In the press: Should law firms be worried about scam emails?

The rise in targeted email attacks on businesses worldwide continues to dominate the news headlines. Attacks like these are dangerous by their very nature. Not only are they increasing in frequency, but they are also becoming smarter by the day.

At the moment, we’re seeing a rise in activity related to the Business Email Compromise (BEC) scam. This is where a cybercriminal tricks an employee into believing that they need to make a bank transfer to a known external entity, but the employee ends up sending these funds to a criminal instead.

Targeted spoofing is one of the biggest risks that firms currently face. This is not the age-old problem of SPAM emails, but something much more threatening. SPAM email involves a single email, branded as a well-known company such as a bank, sent to millions of addresses.

This ‘hit and hope’ exercise depends on a number of factors in order to be successful. The recipient must actually be a customer of that bank; the SPAM or anti-virus systems must fail to identify the email as a risk; and the recipient must fail to recognise it as a dangerous email. As a result, the sender may not even get one bite from sending out hundreds of thousands of these emails.

Targeted email attacks are much more sophisticated – and now involve much more than just email; they merge emails, calls and sometimes physical visits to a target firm’s office – this is truly hacking for the masses. A number of hacking tools are now available for anyone to download, along with all the information they need to manipulate employees into performing actions or divulging confidential information – a key hacking term known as ‘social engineering’.

The truth is that the security systems that are needed to protect the majority of firms from the majority of hacks are probably already in place.

What does this mean for the legal sector?

Read the article in full in Lawyer Issue

5 extra benefits of document solutions for law firms

For the majority of law firms, documents are a critical part of day-to-day business. Hundreds of pages are scanned, copied, faxed and printed every single day. However, this doesn’t mean that document management has to be time-consuming, frustrating and expensive.

In our original blog post, we shared five benefits of managed document solutions with you, but the positives don’t stop there. With the right provider, print and document solutions can have a positive impact on all members of your firm – from Managing Partners through to administrative support staff and your IT team.

Extra benefits of managed document solutions

1. Complete Vision

With detailed reporting, you can view statistics such as who prints most often, the average size of print jobs, the number of grayscale and colour pages, and the type of print jobs. Reports can break down statistics by individual, department or office. Use this data to set effective workflow rules, such as restricting access based on cost, colour mode or size, or to set optimised print budgets for each department. Determine which devices are over or underutilised, whether cost-saving features are being used and which department should be paying the bills.

2. Make employees more efficient

Printing, scanning and copying can sometimes be a frustrating and time-consuming task – but it really doesn’t have to be. Managed document solutions simplify document handling procedures, so employees can complete once lengthy procedures in a few clicks. Devices can also be configured so employees can print from anywhere, from any device, so they can make the best use of their time.

3. Maximise billable hours

When your time is billable you can’t afford to waste a minute. Improved workflows, increased search capabilities and straightforward device interfaces help you make the most of your time, ensuring it’s not wasted carrying out lengthy tasks. Managed print also makes cost recovery and billing easier. Solutions allow staff to easily assign costs for each job to a cost centre or matter code.

4. Consolidate hardware

An in-depth, personalised analysis of your current systems, by an experienced print and process analyst, will allow you to establish a practical ratio of device per number of employees, for typical floor action. You can reduce the total amount of hardware by finding more efficient options to meet the needs of groups of employees. For example, multifunction devices (MFD) allow printing, copying, scanning and faxing within one machine, combined with a standardised set-up.

Smart load-balancing will ensure that your devices have as long a life as possible. While traditional printer pooling simply sends the document to the first machine available and prints automatically, an intelligent solution will send the document to the server. The user can then release the document at any printer with their login details. If the user realises they actually need to print in colour, they simply need to sign out and sign back in to the correct device. The document will still be waiting in the queue ready to print.

5. Reduce waste

Think you’re being prepared by bulk-ordering toner, paper and ink? Think again. You will end up with stacks of resources gathering dust and taking up space in the cupboard. Your toner has a use-by date, so your stock could go out of date before you even need it. Some managed solutions have an “auto-order” capability which will place an order for you when stocks start to run low. Others will also have a “phone home” capability which can notify an engineer when a device is in need of maintenance.

9 ways law firms can reduce printing costs with MDS

Do you know how much your firm spends on printing? It’s okay, most firms don’t. Even if they think they do, it’s pretty much guaranteed that their actual spend is a lot higher. After all, there are a lot of hidden costs when it comes to print, which many people don’t consider.

