It is essential for law firms to maintain high standards of e-security in a fragmented, remote-working environment
What are the main issues raised by lawyers working in an increasingly fragmented market?
Richard Kemp, founder, Kemp IT Law: It’s about balancing flexibility and security. It is increasingly mainstream for lawyers to expect: flexibility – to choose the devices they use; mobility – to work at home, in the office or on the road; and convenience – to keep personal, client and firm data on the same machine.
But law firm management has to balance the trend towards greater flexibility with the trend towards better law firm information security (IS), where regulatory, client (contractual) and market pressure is also increasing. Add the fact that law firms are engaging more types of staff, such as contract or temporary staff for more roles (not just lawyers) and in more geographies, then achieving the right balance between flexibility and security gets complicated.
Janet Day, director of technology and infrastructure services, Berwin Leighton Paisner: A lot of the issues are around internationalisation, geographic pressures and information access balanced by the need to maintain security. The lawyers need to get at what they want when they want it from whatever device available, while obeying imposed or required security parameters. As so many functions become easier technically, there is something of a conflict between ease of access and security.
Stuart Walters, IT director, Taylor Wessing: Today’s lawyers require access to all information at any time, from any location and on any device. Their concern is not purely about the delivery of this information securely but also the necessary support that inevitably comes with its delivery.
In which ways can a firm’s IT operations team help facilitate bring-your-own-device (BYOD)?
RK: This is tricky, as supporting large numbers of indeterminate environments carries significant cost and risk for a firm’s IS. It is a big issue not only for law firms. In May, Google bought Divide, a start-up that lets smartphones and tablets segregate work and personal data. But firms’ IT operations are increasingly looking at this and there are a growing number of options on the market, for example: using a completely remote environment such as Citrix, although this only works when a device is online, so it is no good for, say, access during flights; or using an environment such as MobileIron or Acronis, where a range of applications or devices can be managed securely through the provider’s software, although this may involve a level of corporate IT control or access that individuals are unhappy with.
SW: The IT operations team needs to fully understand the implications of BYOD, from both a policy and a technology perspective, and ensure it is managing both these aspects with any solution or service that is put into place.
JD: In a way this is an extension of the previous question – accessing information wherever you are, from whatever device you have available. IT teams need to think about being the custodians of the data and the providers of various gateways of access, rather than the dictators of the mechanism and methodology of access. BYOD has advantages – if the lawyer selects the device it is hard for them to complain about that device. If the lawyer selects how they want to work they will probably harness their intellect to make that method work. So it creates a win-win environment: users with equipment they want, like and therefore probably know, and IT teams with information held within their own environment and viewed only from these devices, not moved to them. Virtualisation creates the opportunity for this style of access.
How concerned should clients be about the security of their matters?
SW: Client data security and client confidentiality have always been paramount and the introduction of new technology has not changed this, so clients should not be any more concerned than they have been in the past.
Technology potentially makes security more difficult to control, but this is something that most law firms fully understand and are able to address. There is an extent to which it is the client’s responsibility to consider how they are communicating with their legal advisers and to ensure they do so in the most appropriately secure way.
RK: Clients always have relied on lawyers’ confidentiality. As an increasing amount of legal work goes online and the risks of IS breaches grow, we are seeing clients placing firms’ IS capability alongside legal expertise when running selection processes. Client IS requirements can be detailed, involving penetration testing and audit requirements, for example, as well as contractual commitments to follow the client’s own IS policies and requirements. Law firms, however, should expect that their clients in turn maintain a high standard of IS and do not just transfer to the law firm an IS responsibility that is really the client’s.
JD: You would hope that clients have sufficient confidence that their professional advisers are doing their jobs properly. The real reason for the concern is not about IT services as such but more about the increasing opportunity for data loss and data leakage by lawyers travelling, working under pressure in different time zones and sometimes not being aware of what breadcrumb trails they leave behind them. Many clients now perform security audits – these look at the backdrop of the IT operations and ensure that the lawyers are guided on how to access and limit access to information. Clients and legal advisers should work together to agree the preferred route on these matters.
What steps can firms take to ensure that security is maintained if they are working in a disaggregated manner?
JD: Security operations should transcend geographic and operational boundaries – security needs to be set at a high level and maintained at that level throughout. Firms should take advantage of the software that is on the market to help build internal security barriers and ensure that teams understand the use of these boundaries. Disaggregation by itself does not need to create a greater security risk.
SW: Firms need to keep up with the latest security news and awareness. It is the responsibility of any law firm to ensure that it has all the necessary technology solutions in place, but also that policy, communication and security awareness are being considered on an ongoing basis.
RK: This is the trade-off between flexibility and security. It depends on the requirements (both statutory/regulatory and elective) of a firm’s client base and work types undertaken, and how this aligns with the regulatory and elective needs of the firm itself, including the lifestyle requirements of its lawyers. This need for balance should inform the choice of options, or even rule out BYOD altogether if that prevents the firm working for particular key clients or in particular work areas.
What are the main dos and don’ts when managing data security in a multinational firm or on multijurisdictional matters?
JD: Security should be set at a global level. Cyber risk transcends boundaries. So it is about setting your standards and imposing them on the enterprise, not on a country or a business unit. It is also about ensuring everyone understands why these boundaries are set and realises they have a personal responsibility to ensure rules are followed. IT teams, working closely with risk teams, need to ensure this awareness is made available in a consumable and comprehensible manner.
RK: Do: get general buy-in to the need for a structured, proactive approach to IS; conduct a structured risk assessment of the firm’s or project’s IS risks; assemble a working party of all IS stakeholders (management, IT, HR, geographies, user representatives) tasked with developing the firm’s IS policy statement; carry out awareness training throughout the organisation; link the firm’s approach to IS to the firm’s approach to data protection.
Don’t: forget the 80:20 rule and that the most obvious breaches can still have the biggest impact (are thumb drives barred, for example? Can devices be wiped remotely, for when the laptop gets left in a taxi?); stop halfway through the process – you have to resource it and keep going; have the policy and then not follow it; think it’s all over when you have the policy statement agreed – IS is not going to go away, the policy is just the start.