Six Key Questions to Ask Outside Counsel About Their Cybersecurity Posture
When you think of your outside counsel, you may think about their legal advice and the value it brings to your firm, but you may not be thinking about the large amount of sensitive data these firms hold and how that makes them an attractive target for hackers and others. When assessing third-party vendors, many organizations exempt outside counsel from traditional due diligence processes. This practice should change, as outside counsel faces the same challenges as other third-party vendors. In fact, 72% of law firms have not conducted a full cybersecurity assessment, leaving themselves open to and unaware of significant risks.
Data breaches come with investigations, public relations inquiries and fines. Fortunately, there are ways to work with your outside counsel (and other vendors with access to sensitive data) to minimize the likelihood of such a nightmare scenario. Improving the cybersecurity posture of your outside counsel will require you to clearly communicate what you need them to do and why you need them to do it. This conversation should be honest and founded in a clear understanding of the shared mission to jointly secure the sensitive data you are entrusting them with.
If you are managing many different outside counsel and other legal service vendors, you will quickly discover that while organizations vary in their level of cybersecurity maturity, there are many common stumbling blocks. The CyberClarity360 team has been working with corporate legal departments and legal operations professionals from the largest companies in the world to help them identify, manage and ultimately remediate many cybersecurity risks presented by outside counsel relationships. We have completed cybersecurity assessments on hundreds and hundreds of law firms, including the majority of the AmLaw Top 200. In doing this analysis, we identified the following as common challenges or recurring remediation activities:
- Adequate policies
- Accountable leadership
- Risk assessments
- Hardware and software inventory
- User authentication
- Data encryption
Each of these categories has a role to play in securing sensitive data and systems. As you discuss improving the cybersecurity of your firm, it is important to highlight how critical it is to address potential security gaps, how outside counsel is not alone in facing these concerns and what your expectation is for improvement. Below, you will find a quick primer for how to begin a conversation on these potentially sensitive areas with your outside counsel. Each conversation will open with a question, provide you some helpful context and give you some direct approaches to utilize.
Do they have… adequate policies?
An information security policy is the heart of any good security program. This policy helps guide the organization and ensure consistency. The lack of such a policy significantly increases the likelihood of poor security practices and in many ways effectively weakens any security controls that may be in place because it makes it nearly impossible to consistently apply those controls. A simple analogy would be a car built without any designs. It may look like a car throughout the process, but the minute an issue arises, it will be nearly impossible to figure out what went wrong and respond.
- How broad is this issue? In our practice, we have seen up to 80% of firms maintain a formal information security policy. Unfortunately, many of these policies are limited in scope and have not evolved to face changing security concerns. For example, over 50% of assessed firms have nothing in place for more specific cybersecurity and governance areas, such as a policy for third parties or other suppliers.
- How do you talk about this? Having a policy, as stated before, is critical. When a legal vendor lacks this, it is worth putting serious thought into the data you share with them. Make it clear that a policy is a requirement and then direct them to resources such as the SANS Institute as a starting point.
Do they have… accountable leadership?
Identifying an accountable individual allows an organization to successfully anchor an information security program and increases the likelihood that key activities will occur. The lack of a single point of accountability opens the organization to the challenge of a responsibility becoming everyone’s, which in practice means that it is no one’s.
- How broad is this issue? We’ve identified that 58% of organizations do not have a dedicated full-time Chief Information Security Officer (CISO). Of those, 4% admitted that no one in leadership is focused on cyber risk. In the broader economy, this is not an uncommon posture—many small to medium businesses also lack someone focused specifically on cyber risk. Recent regulations, however, have emphasized the value of this role, including the New York State Department of Financial Services Cyber Security regulations, which require regulated entities to have someone in this role.
- How do you talk about this? Regardless of the size of the firm, there must be someone taking the lead on cybersecurity matters who is ultimately responsible for the overall cybersecurity program. If the firm is lacking this, challenge the attorney you primarily deal with to take on the responsibility for 60 days and to report back on the state of their information security program. In most cases, at the end of the 60 days, they will report that they have designated someone with more technical skills as the lead person and are aggressively looking for a CISO to take a permanent leadership role. Much like human resources, engineering or even counsel, you need a specialist who knows what needs to be done and who has a seat at the executive table to ensure that it gets done.
Have they done… a risk assessment?
A risk assessment considers the likely threats to an organization, the vulnerabilities the organization may have and the impact if those vulnerabilities were to be exploited by those threats, balanced by any controls an organization may have in place to mitigate or transfer that risk. This thought process should drive every information security program to address risk in as prioritized and prudent a manner as possible.
- How broad is this issue? Risk assessments support policies and leadership; they guide leadership in validating if the policy in place makes sense and if the controls they have are enough. Unfortunately, many firms struggle to formally implement risk assessments. In our work with law firms, only 62% have established a risk management process that is signed off by senior leadership.(1) A formal risk management process allows for continual improvement and reduces the likelihood of error. When it is informal, ad-hoc or (as is the case in 5% of firms) missing, less visible but still significant risks may be missed.
- How do you talk about this? Ask questions about your counsel’s risk management process. How often do they review risks? What processes do they have to prioritize new information such as vulnerability scan data? Are they consuming intelligence about threats from external sources? Risk assessments may be periodic, but they are not static. If the last time they did a risk assessment was more than one year ago, encourage them to consider doing another, and if they have not built a formal process, encourage them to develop their next assessment into a formal process. You may also be able to leverage your own internal enterprise security resources to assist in this conversation, as they can share some lessons learned from their own risk assessment process and pass along good sources of external threat information. Cybersecurity is one of the few business areas where sharing aspects of threat data is not only allowed but encouraged as a benefit to all involved.