Luckily it’s easy to transform this environment and straightforward to get started. MDS – or Managed Document Solutions – can help to not only reduce your print budget but help you to better understand and allocate it. Along the way you’ll also be improving processes for employees, increasing efficiency and helping your firm to become more productive.

1. Reduce the number of devices

Personal printers may seem like the cheaper option but they’re probably costing you a fortune in ink. Even worse, you have no way to track who’s spending what. Reduce the number of devices by migrating users over to larger multi-function devices (MFDs), which allow printing, scanning, copying and faxing within one machine and are also durable enough to meet the needs of several users. Less equipment means fewer costs and fewer problems.

2. Create a digital environment

How many boxes of documents do you keep in your offices? What about in your offsite storage? For some firms, it’s going to be in the thousands per year. Offsite storage is an overhead which is ever increasing, plus then you have to add on the transportation costs of sending employees back and forth to collect necessary documents and the time they lose doing that. Rules-based scanning and routeing make it easy to transform your paper documents into digital ones – increasing security and search capabilities while reducing ongoing storage costs. Clients, other law firms and even courts are now accepting digital files in place of hard copies – for some a digital copy is now expected as the norm.

3. Think before you print

How many times do you print a document just to proofread it and shred it? How many times do you print an article just to read it and bin it? How often do you print a file in colour, only to realise you need it in black and white? These seem like insignificant costs individually, but if everyone follows these practices then the costs soon mount up. Detailed reports and analysis will allow you to see exactly who’s been printing what. You can break these reports down by office, department or individual to see who should be footing the bill. Some solutions can also be configured to display popup notifications when employees try to print certain documents to remind them: “do you really need to print this document?”

4. Stop printing twice

It’s a common occurrence: you finalise a document, press print and then spot a spelling mistake on the first page. There’s no way you can hand this off to a client now, but never mind because you can just print it again. Usually, when you hit print, the document is sent and printed automatically at the device linked to your computer. With a “follow-me” solution, documents are held in a virtual printer queue and are only released when a user signs in to the device and hits print. If you realise you’ve made a mistake, simply sign in and delete the document. You can also configure your device to automatically delete documents in the queue after a set time period.

5. Track the paper trail

Somewhere in your office is an employee who feels the need to print everything. You don’t know why and, more importantly, you don’t know who they are (so you can’t track them down and stop them). How much is this wasteful printing practice costing your firm? When people are aware of how much their printing costs, then the amount they print usually declines. Start tracking and analysing how much each individual is spending on printing, and share these reports with individuals.

6. Prevent colour printing

Colour is sometimes necessary but it doesn’t need to be a part of everything you print. You can’t rely on users to check that grayscale box every time they print, but you can rely on colour printing rules. Deny colour printing from certain applications, like email, automatically route jobs to a lower-cost colour printer, or prevent certain employees from printing in colour altogether.

7. Convenient Printing

MFDs can be just as convenient for users as personal printers. Centralised software means that users can print from any device on the network, as their files and documents are stored on a server and are only released once they sign in at a device. Yet the device isn’t the only thing standing in the way of convenient printing; workflows are too. Custom-designed workflows will allow employees to complete their most laborious or recurrent processes in a matter of clicks, improving their day-to-day activities and reducing printer-related frustration.

8. Reduce calls to the help desk

The centralised software allows for easy maintenance by letting administrators see what is happening on every device on the network, without the need for site visits. You can remotely schedule your devices to undergo maintenance, all at the same time, and ensure that each one is running the latest software version, helping decrease costly downtime. The virtual printer queue also ensures that if one device is down and unusable, employees can simply sign in at another and print from there.

9. Recover printing costs

Do you charge your clients for printing costs? So many of the old Managed Print outfits sell ‘cost recovery’ solutions and also claim firms can profit from print. Honestly, there are not many clients who will swallow this and it will generally reflect negatively on your firm. You can, however, use the technologies for understanding where you are printing, i.e. against particular matters and clients. This is useful and can potentially aid you to address costing and identify workflow and process changes to protect your margins. You should be looking to reduce print, not profit from it.

