present a recent penetration test report?
Penetration testing (often referred to as pen testing) is the practice of testing a computer system, network or web application in order to find vulnerabilities that could be exploited by a cyber criminal. A useful report is recent, was carried out by an independent tester, covers the application and hosting environment you will actually use, and comes with evidence that the findings have been fixed and re-tested.
- Do you have access to an audit trail within your practice management software?
i.e. can you see who accessed which matter or document and when, and so spot users accessing areas they shouldn't? The trail should also be something that users, including administrators, cannot quietly edit or delete.
- Can your supplier demonstrate a robust security patching process within their SaaS infrastructure?
i.e. a defined process and timescale for applying Microsoft security updates to the Windows servers and SQL Server databases that hold your data, so that known vulnerabilities are not left open for months.
- Can your supplier prove they are Cyber Essentials certified?
Cyber Essentials is a UK government-backed cyber security certification scheme that sets out a baseline of controls for organisations. It is designed to protect against the most common internet-based attacks. Cyber Essentials Plus adds an independent technical verification of those controls, so ask which level the supplier holds.
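To make the audit-trail question concrete, here is an added example (it is not LAWFUSION code and does not come from the original post): a short Python script that reads a constructed audit-trail export and flags the kinds of activity a supervising partner would want to see, namely access to matters a fee earner is not assigned to, bulk exports or permission changes, and activity outside office hours. The log format, user names, matter numbers, assignment table and office-hours window are all assumptions made for the illustration.

```python
"""
Added example, not LAWFUSION code: review a practice-management audit
trail for users reading matters they are not assigned to.

The CSV format, user names, matter numbers, the "assigned matters" table
and the office-hours window are all constructed for this illustration.
"""
import csv
import io
from datetime import datetime, time

# Constructed audit-trail export: timestamp, user, action, matter, object.
AUDIT_LOG = """\
timestamp,user,action,matter,object
2017-03-01T09:12:04,jsmith,VIEW_DOCUMENT,M-1001,Contract v3.docx
2017-03-01T09:40:51,jsmith,VIEW_DOCUMENT,M-2042,Witness statement.pdf
2017-03-01T22:15:30,pjones,EXPORT_MATTER,M-3107,Full bundle.zip
2017-03-02T10:02:17,pjones,VIEW_DOCUMENT,M-3107,Letter of claim.docx
2017-03-02T10:05:43,admin,CHANGE_PERMISSION,M-2042,Access list
"""

# Constructed need-to-know table: the matters each fee earner is assigned to.
ASSIGNED_MATTERS = {
    "jsmith": {"M-1001", "M-1002"},
    "pjones": {"M-3107"},
}

# Actions that move data out of the system or change who can see it deserve
# a look even when the user is entitled to the matter.
SENSITIVE_ACTIONS = {"EXPORT_MATTER", "CHANGE_PERMISSION"}

# Assumed office hours; activity outside them is flagged for review.
OFFICE_HOURS = (time(8, 0), time(19, 0))


def parse_audit_log(text):
    """Parse the CSV export into dicts, turning the timestamp into a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_audit_log(text, assigned=ASSIGNED_MATTERS):
    """Return (user, matter, reason) findings that merit a human's attention."""
    findings = []
    for row in parse_audit_log(text):
        user, matter, action = row["user"], row["matter"], row["action"]
        when = row["timestamp"].time()
        # Users with an assignment record are checked against it; accounts
        # without one (e.g. admin) are only flagged on sensitive actions.
        if user in assigned and matter not in assigned[user]:
            findings.append((user, matter, "access outside assigned matters"))
        if action in SENSITIVE_ACTIONS:
            findings.append((user, matter, f"sensitive action {action}"))
        if not (OFFICE_HOURS[0] <= when <= OFFICE_HOURS[1]):
            findings.append((user, matter, "activity outside office hours"))
    return findings


if __name__ == "__main__":
    for user, matter, reason in review_audit_log(AUDIT_LOG):
        print(f"{user:8} {matter:8} {reason}")
```

Run against the constructed log this reports jsmith's view of M-2042 (not one of his matters), pjones's late-evening export of a full matter bundle (twice, once for the export and once for the hour), and the admin's permission change on M-2042. The point for the check-list is that a supplier's audit trail only helps if it records the user, matter and action at this level of detail and can be exported for exactly this kind of review.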
Today’s cyber criminals are becoming significantly more sophisticated, and it is getting harder and harder to protect your business from attacks. A 2016 BT-KPMG report talks about the ‘industrialisation of cybercrime’, having seen clear evidence that today’s cybercriminals work for complex operations akin to businesses, with human resources departments and budgets for research and development. They mean business. Firms must be sure not only that they themselves are doing all they can to protect their data, but also that their trusted technology partners and suppliers are too. In 2017 BT-KPMG produced a further report warning that businesses are aware of a sharp increase in risk from cybercrime, but that this awareness has not translated into effective action.
For more information about Select Legal Systems Limited, suppliers of LAWFUSION, the popular suite of Legal Practice Management Software for law firms, please call 01482 567601. For enquiries outside of normal office hours please feel free to use our online form at any time of the day or night.
For more key questions for your check-list if you are looking to appoint a new software / IT services partner – please read our recent blog “The Ten ‘Legal Software’ Commandments”.