Comment 8: Of Weak Links and Due Diligence
For probably about as long as people have moved from one place to another it has been necessary to transport goods. Trade routes were important to the growth of settlements which, in turn, led to the growth of civilizations. A saying attributed to many generals is that ‘an army marches on its stomach,’ which isn’t true because they are probably using their feet. What these generals were alluding to was the importance of supply lines during military operations: both in maintaining their own as well as disrupting their enemy’s. Manufacturing and trade have become increasingly complex, and that complexity has led to the creation of a highly complex global supply chain. What does this have to do with anything? It’s the importance of interconnection.
Your practice digitally interconnects with other businesses multiple times per day. These connections are rarely direct; they often involve Internet Service Providers (ISPs), various web applications (e.g. Outlook, Google Docs), Software as a Service (SaaS) providers, and Managed Service Providers (MSPs). Each of these interconnections increases your attack surface. The attack surface can be thought of as all the various ways that a criminal can attack you based on how you do your work. You can think of it as weak links in a chain, or as the way that the more you drive, the more likely you are to get into an accident.
Cyber criminals prefer to attack weak links for two reasons:
- Indirect attacks can make it more difficult to attribute the crime.
- Successful attacks against organizations like SaaS providers and MSPs can yield huge amounts of data and credentials for multiple businesses at once.
This can make your business life that much more complicated. Not only do you have to protect your own devices, but you also need to worry about whether all the businesses and services that help you work are as diligent. But what can you do about somebody else’s business?
- Make a list of the various providers you use for your business. This inventory should include things like your email provider, any cloud services (e.g. document handling), and MSPs like IT support.
- See if these businesses have a history of cyberattacks. This can be done by searching the internet, checking government websites (e.g. FBI, CISA) or, for publicly traded companies, seeing whether they have filed an 8-K with the SEC.
- Try reaching out to the businesses you work with. Some, like Google and Microsoft, may be difficult to reach, but others like MSPs should be receptive to communications. Ask them questions about their security policies and what they do to protect your business. It’s unlikely that they’ll tell you everything, but they should be able to address your questions and concerns competently.
- If you feel the risk of continuing any relationships with the companies you spoke with is too great, you should seek out alternative service providers.
This may all seem a little daunting, but being proactive in protecting your business is priceless for both yourself and your clients.
—
The ABA Rules of Professional Conduct, Model Rule 1.1 Comment 8 requires, “To maintain the requisite knowledge and skill, a lawyer shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” To that end, we have developed this regular series to develop the competence and skills necessary to responsibly choose and use the best technologies for your educational and professional lives. If you have any questions, concerns, or topics you would like to see discussed, please reach out to e.koltonski@csuohio.edu.