5 ways law firms can benefit from document solutions

When law firms think about how they can optimise their IT environment, it’s doubtful they consider the impact printing has on their business. After all, it’s a basic, everyday task and it can be difficult to see how changing it will benefit the firm in any way.

Yet in a document-intensive business like law, print is a likely area where you’re burning through your crucial resources of time, money and manpower. So how can using document solutions help prevent this, and what benefits does it bring?

5 ways document solutions can benefit your law firm

1. Lower IT spend

How often do you print something just to proof-read it and throw it away? What about printing a document in colour, only to realise you really needed it in black and white and having to print again? These may seem like small costs individually, but if everyone in the firm is doing this on a daily basis then it soon mounts up. Even if you think you know your costs, your actual spend is likely to be more. MPS providers will be able to identify several areas your firm will be able to optimise the budget, from eliminating unnecessary hardware to ongoing monitoring of the print environment and making more efficient use of resources. Centralised, web-based administration software provides you with a comprehensive view of your entire print fleet and surrounding processes, removing the need for time-consuming site visits to configure each device. You can remotely schedule maintenance and update software versions for all devices whenever you need to.

2. Greater document and data security

Documents left lying about on the printer represent huge potential for a data leak. Just imagine if they contained highly sensitive client data and were picked up by the wrong person. Solutions like “Follow-Me” printing will prevent this. Instead of documents printing automatically, users will have to sign in to the device to release their documents. Users won’t be able to access the print queue of anyone else. Also, as only one individual can log into one machine at a time, it prevents print jobs from overlapping and document mix-ups. These solutions are simple to implement and can utilise existing methods of building security. If employees already use a fob for building access, this can be configured as their printer access key. Additionally, the centralised software allows approved system administrators to view previously printed material in the printer log to check who’s been printing what.

3. Improved workflows

There are a vast number of solutions which can make printing, scanning, copying and faxing quicker and easier. The right provider will learn end-user trends to help you develop workflows and rules that really meet their needs. This will help them to complete day-to-day tasks in a simpler way. With rule-based systems you can automatically send documents to be stored in the right place, providing quick and user-friendly access. Printing rules can be configured based on document size, type or volume. Larger jobs, like court bundles, can automatically be sent to the most cost-effective machine. Automate time-consuming recurrent processes to free up your employees’ time and prevent annoying mistakes.

4. A manageable environment

A new firm-wide, software solution roll-out doesn’t have to cause frustration and ongoing problems for your employees. If handled correctly, the impact of installation on day-to-day management should be insignificant. Having a consistent, user-friendly interface across all devices not only reduces training time but means it will be unlikely that you will need to retrain employees if you bring in a new device or upgrade a current model. It also increases the end-user adoption rate as they don’t have to set aside time to understand a new system, improving the overall cohesion of the office.

5. Reduced storage costs

The majority of law firms will not only have documents in-house but will also have offsite storage as well. Imagine how much time employees waste searching through boxes of files for that one important memo. Then add on the cost of transporting that employee back and forth between your offsite storage facility and the office. It’s not going to be a one-off occurrence, and time and money soon add up. Rules-based routeing and scanning allow you to easily convert your paper documents into digital files. This increases search capabilities, saves time, improves security and greatly reduces ongoing storage costs. With an intelligent managed solution you can scan bundles direct to court, reducing costly transportation of paper files.

At the end of the day, these are just a fraction of the benefits document solutions can deliver. An optimised solution, from the right provider, will bring true operational enhancement and positively impact your bottom line.

The benefits of flexible working for law firms

Flexible working is slowly becoming more common in the legal sector, with numerous firms announcing plans to implement the practice in the last few months or, at the very least, exploring the idea.

This increase is a response to numerous issues affecting law firms, whether it’s improving work/life balance for employees, the challenge of having global teams in different time zones, or in response to escalating rental costs – a particular concern for London-based firms, many of whom are starting to move out of the city.

We are also seeing a good number of start-up and boutique firms using quite advanced technologies to work from home or hot desk, giving them much better profit margins than their larger competitors. There’s no real reason why firms cannot increase the availability of flexible working.

The Benefits of Flexible Working

Flexible working can take many forms – part-time working, term-time working, home-working, compressed work, flexitime or hot-desking are all possibilities to explore. The practice can bring many benefits to a firm, including:

1. The ability to hold on to valuable staff

For example, those who need to work part-time in order to balance work and family life.

