Vendor Security: Why Legal Ops Should Require ISO Accreditation
With the daily number of cyberattacks pushing 4,000 and at least 80 of the top 100 U.S. law firms having verified breaches since 2011, there has never been a more important time to be hyper-vigilant when it comes to technology vendors and their handling of your data.
In fact, approximately 63% of breaches are linked to third parties, according to a new Logicforce study. Bearing that in mind, it seems even more astounding that 80% of law firms in the study do not tightly control, or even closely vet, the information security policies of their chosen vendors.
Every one of the 200 law firms surveyed and assessed had been targeted for confidential client data in 2016 and 2017, with 40% completely unaware of the breach. While we cannot know when a breach will come, the days of blindly trusting a vendor to self-certify its own data security processes and protocols are behind us.
Third-party accreditations like ISO 27001 have become a must-have for any technology vendor serving legal departments and law firms. Accreditation gives the legal department assurance that the vendor has strong policies, training and active monitoring in place. Data encryption, patching, regular staff training and monitoring of access controls are all key to maintaining information security, yet they are still not universal across technology vendors.
One key thing to look for: for hosted (SaaS) software, it is not enough for the vendor to claim “ISO accredited data centers.” The vendor’s own information security processes and controls must be accredited, because a data-center certificate covers only the hosting provider’s operations, not the application, staff and access controls the vendor runs on top of it. As an example, it is no good if Amazon Web Services (AWS) is ISO accredited but the company building on its services is not. When reviewing a vendor’s certificate, check that its stated scope covers the vendor’s own service and operations rather than only the underlying infrastructure.
The same advice applies to legal departments: when contracting with vendors, third-party accreditation must be part of your vendor due-diligence checklist (and if you do not have a checklist yet, you need to develop one). There are countless examples of data breaches that might have been prevented had due diligence prevailed during the onboarding process.
Last month, a huge data leak at Verizon was blamed on lax security at one of its outside vendors, Nice Systems, based in Israel. The leak exposed millions of customer records. The implications of such a breach extend beyond corporate reputation to financial losses and regulatory violations.
Looking ahead, many now predict that ISO certification will become so commonplace that it will be regarded much like malpractice insurance: absolutely necessary.
The onus is on legal departments to insist that vendors provide assurances and meet compliance requirements during the buying process. Specific requirements and policies may need to be considered for particular kinds of data, expressly noting the controlling laws and industry standards. Any vendor that is unwilling or unable to provide sufficient detail should be removed from consideration; the risks have become too great.