A feeling of security

With the rise in web-based legal transactions, law firms are becoming increasingly conscious of online security. Fenella Quinn reports on the concerns and the latest developments in e-security.

If you or I contemplated the idea of some unpleasant youth hacking into our personal email, we would probably dismiss the notion without too much concern, knowing that the unfortunate hacker would get only a modicum of enjoyment at our expense. If, however, you were responsible for highly sensitive, web-based corporate information that could send share prices soaring or plummeting, you might feel a little more anxious.

Several law firms have implemented web-based information systems whereby clients can find out how their case is going, how much they owe and what is in the last meeting notes. So far, only two have gone the extra mile and set up "virtual deal rooms", where whole corporate deals can be transacted online. But with industrial espionage always a threat, and fears over internet security a nagging constant in all our lives, how do these rooms measure up against today's widespread paranoia?

In January, Clifford Chance and Allen & Overy announced their own "virtual deal rooms". Clifford Chance's version, "Fruit Net", was established to execute a deal named "Project Fruit", a CVC Capital Partners-led €825m (£519m) buyout covering 19 jurisdictions. A&O's "newchange" deal room system is a similar concept, where parties to the given deal, wherever they are in the world, have access to the appropriate corners of the virtual room, thus making the dissemination of drafts far easier than by traditional methods.

Each room – there are currently 250 "occupied" by A&O – is administered by a lawyer. Jayne Cox, professional support lawyer with special responsibility for e-business, explains that when a document is ready to go into the room, the administrator simply ticks the boxes next to the users he or she wants to see the document, is then prompted to make sure they have the right boxes checked, and off it goes. This in turn triggers automatic email notification to all relevant parties.

The firm claims that by adopting a modular approach, so that each clause is drafted to be independent of but integrated with all the other clauses, the newchange system allows lawyers to redraft clauses without incurring all the usual and laborious consequential changes. While many see virtual rooms as ideal for the more cut-throat deals which need to be executed swiftly and with ruthless precision, Cox says that they are also being used for long projects such as syndicated financing deals.

User access is effected by allocating each person an individual ID and generic password, which must be changed by the user before being allowed into the site. It is the individual's responsibility to keep passwords safe. But, as Seamus Reilly, senior manager in Ernst & Young UK's information systems assurance and advisory service says: "People tend to write passwords down, or share them."

A more effective way of policing entry, which Reilly believes will become increasingly popular, is the use of digital certificates. "It's called two factor authentication," he says. "It operates on the basis of something you own and something you know."

The digital certificate is a small, encrypted file that is unique to its owner and is given out by the site administrators, preferably in person. Every time the user goes into the site, the administrator can check that they have this unique file, and therefore know that they are the right user. While A&O does not have this process for users, it does have a similar security blanket in place to ensure that anyone posting information on the site knows that they are in the right place.

Reilly's team at Ernst & Young is an "attack and penetration team", also known as a "Tiger Team", which takes on the role of malicious hackers who crack open clients' sites to see where security holes might lie. From his own experience, he stresses the importance of looking at the prospect of "inside jobs".

"People tend to concentrate on external security, but they have to consider both sides. Many major security incidents come from internal sources. Some deals could be worth hundreds of millions or billions and could be share sensitive. If information in these deal rooms is time critical and valuable, there may be people willing to pay a lot of money for it," he warns.

Deri Jones, security manager of NTA Monitors, an internet security testing firm, is called in at the design stage of secure rooms to consult on security issues, or alternatively after the event, in a testing and auditing context. He says: "We test on a black box basis, so we don't know the ins and outs of the site, we have no information about passwords or anything. We flow traffic into the network and see what comes out the other side. This way we can tell the type of server it is and therefore what type of problems that server has."

According to Seamus Quinn, editor of News/400.uk magazine, the type of server supporting virtual rooms is crucial to security. "In many ways security in any e-business environment depends on the quality of security implemented on the servers that run the virtual arena in question. While high-end mid-range systems such as the AS/400 are unknown in many respects to the hacking community, NT/Windows 2000 is ubiquitous. More people know how it works and there have been a number of reported cases of the back door being quite easily opened by those with enough knowledge."

Quinn adds that there are thousands of Microsoft training courses which can easily give potential intruders the wherewithal to interfere with unsuspecting companies' systems. "Unix is a better bet, but Apache [a Linux-based server package which runs on Unix machines], is now very common. AS/400s are more secure because they have a proprietary operating system which people outside the AS/400 community do not know enough about. And IBM has been incredibly careful – it's the Fort Knox of servers," he says.

Quite apart from the inherent security of the servers themselves, and also how secure the hardware is against theft, there are many levels of security available to protect internet sites, and all office systems.

Jones says: "Firewalls are still a vital part of security infrastructure, but they are not enough on their own. Organisations should also have a virus checker round their perimeter." Installing advanced virus checking within virtual deal rooms neatly solves the problem of numerous files whizzing around the world by email, which could each carry different viruses and therefore embarrassingly infect clients' or colleagues' networks. Another level of security is a URL filter, whereby staff and users have access to certain databases but can be blocked from indulging in pastimes such as cybersex, gambling, football or even the delights of handbag.com.

While A&O would not divulge the nature of its server, it does reveal that it has installed the market-standard SSL (secure sockets layer) perimeter security, ring-fencing the newchange site. However, this is a Microsoft product and, although widely used by banks, may be prone to too many people knowing about it.

But, as Jones says: "Is there ever such a thing as 100 per cent secure? The short answer is no.

"Look at faxes lying about in offices. What are the cleaners doing with their James Bond cameras hidden in their Hoover handles?" he quips, demonstrating how paranoia can go too far. But there are enormous liability questions that are largely untested. "If you follow best practice, you can minimalise the risk," he says, advocating the use of third party testers who can then become expert witnesses in court should the need arise. "It's people who try to cut corners that have problems. You've got to take the car for a test drive, and then you find out the problems."

Reilly stresses that it is vital to strike a balance between tight security and allowing enough flexibility to give access to the correct people. "Also," he says, "it's not worth doing all this security if you haven't thought about the security of the physical box that's running it all."


Business to business (B2B)

The latest buzz phrase to throw into a business plan. Venture capitalists have decided that sites offering business services or information to other companies have the best chance of making money.


The large transmission line that carries data gathered from smaller lines that interconnect with it. On the internet a backbone is the set of lines that internet service providers (ISPs) connect to route traffic over long distances.


What everyone says needs to be done, some say has been done and everyone complains about when it hasn't been done.


The base two number system that underlies the whole computer revolution. Computers use ones and zeros to represent data. This is important because it means that any digital information can be reproduced exactly without degradation, unlike analogue information which is based on a continuum.


A new standard that enables mobile phones, computers and personal digital assistants (PDAs) to connect with each other and with phones and computers using a short-range wireless connection over a maximum range of 10 metres. This offers the potential of a truly wireless high-speed (one megabyte per second) network in home and office.


High-speed internet access – the holy grail for interactive services and a whole range of entertainment start-ups.

Burn rate

The rate at which a new company is spending its capital while waiting for profitable operation. Currently keeping venture capitalists awake at night.