2. Reduced levels of sick leave

Employees will feel less run down due to a better work/life balance. Alternatively, they will no longer have to take sick leave in order to meet other personal commitments.

3. Increased employee morale, engagement and commitment to the firm

Staff will feel taken care of and have the flexibility to meet personal obligations and life responsibilities.

4. Improved productivity

Staff can work when they feel they can accomplish most and feel freshest – depending on the flexible work schedule adopted.

5. Greater talent pool to recruit from

It develops an image as an employer of choice, e.g. family-friendly, modern etc. Many workers these days, particularly graduates, have higher expectations and view flexible working as the norm.

6. Faster response time

Business decisions today can be made or lost in a matter of minutes. Having employees who can work from anywhere, at any time, means firms can be more responsive.

7. Reduced overheads

Flexible working initiatives like hot-desking have the potential to save money in terms of office space. For some firms, it’s unnecessary for every member of staff to have a fixed desk, and it’s a waste to pay for an empty desk.

Some firms implementing or exploring flexible working:

Herbert Smith Freehills

The firm has had a flexible working agreement since 2012, but in August announced plans to implement agile working across all its London-based practice groups following a successful three-month trial. A number of partners and fee-earners were invited to work from home up to one day per week. The majority of those involved gave positive feedback: 89% reported improved work-life balance, 75% said flexible working improved their productivity and only 3% experienced negative responses.

Foot Anstey

The firm launched a “warm-desking” pilot in August, which is set to run for two months. The move is partly a response to a need to look for new premises in the city within the next three years.

BLM

In February, the firm announced that it was offering a flexible working program for all its London staff as it consolidates its two offices into one. BLM said they have invested heavily in technology to make flexible working simple and achievable.

The key to achieving the benefits of flexible working is implementation. Technology, of course, is important but also easy. Any IT department should be able to enable employees to work in the same manner, whether they’re in the office or not, without effort. A vast array of technologies and readily available Internet connectivity make it easy to collaborate in and out of the firm.

There are however also other softer elements to consider. Personality types, organisation and culture can all determine whether flexible working is a possibility for your firm. Overall you should focus on the business requirements first and foremost.

If you are considering flexible working for your firm then check out the Five Minute Guide For Becoming a Flexible Employer.

10 Data Leak Prevention Tips for Law Firms

Data leak prevention (DLP) is a subject that comes up again and again. “How do I stop data leaks from occurring?” and “How do I know if a data leak has happened?” are two questions that legal firms want answers to.

The premise of DLP is to stop intellectual property, client details or other sensitive data from passing into the unprotected Internet. Something that sounds easy, but isn’t. Leaks can happen via email, internet browsing or a breached cloud platform.

You may realise that those are three of the biggest things your firm uses every day and that’s where the difficulty comes in. Setting up a full DLP system is usually difficult and takes a lot of time, technologies and planning. But before you can even start to make a plan you need to understand the fundamentals.

What are the types of data leak?

  • In transit
    • Being intercepted whilst travelling over the wire, i.e. email, web chat, web traffic, etc.
  • At rest
    • From areas such as a file share, a database or from a desktop or laptop.
  • In use
    • From screen captures, clipboard, a printer, USB disk, CD, etc.

Your firm should break down each of these areas, understanding when data is in each vector and how it could leak via the vector. Once you understand what you have and what risks you face on each classification you can start to think about controls and policies. For instance:

  • What is your policy on staff plugging in USB sticks?
  • What controls will you have to stop sensitive details lying in the printer?
  • What is your policy on sharing information via social media?

The controls will vary significantly, but here are 10 areas to consider when contemplating how to keep your sensitive data secure from an accidental or malicious leak.

How can you make data secure?

1. Portable encryption

You should encrypt any sensitive data which leaves the secure confines of your firm’s network. You’ll need software systems to control this as you cannot typically rely on employees to do it. It only takes a lost USB disk, laptop or phone to deliver a severe or critical blow to a firm.

2. Endpoint protection

The data endpoint is typically a computing device, i.e. desktop, laptop, mobile, server, etc. It’s on these devices that IP and confidential data resides or passes through. DLP endpoint protection solutions can protect data inside and outside of the network by controlling functions, such as print, copy, and data transfer to USB devices or a cloud storage platform, such as DropBox.

