Cyber security is a huge deal these days, and for good reason. Over 6.5 million records are lost or stolen every day.
When people think about the root of attacks, they tend to think that it’s due to a mistake on their end. But this isn’t always the case. Many breaches are due to the oversight of a partner with access to data.
Here are the third-party vendor security risks your law firm should be aware of and steps you can take to secure your data.
The Majority of Breaches Now Involve Third Parties
Opus and the Ponemon Institute found that 61 percent of US companies suffered a data breach that was caused by one of their vendors or third parties in 2018. That figure increased five percent from 2017 and 12 percent from 2016.
This means more than six out of every 10 data breaches will involve an external company and aren’t due to the direct mistake of the company itself. That’s a sobering fact that proves how important it is to keep tabs on who has access to your data.
So what can you do about it?
Create a Third-Party Assessment Program
“A third-party assessment is an independent evaluation of a business entity or professional practice conducted by an experienced ethics and compliance professional,” explains Vincent L. Dicianni, Esq. “Its purpose is to provide an unbiased evaluation of company operations, assess its ethics and compliance policies and anti-corruption controls, and its overall ethical culture.”
This is pound for pound one of the best ways to ensure partners and vendors are following best practices and not putting your law firm’s data at unnecessary risk. Here are some elements a third-party assessment program should include.
- What data does the vendor have access to?
- Which specific individuals within the company have access to the data?
- What will they do with the data?
- Where is it stored?
- How long will they keep it?
- Do they partner with any subcontractors (fourth-parties) who may access the data?
- Has the vendor had any data security incidents in the past?
The answers to these questions should give you a pretty good idea of how trustworthy a particular vendor is. If anything seems questionable, you’ll either want to come to an agreement where the vendor changes their methods or seek out a new vendor instead.
It’s also smart to come up with some concrete data-sharing agreements. For instance, you may have a vendor agree that only certain individuals within their company will have access to your data, or that they’re not allowed to share it with any subcontractors.
This is a simple way to ensure that you’re on the same page right from the start. For a free template, check out this resource from Contract Standards.
A data breach doesn’t have to happen directly to your law firm for you to be affected. An oversight by anyone with access to your data can create big problems. Understanding third-party vendor security risks and taking proactive measures should help protect your data and keep it out of the wrong hands.