Last year, lawyers at a Chicago-based law firm and officials within the Indonesian government found themselves caught up in a global surveillance scandal when it was discovered that communications between the two were being intercepted by an Australian intelligence agency. The most distressing thing about the surveillance isn’t that it happened – every government engages in spying, to one degree or another.
It’s that the law firm apparently had no measures in place to protect itself.
It’s a sad irony, really – the involvement of legal services organizations in data and security breaches is a common thread. Decision-makers within said organizations thus possess a unique level of insight into both the costs and risks associated with poor security. Yet even with this insight, too many firms are still distressingly lax with their own security measures.
That needs to change – and soon.
Legal Organizations “A Perfect Target”
As reported by Bloomberg, security experts have labeled law firms the ideal target for corporate espionage. The legal services sector is being targeted with alarming frequency, and according to Digital Guardian COO Peter Tyrell, around 80% of the largest firms in the States have suffered some sort of breach.
Said breaches come in many forms. Some are simply the work of black hats looking to buy and sell intellectual property. Others, however, have a far more insidious origin – cyberspies in nations such as China and Russia are also frequent perpetrators of corporate data theft.
“Law enforcement agencies have long been concerned about the vulnerability of United States law firms to online attacks because they are seen by hackers and nations bent on corporate espionage as a rich repository of company secrets, business strategies, and intellectual property,” writes Matthew Goldstein of The New York Times. “But attacks on law firms often go unreported because the firms are private and not subject to the same kind of data-breach reporting requirements as public companies that handle sensitive consumer information.”
It’s another irony – the data handled by law firms is extremely valuable to clients, likely even more so than consumer details, yet it’s subject to fewer protections than the latter. Should that information wind up in the wrong hands due to a firm’s negligence, then that firm has failed to protect client-attorney privileged information. This can cause immeasurable damage to the client’s business – and if word gets out that the legal services firm was responsible, it can also destroy the firm’s reputation.
Corporate clients are, for their part, largely aware of the looming threat represented by the legal industry’s lack of security. As a result, law firms have in recent years come under increasing scrutiny, and many enterprises now refuse to work with any that don’t implement top-tier practices.
“Some financial institutions are asking law firms to fill out lengthy 60-page questionnaires detailing their cybersecurity measures, while others are doing on-site inspections,” continues Goldstein, citing several corporate sources. “Others are asking law firms to stop putting files on portable thumb drives, emailing them to nonsecure iPads or working on computers linked to a shared network in countries like China and Russia where hacking is prevalent.”
Regulatory agencies have also taken note, calling for change in how the legal profession handles security, in addition to tightening requirements in other regulated industries. These regulators see law firms as a secondary point of access for criminals and spies, and contend that their potential vulnerability to cyberattacks is too great to ignore. They’re right.
The Culture of Convenience in Law
The real problem facing legal organizations isn’t that they don’t have access to the necessary security tools. It’s that all too often the IT and security teams are unwilling to make use of them, thanks to pressure from employees. Legal services staff – lawyers in particular – demand a completely seamless user experience; one which leaves little room for security.
In other words, they expect nothing but the highest level of convenience, without a thought as to what that entails.
“Security and convenience are inversely related,” writes Harvard Business Review’s Carl S. Young, echoing the logic of many upper-level legal professionals. “The greater the security provided by a control, the less convenient it is for affected individuals. An organization’s willingness to tolerate inconvenience has a profound effect on the security of its information.”
“Importantly, it’s the most senior employees, the leaders who define and shape the organization’s culture, that often have the lowest tolerance for inconvenience,” he continues. “An extreme example I encountered was a prestigious law firm where the senior partners refused to use passwords!”
This culture of convenience puts IT security in an incredibly difficult position, forced to deal with the unrealistic expectations of legal teams whilst still attempting to secure organizational data in an environment of never-ending and escalating cyber hacks and breaches. Mobile technology only further complicates the situation. But it’s also central to modern law.
According to a 2014 survey by the American Bar Association, 91% of lawyers use a smartphone in their practice, and nearly 50% use tablets.
This makes sense – law is a high-energy, high-stress profession, and lawyers are often on the go. Anything that makes a lawyer more efficient and productive is a godsend. Unfortunately, many of them use personal devices and third-party applications, significantly increasing the risk of data loss, targeted attacks, and malware – the latter of which is more common at law firms than encryption.
But what can be done about all this?
What Needs To Change
The first thing decision-makers need to do is adjust their own expectations. Traditionally, security technology such as work containers and two-factor authentication was cumbersome to use. Although it kept sensitive data safe, it also hindered the employees using it.
As a result, many in legal IT still hold the perception that security always involves dramatic trade-offs in convenience.
This is no longer the case. Security technology – containerization in particular – has come a long way towards optimization of the user experience. Well-designed and carefully integrated user interfaces do their jobs with minimal impact on the user, and often provide features that enhance both workflow and productivity.
In other words, the trade-off between security and convenience is now minimal, perhaps even trivial. All that remains is for employees to realize this. A good analogy to consider is the reaction to seatbelt laws when they were first mandated – people complained that seatbelts were both uncomfortable and time consuming.
In hindsight, these arguments were foolish, particularly given the number of lives seatbelts have saved.
The parallel to security should be clear. Much as we’ve shed the notion of seatbelts being inconvenient, it’s time law firms shed the notion of security being a hindrance. Security teams in legal services need to ensure control of sensitive assets and adopt top-tier security practices.
This involves implementation of the following:
- Containerization: To mitigate data loss and malware attacks related to personal use, employees must be provided with a secure work environment separate from their personal one. Secure Work Space allows IT to fully secure all work-related data, applications and use cases, while delivering a consumer-grade experience. It includes a full suite of integrated work productivity tools and apps that function seamlessly together for a secure and productive mobile work environment, and also supports transparent certificate-based authentication, something that many enterprise clients require for protecting their sensitive data.
- Secure Voice: As has already been demonstrated, eavesdropping is a significant concern for overseas legal teams. When a host government also owns the national telecoms infrastructure, it’s easy for third parties to listen in on sensitive discussions, putting trade secrets at risk. The most advanced secure voice solutions, such as SecuSUITE for BlackBerry 10, are both simple to use and offer crystal-clear conversation.
- Secure File Sharing: Finally, to prevent the theft and misuse of confidential documents and files, IT needs to equip legal teams with a secure file sharing solution. Designed for a cross-platform mobile environment, WatchDox’s built-in Digital Rights Management (DRM) security controls follow the sensitive documents wherever they go: in-house, partners, or other third parties. Recently recognized for the second year in a row by Gartner in its 2015 Critical Capabilities for Enterprise File Synchronization and Sharing report, WatchDox prevents unauthorized viewing, saving, copying, forwarding, and cut & pasting, allowing documents to be kept secure no matter who is viewing them.
It’s ironic that an industry with a direct window into the impact of poor security should take such a short-sighted approach with its own practices. Unfortunately, thanks to misconceptions about the nature of security technology and a convenience-obsessed culture, many firms are lagging well behind their clients. This needs to change, as the risks and consequences associated with data loss have never been greater.
The first step is to reset user expectations. From there, IT must implement top-tier security practices and solutions that both protect sensitive information and keep employees productive with a minimal impact on user experience. Should they fail to accomplish both, their firm will ultimately be unable to protect its assets.
And a firm that’s unable to protect its assets cannot by any means remain in business for long.