The legal sector is lagging financial services by a decade when it comes to cyber security, founder of the Security Awareness Special Interest Group Martin Smith MBE told delegates at this year’s Legal Leaders IT Forum.

Chairing a panel on managing supply chain risk, Smith declared that law firms are seen as the “soft underbelly” by other parties in the corporate world.

An explosion of technology vendors in recent years has exacerbated the problem, increasing the fragmentation of legal supply chains.  But law firms must recognise that they are also central to their clients’ supply chains and can be significant risk vectors themselves.

“Banks look after money but law firms look after a business’s most treasured possession, it’s data,” said Wil Rockall, cyber security partner at Deloitte.  “It is your reputation at risk and, from my perspective, cyber security isn’t the priority it should be in the legal sector.”

As head of information security and data protection, Sue Diver of Clarke Willmott has primary responsibility for establishing information security risk governance frameworks and policy and responding to cyber threats.  “It is my job to investigate breaches, inform the ICO if necessary and if the breach isn’t reported until a Friday, I am the one who works through the weekend to ensure reporting is made within GDPR requirements.  Understanding the risks posed by our supply chain is a real concern for me.”

Diver recalled an incident in one of her previous roles where an organisation with whom they shared data sold servers without data having first been wiped.  That data was published on the internet.  “The ICO investigated.  They crawled all over our counterpart’s practices and investigated our due diligence processes; and the results made the national papers,” she remembered.  “The Head of Information security at our counterpart’s organisation lost their job.”

Fellow panellist Daniel Pollick, CIO at DWF, also has direct experience of what can go wrong.  He was CIO at DLA Piper at the time it suffered the consequences of the NotPetya attack.  The attack vector, in that instance, was a piece of Ukrainian accounting software called MeDoc – the equivalent of Sage in that region.

“You have to ask yourself where do you draw the line when it comes to software that you allow on your network?  You can’t distrust everything.  You have to trust Word, for example,” said Pollick.  “But, at the same time, what risks do you expose yourself to every time you allow a new piece of software into your operating environment?”

Indeed, supply chain assurance remains a real challenge for law firms, which, like in other industries, are thwarted by a lack of any clear benchmark.  “Ideally what we need is a universal and independent rating system, similar to that available for food hygiene at your local restaurant,” says Diver.  “Until then, we are all going to struggle to keep on top of this issue.”

In the absence of a definitive benchmark, organisations undertake their own due diligence on suppliers, and accreditation, such as ISO 20000, has grown in importance as a mark of a law firm’s integrity as a supplier.

Nathan Hayes, IT director at Osborne Clark, believes that accreditation offers a useful starting point.  “It gives a firm focus,” he said.  “It is important to hire someone whose responsibility it is to deliver that accreditation and that provides discipline.”  But not everyone believes that the accreditation available provides much comfort in terms of the level of security it guarantees.

“There is a danger that it becomes about ticking boxes,” said Rockall. “There is a difference between security and compliance,” added Smith.  And Hayes conceded that existing accreditation does provide a great deal of flexibility in terms of defining scope of applicability.

“I would say accreditation is necessary but not sufficient,” he concluded.  “It is possible to be certified and still be insecure.”

By Amy Carroll