Key cyber and data security questions to ask a legal IT provider

Posted by Legal Futures Associate Access Legal

Cyber attacks: Are you ready?

One of the growing priorities that law firms face when considering a legal technology provider is cyber and data security. In Access Legal’s ‘IT Clinic’ webinar, key concerns from law firms regarding legal tech providers were addressed.

The top concerns included IT provider responsibilities, cyber incident management and Cyber Essentials compliance.

Industry experts interviewed were James Hood from LCF Law and Kirsty Stridfeldt, Chris Morris and Jon Cuthbert from Access Managed Services.

Can you provide recommendations and best practices on what I should look for in my legal IT provider?

Kirsty Stridfeldt advised firms to prioritise legal cloud services aligned with their specific needs. Typically, though, you would expect IT providers to safeguard and encrypt assets and offer proactive monitoring of network security, vulnerability scanning and penetration testing. This means looking for IT providers with tier-three SOC engineers who proactively hunt for threats.

However, IT providers have limitations, requiring specialised skills for comprehensive security. You should also consider:

  • Industry expertise – is your IT provider aware of the regulations that you as a firm have to abide by?
  • Customer testimonials – a provider can have all the accreditations, but feedback from existing customers confirming that the provider delivers what it says it does is also important; and
  • 24/7 support matching your operational hours.

Strive for a balance between provider specialisation and independence, acknowledging the evolving need for robust security measures in light of recent market incidents.

What would you expect your IT provider to do to prevent the risk of a potential cyber breach?

Chris Morris addressed the misconception that providers were solely responsible for security incidents, emphasising the shared responsibility among all users. It is down to firms to understand whether their staff know they have a responsibility and whether that has been clearly communicated to them. When it comes to mitigating a cyber breach, firms should be asking themselves:

  • Have I invested in training?
  • Am I running security awareness campaigns frequently? And, are they randomised so that not everybody receives the same email?
  • What are the next steps for those who failed the training?
  • What does my user policy say if they repeatedly fail – what action do I take?

Aside from the human element, cyber hygiene is equally important. This includes measures such as:

  • Keeping devices updated;
  • Employing intrusion detection;
  • Using web security solutions (for those malicious email attacks);
  • Applying network access controls (to ensure people can only log in from certain areas; a lot of attacks are engineered from foreign countries, so you need the functionality to block certain countries); and
  • Having a disaster recovery and business continuity plan that is regularly tested.

James Hood emphasised that IT providers should not only advise on defence technology but also provide internal training and user awareness. In the event of a security breach, providers should possess the skills to collaborate with cyber insurers and analyse log files for a comprehensive response.

Overall, everyone plays a role in mitigating cyber-attacks. Striking the perfect balance involves implementing robust defence technology, educating your team and ensuring your IT provider has the industry expertise and in-house skills to effectively handle any potential attack.

What are the best practices when building a cyber-incident response strategy?

Jon Cuthbert stated that, according to the government, only 21% of businesses have a response strategy, highlighting a concerning gap in preparedness. This increases to 47% for medium-sized businesses and 64% for large enterprises – so even a significant portion of large businesses lacks a response strategy.

He outlined four key aspects of a comprehensive response strategy.

  1. Defining the purpose and scope of the plan is crucial, outlining the type of incidents, parts of the system and what data is covered. So, in different types of systems, the plan might be different. For example, if you’ve got an on-premises solution where an IT provider looks after a certain part of the solution, the plan is going to be different to one that’s in a full cloud environment, all managed by a single provider.
  2. Threat scenarios (the types of incident that may affect you). Threats can range from malicious or phishing emails to a full-blown system hack, so your response strategy needs to cover all bases.
  3. Designate key people for reporting and communication. Outline who should be taking action and who should be communicating to the customer. Also, consider the incident response process and create a step-by-step guide on how to respond to a given incident. This is where your provider can assist you.
  4. Involving your IT provider in your cyber-response strategy is crucial to ensuring a seamless partnership in the event of an attack. It ensures alignment between your internal capabilities as a law firm and the provider’s capabilities.

Confidence in the response plan is crucial. Clear processes and communication channels ensure peace of mind when addressing suspicious emails or breaches. Encourage staff to report suspicious activities, fostering a culture of vigilance.

How do I know if we have been attacked and someone is scanning or information gathering on our laptops\365 tenant\network? What tools (apart from AV and Malwarebytes) can I use to find this out?

Using AV and Malwarebytes is a good way to start, but we’d recommend leveraging the Microsoft 365 suite to correlate data from devices, applications and data feeds, said Chris Morris.

For a proactive approach, you’d expect your provider to use Security Information and Event Management (SIEM) systems. For example, we can set rules such as: if you see this, take this action; or, if you see this account log on from these countries, ask for an additional MFA (multi-factor authentication) step and/or block the account, depending on the risk profile.

To reinforce that, Jon Cuthbert said, regulators have increased expectations for law firms to proactively assess their security landscape, signalling a shift towards Managed Detection and Response (MDR) solutions. The key thing is defining what ‘normal’ looks like in your environment to identify and respond to potential threats effectively.
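The kind of rule described above, as an added example (not code from the webinar, Access Legal or any SIEM product): it learns each account's "normal" sign-in countries from history, then allows, asks for MFA or blocks depending on the account's risk profile. The account names, placeholder country codes "XA"/"XB", thresholds and function names are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sign-in history: (account, ISO country code).
# "XA" and "XB" are placeholder codes, not real countries.
HISTORY = [
    ("a.partner", "GB"), ("a.partner", "GB"), ("a.partner", "GB"),
    ("a.partner", "FR"), ("a.partner", "FR"),
    ("a.partner", "XA"),                      # one-off, must not become "normal"
    ("b.cashier", "GB"), ("b.cashier", "GB"),
]
BLOCKED_COUNTRIES = {"XB"}           # assumption: the firm never operates here
HIGH_RISK_ACCOUNTS = {"b.cashier"}   # assumption: e.g. can move client money
MIN_SEEN = 2                         # sightings needed before a country is "normal"


def build_baseline(history, min_seen=MIN_SEEN):
    """Map each account to the countries it has signed in from repeatedly."""
    counts = defaultdict(Counter)
    for user, country in history:
        counts[user][country] += 1
    return {
        user: {c for c, n in seen.items() if n >= min_seen}
        for user, seen in counts.items()
    }


def decide(user, country, baseline):
    """Return 'allow', 'mfa' or 'block' for one sign-in attempt."""
    if country in BLOCKED_COUNTRIES:
        return "block"                        # hard geo-block, no exceptions
    if country in baseline.get(user, set()):
        return "allow"                        # matches this account's normal
    # Unfamiliar location (or an account with no history yet):
    # step up to MFA, or block outright when the account is high risk.
    return "block" if user in HIGH_RISK_ACCOUNTS else "mfa"


def triage(signins, history=HISTORY):
    """Apply the rule to a batch of (account, country) sign-in attempts."""
    baseline = build_baseline(history)
    return [(u, c, decide(u, c, baseline)) for u, c in signins]


if __name__ == "__main__":
    attempts = [("a.partner", "FR"), ("a.partner", "XA"),
                ("b.cashier", "XA"), ("c.newstarter", "GB")]
    for row in triage(attempts):
        print(row)
```

The `MIN_SEEN` threshold keeps a single unusual sign-in from being absorbed into the baseline, which is why the one-off "XA" login still triggers MFA.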

Why is it important to have Cyber Essentials and achieve the standards?

James Hood highlighted how achieving Cyber Essentials reassures stakeholders, insurers, regulators, and clients that the firm prioritises cybersecurity.

Kirsty Stridfeldt echoed the sentiment, emphasising Cyber Essentials Basic as a crucial first step for firms to achieve and apply policies seriously, giving clients peace of mind that their data is secure. She also touched on the growing trend of firms moving towards Cyber Essentials Plus for a more audited approach, aligning with insurer requirements.

One of the biggest benefits for non-IT people or less tech-savvy people is that it helps you gauge your overall cybersecurity status and understand your security posture. It has the potential to uncover surprises, even for IT professionals, revealing issues that may have gone unnoticed.

Addressing these problems becomes crucial once identified; for example, there may be a device with a default password or an outdated network device that you didn’t even know about.

Key takeaways

To sum up, the key consideration when selecting a legal IT provider is to ensure alignment with your firm’s needs. Think of it as choosing a trusted ally rather than just a service provider. Typically you’d expect an IT provider to safeguard and encrypt assets and offer proactive monitoring of network security, vulnerability scanning, and penetration testing.

The expert panel stressed that cybersecurity was a shared responsibility, advising firms to invest in training, awareness campaigns and cyber hygiene to foster a culture of individual vigilance. At the same time, a collective, joined-up approach with the IT provider is just as important, especially when it comes to your cyber-response plans and ensuring they are tested regularly.

Ultimately, it’s not just about finding an IT provider; it’s about building a partnership that ensures your digital strategy is robust, responsive and ready for whatever the cyber world throws your way.