3. Email content control

Email is a common source of a data leak, as employees use it to send confidential information and documents. Content filtering uses deep content inspection technology to scan the text, images, and attachments of an email, to flag up any potential threats and can alert you if a user tries to send sensitive information.

4. Intelligent firewalls

Data leakage often arises from email, IM or internet use. Firewalls can protect individual computers and whole networks from security threats and can take automatic action against potential data leaks, unauthorised access or malicious behaviour, either by notifying the administrator or by blocking the action.

5. Device control

Endpoint solutions allow administrators to control what devices are in use. They can also see when they have been used, who by and what information was copied, managing the threat of portable storage devices. You should also have effective security policies for your devices, as users typically store email and other sensitive documents on their smartphones and tablets. For example, some requirements could include the use of complex passwords or setting devices to automatically lock when not in use.

6. Evaluating security permissions

Many users may have access to sensitive data, but do they really need it? Allowing access on a “need-to-know” basis can dramatically reduce your chances of a data leak, accidental or otherwise.

7. Controlling print

Multi-Function printers (MFP) are typically unmonitored and can have a high level of data leak potential. Requiring users to ‘sign in’ before use can reduce this, as they will only have access to certain functions and documents. It also prevents users from leaving sensitive information on the printer, as the document only prints once the correct user has signed in at the MFP.

8. Securing back-ups

Many firms rightly have back-ups of their most important information, but these can be vulnerable too, either from an attack or due to loss. Just like the original data you should encrypt these files, which is a function of most backup software.

9. Image text analysis

Images can be sensitive data in themselves, plus camera-enabled devices like smartphones make it very easy to capture sensitive data. DLP solutions have the ability to analyse text within images, preventing data exposure.

10. Education

Businesses often assume employees know what information is confidential and what they cannot share. Yet, sometimes a data leak is accidental and can be something as simple as an email to the wrong client. A good security policy is well-defined and easy to understand, helping users perform important functions with reduced risk and increasing the adoption rate of the policy.

Are Law Firms Engaging More with Legal Tech?

I was asked this question the other day and had an enjoyable discussion about it so I thought I’d jot down my thoughts.

In this blog, I’m talking in general terms outside of the ‘Magic Circle’. Technology turns off most business people, partners included, in the main. I don’t understand why so many technology firms in the legal sector fail to grasp this concept.

Even when you turn up and say “this product’s going to make you super effective because of XYZ” they’ll often switch off. They’ve heard it all before and been burnt by expensive and bad solutions in the past. Or because they are just confused by the numerous options. This is why there is so much of a ‘herd mentality’ in legal. I always find it a little strange that so many plod together, but I can tell you this will change, and rapidly, as the space becomes truly competitive – basically like every other sector. Change is going to come so fast, but it’s not the technology that needs to lead it. The processes and models need to drive the change.

If I hear cloud, big data and AI many more times I’m going to explode. It’s boring for me, let alone lawyers having tech rammed down their throat in every email and publication. You are just talking about tools, and who cares about tools? Nobody except techs care about tools. I don’t care that my plumber has a new wrench with better grip, so why should ‘business leaders’ in law firms? Yes, these technologies may add value to a firm but many won’t until they are mature or integrated into a wider ‘business solution’ driven by a defined business strategy. Sure you may attract a partner’s attention with a fancy new mobile device, but often that’ll be the wrong device to really support a mid/long-term strategy.

Many firms will not truly engage technology until they have up-skilled general business improvement. Be that ISO, Lean Six Sigma, intelligent outsourcing etc. Technology is easy in general. Yes, there are exceptions, but generally, it’s easy when the business case and requirements are clear and championed by leadership. This needs to happen before the technology can really add its value. It’s surprising how many firms don’t have standard operating procedures. Or they don’t really review and develop them. This is pretty scandalous when most operations in legal are process driven.

In short, my message is that technology is not relevant without leadership, evaluation and analysis. You’ll see a rise, very quickly, and also many new entrants now the sector is opening. It should be led by increased efficiency (as stated) as margins are going to erode. I know that I don’t really pay any more per hour for legal services than I paid 10 years ago!

Robert Rutherford – CEO of QuoStar

How to protect data in end-of-life equipment

Any device where data is downloaded or stored is at risk of being accessed by a third party once it is no longer in your possession. Devices at risk range from the obvious hard disks, right through to printers.

