P2P

L aw firms face unique challenges when it comes to security. Not only must they safeguard their own internal data, but they must also ensure that confidential client documents are stored securely. The risks and responsibilities regarding data management are substantial, and the penalties imposed for errors are stiff. While software solutions are essential to a firm's daily operations, technology and tech vendors can pose significant security risks. Ensuring the security of a firm's software supply chain is, therefore, a critical objective. In the 2020 SolarWinds hack, attackers compromised the technology company by inserting malicious code into their security monitoring platform. A "back door" was inserted into SolarWinds' popular monitoring suite allowing attackers to infiltrate thousands of networks in the public and private sectors, negatively impacting their customers. The SolarWinds breach serves as a cautionary tale, demonstrating that all organizations— including law firms— must be vigilant when securing their on-premise technology and software-as-a-service (SaaS) supply chain. Security for the entire legal software supply chain is more vital than ever. Firms now frequently perform IT and business functions remotely, and more firms use cloud- based solutions due to the ongoing pandemic. Because many firms have plans to move to the cloud and migrate from on- premise products to SaaS solutions in the future, they will soon have broader security considerations. A law firm's software supply chain includes all locally installed desktop and server computer software and cloud/ SaaS technology delivered over the internet. It also has an often-overlooked layer: the vendors used by the technology suppliers, who must be evaluated for risk and compliance assurance. The Cyber Supply Chain Risk Management Practices for Systems and Organizations, a publication from the US government entity NIST (National Institute of Standards and Technology), provides a strong foundation for law firms evaluating their supply chain security practices. As an additional step for law firm CIOs and IT Directors tasked with securing their legal software supply chains, the following checklist serves as a guide of best practices recommendations. The IT Checklist for Securing a Law Firm's Software Supply Chain 1. Identify and Inventory First, identify the scope of the firm's software supply chain. Take an inventory of all the software the firm is using to understand the total software footprint. Firms must have a comprehensive understanding of all devices and software they rely on for their business operations. Law firm IT staff will likely be surprised by the average number of vulnerabilities detected per device, which can total well into the thousands even after addressing the most critical vulnerabilities. Every laptop, desktop, tablet, and smartphone contains applications that must be inventoried to understand the scope of the problem. Firms may be unpleasantly surprised to find that users have downloaded, trialed, and purchased products without IT's knowledge or authorization. Making a comprehensive inventory requires IT to turn over many rocks to discover what lies beneath. Once drafted, the inventory list can be overwhelming. Because security concerns will differ, consider dividing the list into categories, perhaps separating by practice area, office location, and on-premise desktop software versus SaaS systems. Also, note which package and version numbers are used for each software product and update them when applying patches and upgrades. Create a monthly or quarterly schedule to update the inventory since it will continuously evolve. 23 I L T A N E T . O R G

• Cover