6 important questions law firms should ask their prospective suppliers of new software – Legal Futures

Access LegalBy Legal Futures Associate Access Legal

When bringing on board new practice management software partners, or any new technology partners, there are many cyber security-related questions we’d highly recommend law firms should ask.

You cannot delve too deeply into a new suppliers’ cyber security credentials. As we keep reiterating throughout this blog, these measures probably apply to law firms more than most other business, purely because of the highly sensitive nature of the information they hold on behalf of clients.

This, coupled with high levels of cybercrime affecting the profession today, probably makes information security one of the most important aspects of any law firm check-list when signing up with a new IT / software partner.

The top 6 security questions we believe a law firm should ask of any prospective software or IT services provider are:

  1. How secure is their data centre for SaaS?

    For firms going with a cloud solution can your supplier prove they operate their SaaS solution (i.e. for cloud hosting) within an ISO 27001 certified datacentre?  ISO 27001 is the international standard that stipulates best practice for an information security management system.

  2. How seriously does the prospective supplier take information security?

    Can your supplier prove THEY themselves are also ISO 27001 certified? Certification to ISO 27001 demonstrates that an organisation is following robust information security best practices. Some suppliers say they have ISO 27001 certification when in fact it is only specifically their third-party data centre that has it. For belt and braces information security management your supplier themselves should have it too.

  3. Ask for a penetration test report

    Can your supplier present a recent penetration test report? Penetration testing (often referred to as pen testing) is the practice of testing a computer system, network or web application in order to find any vulnerabilities that could be exploited by a cybercriminal.

  4. Can you see an audit trail?

    Do you have access to an audit trail within your practice management software? i.e. are you able to see if users are accessing areas they shouldn’t?

  5. Ask about security patching

    Can your supplier demonstrate a robust security patching process within their SaaS infrastructure? i.e. for keeping up-to-date with Microsoft database security standards?

  6. Ask about cyber essentials accreditation

    Can your supplier prove they are Cyber Essentials accredited? Cyber Essentials is a government-backed cyber security certification scheme that sets out a good baseline of cyber security for organisations. The scheme is designed to prevent cyber-attacks.

More Cyber Security Resources from Access Legal