The basic principle is: if data is written it can be retrieved unless it’s encrypted. Therefore, if you’re in an industry where your clients’ data is sensitive (which is to say, every industry), if you can encrypt the data you should always do it. Of course, you need to factor in performance overheads in relation to encryption but that is becoming less of an issue now with the entry of technologies such as solid-state disks and self-encrypting storage arrays. Encrypting data effectively removes a lot of the concerns around the disposal and/or loss of a device.

If you do have to dispose of a device then it is usually best to have it done by a third party specialist data destruction firm. However, you need to be aware that by choosing to outsource this function, you are not outsourcing all responsibility. If a client’s data were to be stolen from one of your disposed machines, it’s your brand that will be tarnished, therefore you have to do your due diligence. Assess the data destruction firm and assess your risks. Do not simply settle for a van turning up to remove the worry.

Once you identify the risks you should have them signed off at partner level and agree on a strategy to apply suitable control to minimise them. If you can follow these steps you can be pretty sure that your clients’ data and your firm’s reputation will remain safe.

Don’t think that PCs are the only source of data that can be unintentionally (or maliciously) disclosed to a third party though. You should also have security and disposal policies covering the following:

  • PCs, laptops, tablets
  • Mobile phones
  • Printers
  • USB storage devices
  • CDs/DVDs
  • Servers
  • Hard disks
  • Backup tapes
  • Cloud storage

Again, all of these items can be encrypted and, arguably, they all should be if your data could cause your firm or a client embarrassment.

Risk of extortion

Never think that your information is not of interest to a third party. A large proportion of data and security breaches are now focused on blackmail and extortion. Hackers hack for money now, not simply for fun. A hacker doesn’t have to come in over the wire; getting hold of a physical device littered with information will give them extortion material and valuable clues on how to breach network defences at a later date.

Your key considerations

So, what are the key things to consider in relation to ensuring data is destroyed after its useful life? In this article, ‘destruction’ refers to physical destruction (shredding) and ‘wiping’ to cleaning the data off securely, to retain some resale value to the firm or a third party.

1. Control access

As you can imagine, if you leave a pile of hard disks or USB keys in an uncontrolled area, one could go missing. If that happened, the data on it would be open to all risks. When you have set aside equipment for disposal, secure it away from general access.

2. Control / document assets

Make sure your asset lists are up to date so when you wish to ensure any data is destroyed you don’t miss anything. If you aren’t controlling your assets then you aren’t truly controlling the risks. When you do dispose of an asset, ensure the information is logged, including the device, serial code, how it was sanitised, by whom, when, where it went, etc. If you go to a third party it should provide you with a certification of destruction.

3. Destroy the data

If you just format or delete the data on a device it’s relatively simple to pull it back. If you want to ensure the data is irretrievable then you can use specialist tools to do so. You can start by looking at tools such as Kroll Ontrack and Blancco if you want to do it yourself. If you want to go belts and braces, encrypt the device storing the data and then run the secure erase tools. You then, of course, need to factor in the time required to undertake this work. It all comes down to how sensitive your data is.

4. Destroy the device

In some circumstances, the data is so sensitive that the entire device should be destroyed, shredded in fact. Generally, you would outsource this, but you can also buy the specialist equipment to do it yourself. Typically memory and hard disks are shredded, and other parts of the device sold on to retrieve precious metals. There are strict environmental guidelines on disposal of equipment so be sure to familiarise yourself with the current regulatory requirements if you do it yourself.

5. Destroy it quickly

Once you have identified equipment to be disposed of or wiped, then do it quickly. The longer devices hang around, the more chance they will fall out of control or go missing. You would typically expect to have a periodic destruction cycle or pick-up if using a third party.

6. Have a process

Ensure you have a documented process for the destruction of data and devices as required. If you don’t have a rigid structure, things can and will slip through. Generally, legal firms can’t risk that happening so controls and processes must be put in place and followed. Failure to follow procedures must have tough disciplinary repercussions.

7. Check third parties

If you are outsourcing the destruction of data and devices to a third party then ensure that you are careful in your choice. There have been press reports of devices turning up on sites like eBay with very sensitive data on, even on a printer’s internal flash disks. So, when choosing a service provider, you should be looking for companies with ISO 27001 and ISO 14001 certification as a bare minimum. Also, it helps if they are certified to destroy MOD equipment, e.g. CESG and MOD approved. The higher-end secure destruction firms will also have equipment they can bring to your premises, or premises you can visit, so you can witness the destruction of your data devices.

