2011 has been a busy year for hackers. In March, marketing giant Epsilon saw details of 2,500 customers on its database fall into unauthorised hands, affecting at least 19 of its client companies. Also in March, security service and product supplier RSA was the subject of a so-called Advanced Persistent Threat attack.

This was followed in May by a major online attack against high-tech defence contractor Lockheed Martin, allegedly making use of the RSA data. In the same month, a Chinese hacker gained access to hundreds of Gmail accounts, including those of senior US government officials, military personnel, Chinese political activists and journalists.

These hacks have not just affected the businesses and their direct clients. As a result of the Epsilon attack alone, customers from companies including Marks & Spencer, Capital One, JP Morgan and Citibank were put at risk, and had to be warned of the potential consequences of Epsilon’s security weaknesses. The fallout has not only damaged the reputation of Epsilon itself, but also those of some of the most respected brands in the world.

Despite a rapid increase in the volume of web-based attacks in recent years, with a 93 per cent rise between 2009 and 2010, the security of third parties is often overlooked. For this reason, many hackers are turning their attention to third parties to access personal data rather than targeting companies directly.

The recently published report by McAfee on Operation Shady RAT highlights this with several accountancy firms and other advisors being targeted for key information by the hackers. With the inexorable move towards cloud-based services, there will be an even greater reliance on supply chains for IT security. This means that law firms must ensure comprehensive security audits are carried out when outsourcing work - particularly given the vital importance of confidentiality in the work they do - and implement all necessary measures to avoid costly damage to both finances and reputation.

Insisting on a comprehensive IT security policy at the very beginning of working with the company is a good start: it should be a given that all reasonable technical safeguards have been put in place to protect the customer’s data. Unfortunately, policies are usually more an expression of intent than a measure of security effectiveness.

Our experience is that policies often fall well short of these good intentions. Policies need to be backed by evidence that security practices on the ground are effective.

Historically, such policies have been requested by procurement as part of a tender response. However, even the policies that seem the most secure do not go far enough on their own. There needs to be independent evidence that these policies have been implemented and are effective.

In many cases the issues are with companies further down the chain - such as email list providers, secure disposal providers, systems and equipment maintainers and advisors. In many cases there is little or no assessment done of these suppliers beyond a paper-based check. Standards such as ISO27001 (with certification) can help and should be insisted upon wherever possible. However, it is worth mapping out where any critical data is likely to be processed in the supply chain to get a clear view of who should be assessed and to what extent.

No matter how sophisticated the antivirus and no matter how secure the firewall, the vulnerability no company can patch is the people working within it. This means that today’s big security issue is likely to come as a result of the actions or omissions of those within the organisations in the supply chain.

Serious and determined attackers will always identify and target this weakest link, which means that, for the foreseeable future, social engineering will be one big reason we are losing the security arms race. It is well nigh impossible to get people not to open an email, or not to click on a link, if they have no concept of the potential consequences - it is embarrassingly easy for intruders to gain access by playing on people’s trust or curiosity.

We conducted an experiment a few years ago in which 42 per cent of FTSE 500 finance directors plugged in a memory stick we sent to them anonymously. I am not convinced if we ran it again that we wouldn’t get an even higher proportion.

Determined attackers are patient and creative. They will use social networks to research their targets and send a well-crafted email with custom malware to gain initial entry to a trusted third party. Then it is often simply a case of harvesting the information from the network.

Strong controls to prevent exfiltration of data at the perimeter are critical in mitigating these risks. Most companies already restrict internet usage, and, as a rule, law firms themselves are particularly cautious when it comes to maintaining confidentiality. However, this sense of rigour must be transferred to all third-party suppliers and their employees, from finance to PR, wherever a security breach could have major reputational implications – any business that has access to confidential information should be expected to adhere to the same strict protocols as the business itself.

Clients are in a strong position to push for change among their suppliers by insisting that they provide evidence of independent and regular tests and audits of their security - especially of internet facing systems and perimeter controls. First, however, they need to understand the gravity of the situation and get their own houses in order.

The lesson for law firms is that suppliers’ security must be independently checked before they are awarded the brief. Lawyers and their clients need to be sure that their data is safe with any business that is entrusted with it, and it is vital not to rely on baseless statements made in an initial pitch. The world of hacking is changing rapidly and dramatically – and almost any organisation could be the next target.

Paul Vlissidis is technical director at NGS Secure