Flexibility Versus Security - Are The Shutters Coming Down?
In opinion / By Charles Christian / 26 March 2018
I was talking to my main contact at Nasstar earlier this month and she happened to mention that her colleagues in the sales team had picked up on a common theme when talking to customers and prospects: how to get the correct balance between a mobile/flexible workforce and security.
She added “We see firms who are so concerned about security that everything is locked down, causing frustration amongst users and restricting productivity. While at the opposite end of the spectrum, there are organisations who embrace mobile working and don’t seem to have any regard for security, having lawyers connecting to any open wifi they can find to work from wherever they are.”
This is an interesting point to raise, as we do seem to be on the cusp of online security shifting from its current optimistic, almost Wild West, anything-goes approach, where the ideal is to be online “any time, any place, anywhere” (sometimes called the Martini Generation approach, for those of you old enough to remember the TV ads), and turning towards a more locked-down “pessimistic” security model.
According to the Nasstar team, the dichotomy for law firms is very clear. You need to adopt mobile working to drive efficiency, client satisfaction, employee satisfaction, billable hours and profit. BUT, you need to keep your data safe, deliver enhanced data protection, cyber crime countermeasures, robust security processes and technology to safeguard against losing your information.
Therefore, the team have compiled a three-part series which will explore how Nasstar is leveraging technology to deliver "secure mobility" to its clients while keeping the digital gates tightly bolted. Read the first part of the series here, keep your eyes peeled for part two coming shortly!
And, of course, the looming deadline of the new GDPR compliance regime (25th May 2018 in case it has escaped your memory) and the ongoing Facebook/Cambridge Analytica data exploitation scandal are only serving to focus everyone’s attention on security. But, where do we draw the line?
There’s no denying that smartphones, iPads, laptops, mobile apps and readily accessible public wifi have transformed the productivity of lawyers. The commute to and from work is no longer dead time, and the ability to access client records in the taxi on the way to a meeting is now a specific selling point for many legal software applications.
On the other hand, just as there is no such thing as a free lunch, so there is no such thing as free public wifi in your local coffee shop. Or, as a recent Harvard Business Review blog post rather graphically put it: the dangers of using public wifi are comparable to the risks of having unprotected sex. In both cases you might get away with it but not taking the necessary precautions can lead to lasting harm.
At the very least you risk having your email slurped and being bombarded with even more spam than usual – says a man who, thanks to once logging on to wifi during a stopover at a Gulf airport, now receives a large dollop of spam in Arabic every day! More seriously, you have no control over the security of the wifi network you are accessing. Was it installed correctly? You can be pretty certain it will lack any form of encryption. Has it been hacked? Is there a malware risk? And that’s before considering such issues as “man in the middle” (or MitM) attacks, where someone else in the coffee shop or nearby is intercepting the transmissions from your device to the network router.
But, this does not mean you have to abandon using public wifi – just ensure you take measures to protect your devices. These include using a VPN (virtual private network), only accessing SSL-protected HTTPS websites, switching off file sharing, turning off the automatic wifi connectivity feature on your device – so you are not inadvertently connected to an insecure wifi hotspot – and using some form of two-factor authentication when logging into sensitive information.
All this may sound like a big deal to the individual end-user but it is something any law firm IT department or third-party tech supplier can help implement. But, this is only part of the story, for along with all the practical measures that can be taken, there is also a broader policy issue to consider – and this is something cropping up on the agendas of more and more large firms.
In the wake of the “Panama Papers” scandal, the Appleby “Paradise Papers” data leak, and the SEC prosecution of a Foley & Lardner partner for insider trading, a number of law firms – including Dentons and Bird & Bird – are shifting over to a “pessimistic” security model, so that instead of information being freely accessible within a firm, staff are only able to open files where they have explicit “need to know” access rights.
As Dr Mike Lynch, former founder of Autonomy and more recently Invoke Capital Partners, which has invested in next generation cybersecurity vendors, has commented: “We see law firms being attacked by nation state players (such as China and Russia – my comment) where an important person from that country or the government is involved in a case or transaction. Law firms are being attacked by the most sophisticated attackers, not bedroom hackers but really serious people. Most of the time they do it really quietly; it’s about gaining an advantage in a legal situation. But in the flick of a switch, it could bring down the firm. The same goes for security. Imagine a data breach in a law firm where someone puts all your privileged documents on the web – you’re finished. Law firms are starting to realise that, unlike other industries, a major cyber attack is not survivable.”
The Association of Corporate Counsel (ACC) has also waded into this scenario, publishing new guidelines in March 2017 which state: “Outside counsel must have logical access controls designed to manage access to company confidential information and system functionality on a least privilege and need-to-know basis, including through the use of defined authority levels and job functions, unique IDs and passwords, two-factor or stronger authentication for its employee remote access systems (and elsewhere where appropriate).”
All of which makes a lot of sense, except… it goes completely against the grain of the document management (DMS) and knowledge management (KM) systems that law firms have invested millions in over the past 25 years. Or, as Marcel Henri, the global CIO of Dentons, has put it: “The business gets it but of course some parts of the business are resisting it because it limits your ability to share knowledge and content. Firms have invested heavily in search but what is a search if everything is locked down?”
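To make the trade-off concrete, here is the “pessimistic” need-to-know model beside the open model it replaces, as an added example in Python (illustrative code, not Nasstar's, Dentons' or any DMS vendor's); the roles, matter identifiers and documents are constructed, and the search function shows why a firm-wide index returns far less once access is locked down.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Document:
    doc_id: str
    matter: str               # client matter the document belongs to
    privileged: bool = False  # legally privileged material

@dataclass
class User:
    user_id: str
    role: str                 # job function, e.g. "partner", "associate", "km"
    matters: frozenset = field(default_factory=frozenset)  # explicit need-to-know grants

# Optimistic model: anything inside the firm is open to any authenticated user.
def optimistic_can_open(user: User, doc: Document) -> bool:
    return True

# Pessimistic model: deny by default. A user needs an explicit grant on the
# document's matter, and privileged material is further limited to fee earners.
FEE_EARNER_ROLES = {"partner", "associate"}

def pessimistic_can_open(user: User, doc: Document) -> bool:
    if doc.matter not in user.matters:
        return False
    if doc.privileged and user.role not in FEE_EARNER_ROLES:
        return False
    return True

def search(user: User, docs, policy):
    """Return only the hits the caller may open, so the index itself leaks nothing."""
    return [d.doc_id for d in docs if policy(user, d)]

# Constructed sample corpus and staff (hypothetical matter names).
DOCS = [
    Document("D1", matter="M-ACME-2018", privileged=True),
    Document("D2", matter="M-ACME-2018"),
    Document("D3", matter="M-GLOBEX-2018", privileged=True),
]
USERS = {
    "partner_a": User("partner_a", "partner", frozenset({"M-ACME-2018"})),
    "km_b": User("km_b", "km", frozenset({"M-ACME-2018", "M-GLOBEX-2018"})),
    "assoc_c": User("assoc_c", "associate", frozenset()),
}

def compare_models(user_id: str):
    """Search results for one user under the open model and the need-to-know model."""
    u = USERS[user_id]
    return search(u, DOCS, optimistic_can_open), search(u, DOCS, pessimistic_can_open)
```

Running `compare_models("km_b")` shows the knowledge-management user seeing every document under the open model but only the non-privileged one under need-to-know, which is exactly the search problem the Dentons CIO describes.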
We are then sitting on the cusp: is the golden age of access anything, from any place, at any time, on any device, going to give way to a far more security conscious environment in which even lawyers may be unable to access documents on their own firms’ systems? As with most developments in law firms, it will ultimately depend upon commercial considerations, in particular how their clients call the shots. But, in the meantime, please do invest in some online security so you can safely use your smartphones and iPads to surf the net, while you are taking advantage of the free wifi in your local coffee shop.
Charles Christian is the Editor-at-Large of the Legal IT Insider newsletter and also talks about tech, geek stuff and cybersecurity on Twitter at @ChristianUncut.
As a managed IT services provider, Nasstar is constantly reviewing its security posture based on the current and predicted threat landscape to ensure clients are protected from threats, and fortunately, while criminals' capabilities have developed, so have businesses' means of stopping them.
Stay tuned for the next instalment of our three-part series which will explain how Nasstar is using prevention and detection technologies to stop criminals in their tracks. In the meantime read part one here!