8. Communicate and review

Once you have a process and policies in place in relation to the wiping and destruction of data and devices, ensure that they are communicated and clearly understood. Make sure all relevant areas of the company understand their roles. Also, once created, don’t just forget about the policies and processes; review them at least annually. Your assets will change, as will the risks. Ensure that you review them regularly and know what they are.

Security is changing

As we look back over this tiny area of IT security, the case for ISO 27001 is becoming more and more important in law firms. The risk of a security breach of any kind can have serious implications more so now than ever before. ISO 27001 will give a firm a framework to identify all risks and assign appropriate controls to mitigate them. It will also give your firm a continual improvement methodology that will deliver gains year on year. It should also be noted that many clients are now demanding ISO 27001 certification as a standard before instruction.

As a final note, just do remember that your data is of interest to many people. Don’t take risks, or at least don’t take them without informed sign-off from your firm’s partners.

Robert Rutherford, CEO of QuoStar

8 IT security mistakes law firms make

The IT security landscape and the threats faced by law firms have changed little in the last 20 years. The nature of these threats, however, has changed drastically and many firms are yet to catch up.

While the old hackers typically hacked for fun, interest and challenge, the main driver for the modern hacker is now money, particularly around extortion and blackmail. This trend has brought attacks to the gates of every single firm, no matter their size. Your information is valuable and when hackers gain access to it, they can deal huge damage to your brand or extort money. And for law firms, where the trust and respect of the client and the protection of their highly sensitive information are paramount, you cannot afford a breach.

Legal firms may think they’re not at risk from an IT security breach, or believe they’re doing enough to protect their sensitive data, yet here are eight common mistakes I see firms making time and time again when it comes to IT security.

What are the IT security threats for law firms?

1. No two-factor authentication

Many firms are still only using passwords to access IT platforms, both within the office and whilst working remotely. Passwords are simply not secure on their own. The number of passwords every member of staff needs to remember in this day and age is too vast, and the threat landscape is too big to rely solely on them.

The solution which many sectors have adopted already is two-factor authentication, for example, a password and a token. Many banks insist on this, and for a good reason.

2. No disaster recovery and continuity plans

A tried and tested business continuity plan is essential for any firm. However, many will not have one and those which do will not really test it regularly or earnestly enough. This is one of the biggest and most worrying lapses in security. Not having a plan to recover and operate after a significant event is negligent, verging on criminal. Try explaining to your insurance firm after a disaster why you can’t show them your recovery plans.

3. Device control

Most legal firms have mobile devices such as laptops, iPads, mobile phones and the like, but few are controlled by the firm. For example, some firms will allow employees to pick up work email on a personal device. This is completely negligent unless you have secure controls in place. It’s also concerning to see that a number of firms are still not encrypting every mobile device containing sensitive data. If you believe your information is not of use to a third-party, you are very wrong.

How would a partner explain to a key client that their sensitive information had been stolen or leaked to a third-party? What if that third party was the press, keen to highlight how legal firms like yours still aren’t taking client data security seriously? A breach like this could permanently damage or even end your business.

4. No asset list or risk register

Most firms haven’t really evaluated what their risks are. You simply cannot protect what you haven’t assessed. Firms need to evaluate every asset and service within their business, not simply IT hardware and systems. They should also be looking at their other assets, e.g. their brand, their people, etc.

Once these are identified, you must assess the risks associated with that asset and how it could impact the firm. With this information, the controls for those risks should be documented. You can’t be comfortable with the security of your firm if you haven’t been through this process.

5. No patch management

This is something that still doesn’t happen to the level that it should. Many firms still have no formal patch management strategy. I know that it’s painful for an IT department to do, but it is so important to get critical updates on machines as soon as possible. A significant percentage of hackers, viruses and Trojans use vulnerabilities in software to gain control over a device, so it needs to be done.

6. No staff training

The largest weakness of a firm’s security is its people. It’s imperative that people understand the risk they pose and how to be more aware of the threats. You’d be surprised how many firms I could breach within minutes by simply calling up, pretending to be a new member of the IT team and directing them to a web page to allow myself access. The risks around staff are huge and educating them is essential.

