Recent reports indicate that 193 law firms have suffered a data breach related to an unsecured database.
It is reported that the exposed database contained information related to the staff of legal firms and sensitive data relating to authentication on behalf of clients as well as usernames, IDs, hashed passwords, names of organisations, and details of platform administrators.
For some of the firms, potentially sensitive information like names, addresses, phone numbers, birth towns, passport numbers, NI numbers, eye colour, mother’s maiden names and father’s first names were compromised.
Information like company type, company name, contact name, contact number and company authentication code were also stored in the exposed database. Extensive details of transactions, payment terms and client agreements are believed to be a part of the database as well.
You can’t secure your data if you don’t know where it is
There are three really important questions for law firms:
- Do you have sufficient visibility of the extent to which the third party suppliers who hold your data are protected against cyber breaches?
- Do you understand what data your third party suppliers manage and the extent of the resulting risk?
- Are you ready to respond if a cyber breach affects one of your third party suppliers?
Crowe’s solution to protect your firm
Law firms commonly use multiple third party suppliers to deliver on their objectives. These suppliers can be ‘points of entry’ for information and cyber security incidents, with resulting reputational, financial and legal damage. An organisation is only as secure as its weakest supplier.
Crowe can help law firms to avoid these vulnerabilities in three ways:
- Assessing third party suppliers
Crowe helps law firms to prioritise third party suppliers and assess supplier information concerning information security and cyber security controls. Prioritising third party suppliers enables a law firm to employ proportionate, risk-based countermeasures. The prioritisation considers the extent to which a firm depends on the service provided by a supplier and the nature of the data shared with that supplier. The output of the work is the categorisation of suppliers into priority groups and a framework for assessing the adequacy of their information and cyber security measures. We make sure that you can ask suppliers the right questions.
- Data Mapping and Information Security Risk Assessment
Ensuring compliance with legal and regulatory obligations regarding information security and data protection requires that firms know which organisations are handling which data.
Crowe helps organisations to:
(a) Document the extent of the flow of information within an organisation and between an organisation and its suppliers. The output includes a graphical representation to provide an overview of information flows across an organisation’s ecosystem of connected parties.
(b) Understand the detail of the information flowing within an organisation and between an organisation and its suppliers. The output is a comprehensive and accessible description of the information flows and how the information is passed between parties.
(c) Undertake a risk assessment of each information flow and recommend improvements where necessary. The output is an assessment of the risk of each information flow, including the method of transfer, with a comparison against good practice. We help you to understand where your data is and how it is moved.
- Preparing an Incident Response Plan
Organisations should have an incident response plan to enable a quick and effective response to major incidents, including but not limited to a data breach or other cyber security attack, for example a ransomware attack on a priority supplier.
Crowe helps organisations to:
(a) Produce an incident response plan and supporting documents.
These are step-by-step technical and management guidelines for specific incident types, including workflows, the roles of key personnel and action plans. They include pre-prepared statements for release to the press, and communications that would be sent to regulators and other interested parties.
(b) Undertake walkthrough exercises to test a response team’s understanding of a plan in different scenarios.
(c) Facilitate a crisis simulation to rehearse the organisation’s response to a scenario.