Do they have… hardware and software inventories?
Fundamentally, if you do not know what you have, how can you protect it? The number of devices on each network and the software each device uses has grown exponentially in the last two decades. This information could change on a minute-by-minute basis as equipment is turned on, software programs change and users download new apps. The recent increase in the number of law firm mergers and acquisitions only muddies this further. This change in the legal sector opens new risks as devices and software could be overlooked or forgotten in the merger process but remain connected to the broader network.
- How broad is this problem? Most major security best practices recommend performing an inventory as either the first or second step in building a formal information security program. It is also often one of the most difficult steps, as it may require special tools, dedicated staff and it may open new problems as systems are “discovered” that will divert resources away from other priorities. It is no surprise that over 50% of firms that we have assessed either do not do inventory assessments, do them sometimes or do them manually (which is less effective than using an automated tool). Similarly, only half of firms have any automated tools in place to track software.
- How do you talk about this? Not knowing where their data was being stored played a role in a data breach impacting 440 million records tied to one data company in 2018. They had no idea that one of their databases was on the web and available to anyone who could find it, putting many at risk and earning bad publicity for a fast-growing start-up. While the process of performing an inventory may be challenging, you need to ensure that your outside counsel is taking steps to improve their knowledge of their own networks. If you feel they are not trying to improve, you should consider taking steps to limit their access to your data or restrict them to portals and domains that you control. While this may inconvenience your outside counsel, it will impress upon them how important this step really is.
Do they have… user authentication?
Cybersecurity, it has been said, is the art of validating if computer A should be talking to computer B, and access control is a key part of that process. Access controls extend beyond the systems themselves, however, and must extend to users, sensitive data, servers, mobile devices and other areas of an organization’s extended network. How they allow or restrict access, including how it is granted and revoked, should be a well-thought-out process with adequate controls in place relative to the impact of inappropriate access. It is especially important that firms implement controls beyond just a password, or single factor, for any account that may have access to sensitive data or remote access.
- How broad is this problem? Studies show that over 80% of all data breaches are related to either weak (non-complex) or stolen passwords. Attackers can easily crack (or guess) passwords, especially if they are simple passwords like “password,” “abc123,” or “!23456,” all of which have been identified on millions of accounts. A simple password is often not enough, and even a strong password can be cracked by a motivated attacker. To combat that issue, firms should put in place “multi-factor” solutions, which often require sending a message to the user’s smartphone, or the use of a token or some other method that makes it far more challenging for attackers to compromise. Unfortunately, less than 50% of firms we have assessed have implemented multi-factor solutions for all accounts. Even more concerning is that 35% of firms overall have no multi-factor solution in place at all!
- How do you talk about this? Like inventory, robust, risk-based authentication practices are something that your outside counsel needs to see as important. Multi-factor solutions are easy to implement for sensitive accounts and can be rolled out across most networks for all accounts in a matter of days. The challenge of implementing it is often one of inconvenience more than technology, or even cost—the price for these types of solutions has steadily dropped since their launch several years ago. Multi-factor is so important to security that the FBI, U.S. Department of Homeland Security and other federal agencies recommend it for securing sensitive data and resources. Share with your outside counsel any concerns about their authentication practices and highlight how the broader industry is moving towards requiring this important authentication step. If they still resist, you may be forced to limit their access to data or restrict their access to portals or locations you control, where you can require multi-factor authentication.
Do they have… data encryption?
Encryption is the process of taking data and making it unreadable without the proper “key,” often a password, so that it would be rendered useless if it were to fall into the wrong hands. When done properly, encryption can potentially mean that data accessed inappropriately may not be considered a data breach. Encryption can delay unauthorized access to data in some cases and may require planning regarding how data is managed when “at-rest” (such as on servers and devices) and “in-transit” (such as when emailed or moved in the network).
- How broad is this problem? Encryption has been around since the dawn of computers, so its usage is fairly widespread. However, as the number of devices and places that hold data increases, commensurate efforts to appropriately encrypt sensitive data have not kept pace. While we have been heartened to see that 71% of the firms we have worked with encrypt all portable IT assets (such as laptops and thumb drives), that still leaves 29% that have failed to encrypt some or all of their portable assets. These types of devices are prone to get lost or stolen and, if they are not encrypted, they could unintentionally expose sensitive data or result in a breach.
- How do you talk about it? Encryption is your last line of defense. If the attacker can find a forgotten device and gain access, encryption is your only hope of avoiding a data breach. If your outside counsel and other third parties do not have an encryption policy or do not practice it consistently, you should let them know that this will seriously impact the data you share with them. As information from a secure portal can be easily copied to an unsecured thumb drive, it is imperative that they have an encryption policy that includes all portable IT assets before sharing any data.
Your outside counsels are supposed to be your outside strengths in confronting complex legal and policy challenges. Cybersecurity is one of those challenges, but your outside counsels could be a hidden weakness unless you fully understand their security posture. Talking about this issue can be challenging, but by sharing how broad the challenge is, your legal vendors will not feel singled out when discussing your expectations for improvement. Everyone has room for improvement on cybersecurity, and as our work with leading law firms has shown, this industry is no different. It is in communicating expectations, sharing the real-world consequences of not meeting those expectations and recognizing the positive steps to good cybersecurity, that we can collectively move forward and continue to be good stewards of sensitive data. For additional guidance and consideration, see the Legal Vendor Cyber Risk Management Guide.
(1) Based on internal data gathered with permission from CyberClarity360 users