Do The Work

Third-Party Law Practice Management Applications Could Increase Your Risk of A Breach

Your security is only as strong as your weakest link. Due diligence could protect you from a security breach.

If you’re working with or are considering a law practice management software provider that uses multiple third-party applications, you’d better pay attention to what caused the Target breach in November 2013.

In summary, an employee at one of Target’s HVAC vendors – a minor player in the scope of Target’s operations – opened a phishing email. Because this vendor apparently only had a free version of anti-malware software¹, the email was able to release malware that allowed hackers access to Target’s customer data. Two months later, the personal and financial information of 110 million Target credit card customers was in their hands.²

This scenario isn’t as unusual as you may think, says Tera Vitale, Director of Vendor Strategy for Thomson Reuters.

“It’s safe to say that 50 to 60% of breaches have a third-party element,” she points out. “This may be because it’s too easy to overlook the security of organizations that you only work with occasionally.”

It’s why an important part of Vitale’s job is to analyze the security of any vendor that touches Thomson Reuters.

“But I’m not a huge corporation!” you may argue. Neither was the regional HVAC company, but they did have what hackers wanted – access to one.

“Even though you don’t have millions of customers, you do have highly confidential information that any hacker would value – whether that’s social security numbers or the details of a merger,” notes Vitale.

If you want to keep this information confidential (and your professional reputation untarnished), it is of the utmost importance that you carefully vet the security of:

  • Your law practice management vendor
  • Any third-party applications that they share your data with
  • Any vendors that the third-party application uses to serve you

This is more important than ever. Because law firms haven’t traditionally been diligent about security, they’ve become prime hacking targets, notes Andrew Burns, Associate Information Security Architect for Thomson Reuters. Proving his point is a 2016 report by Logicforce, an IT consulting company. They compiled findings from a survey of more than 200 law firms, anonymous system-monitoring data, and results from their on-site assessments. These revealed:

  • Small firms have the same risk of being hacked as large firms.
  • 40% of firms were breached without knowing it in 2016.
  • An average of 10,000 intrusions happen daily.

“Your security is only as strong as your weakest link. Even if the smallest link, in an otherwise strong chain, is exposed, you’re at risk,” warns Burns. “Of course, the more links in your chain, the greater your risk for exposure.”

He offers two options to mitigate your risk:

  1. Know every single vendor that could have access to your data. Once that’s clear, make sure each and every one has:
     • Third-party security certifications from reputable organizations such as a big-four accounting firm.
     • Passed the test of third-party vendors, like Veracode, that attempt to hack their systems.
  2. Reduce your security chain to only two links – just you and a practice management vendor that:
     • Provides the features you need (and continually expands and updates them) without depending on third-party applications.
     • Has the same third-party security certifications as the world’s leading financial institutions.
     • Encrypts all data in transit and storage.
     • Stores your data on servers with 24/7 multizoned, multilevel controls and monitors supported by industry-leading certifications.

References:

[1] Krebs, Brian. “Email Attack on Vendor Set Up Breach at Target.” Krebs On Security, February, 2014.
[2] Kassner, Michael. “Anatomy of the Target Data Breach.” ZDNet, Feb. 22, 2015.


***

Amy Larson is a Director in Small Law Firm Customer Marketing and Firm Central at Thomson Reuters. She has over 17 years of experience in technology marketing with extensive focus on learning how technology can meet the needs of attorneys. Amy has been involved in numerous product launches throughout her tenure, public relations efforts, interviewing customers and telling their stories, and often writes and distributes information on legal practice management.