7. Device disposal

We are all aware of the risk of disposing of PCs, laptops and similar devices properly to ensure that no data is left on them. However, legal firms scan and print large amounts of data and this also poses a risk. The information is sent to a printer’s internal disk before it is printed. Be mindful that these disks will hold sensitive data, so ensure they are wiped or destroyed before you dispose of them.

8. Being lax

If you don’t take IT security seriously then you will suffer at some point. How badly you are affected is a game of chance. Do not think for a second that you are not at risk, or that IT security can simply be seen as an IT department problem and left to your team. You need to take responsibility for IT security as you are most certainly accountable.

There are many more risks than this out there, but you need to shut the doors and windows before you start sealing the cracks.

Robert Rutherford, CEO of QuoStar

How can law firms reduce the risk of cloud services

Rapid change within the legal sector nationally and internationally has made many firms look to the cloud for solutions. In times of turbulence, legal firms and, in fact, other businesses look for change, to get an edge over the competition, to pick up that golden chalice dangled in front of their noses by a smart salesperson. However, when you are hungriest, you need to be doubly careful with decisions. Don’t take risks. Be informed. Take your time.

The cloud is a very large playing field, so I’m going to talk in general terms and at a ‘high-level’. After delivering and consulting on cloud systems for more than a decade, we’ve seen and heard pretty much everything, so this blog post is just a summary.

So many IT service providers are pumping cloud services as the only ‘real’ IT solution for the modern legal firm. This is simply false and negligent – the cloud isn’t always the right solution. Whilst there are many areas where cloud services can deliver a business gain, you shouldn’t just throw everything into the cloud without consideration.

Cloud is a tool, no different from a new server or piece of software. For example, if you’ve bought your marketing department Apple Macs, should you now roll them out throughout your firm? No. It’s the same with cloud services. They have their uses but you need to apply clear business rationale to any decision – think of now and the longer-term.

It’s important to remember that cloud isn’t some brand new technology – it’s mainly just hype. Hype causes issues and clouds judgement. It creates a sense of urgency and a fear of missing out. The herd mentality within the legal sector only exacerbates this further.

The cloud gold rush has got every man and his dog trying to provide and resell cloud services to fill a demand. You even have phone system companies and printing machine companies trying to resell IT services on a cloud model into the legal sector. This is just insane, IT isn’t simple – true business-enhancement comes from careful analysis, effective tailoring and solid integration of numerous different technologies and systems. Legal firms need to be evaluating and analysing their business models, workflow and general operations, looking for improvement and identifying the right technologies and systems to support that change. Technology should not be leading change, merely supporting it.

So, what needs to be covered when speaking to Mr Provider about the shiny new cloud solution? I’ve created a list of ‘high level’, not exhaustive, questions legal firms should consider.

Ask yourself:

  • Has our firm, and its operations, been analysed in suitable depth by the provider, and a clear business case made for the change?
  • Will they stand by and guarantee any claims made in their proposals?
  • Are there any changes to the firm in the foreseeable future that could impact our chosen solution?
  • Do we have options, both in and out of the cloud?
  • Do we clearly understand the benefits and drawbacks of the different options?
  • What are the true costs of the options over the term of the contract or life of the solution?
  • Do we need to factor other costs into the project, i.e. do we need additional network connections, training, resource allocation, etc.?
  • If this doesn’t work – how are we going to fall back?
  • Does the solution meet our regulatory requirements?

Ask the provider:

  • What is the financial status of the provider?
  • How long have they been delivering cloud services?
  • What certifications and accreditations do they hold?
  • What are their Service Level Agreements and what happens if they don’t meet them?
  • How will you exit the cloud service should you wish to or need to?
  • Do they have control of their infrastructure and services, or are they reselling someone else’s?
  • How can they assist with your migration into the cloud – and vice versa?
  • What can impact the service they are delivering to you, and how can those risks/effectors be mitigated?
  • How are they securing your data from external threats? Can they Certificate testing?
  • What levels of resilience have you built into your infrastructure? If a server fails what happens? A network connection? A disk storage system? Power?
  • How will the billing model change if you ramp the firm up or down?

Don’t steer away from the cloud. As with any IT system, when it’s been chosen through careful analysis and tailored to a business’s operations the results can be impressive and game-changing. Just have your eyes open and take the time to breathe.

Robert Rutherford, CEO of QuoStar
