Legal IT: think security, think flexibility, think stability
ARTICLE BY LOUISE WYNN, BUSINESS MANAGER AT INSTANT ON IT
The rapid rate at which IT evolves brings with it opportunity for law firms. But, getting IT right means focusing on the right areas and creating a straightforward plan around each. We talk about why security, flexibility and stability are our top three recommendations when it comes to law firms’ IT focuses, and share some of our experience in the legal sector to help kick-start the process.
It’s easy to understand why the legal industry might be high up in the target list when it comes to cybercrime. Lawyers are entrusted with sensitive personal data on a daily basis: specific personal data such as dates of birth and addresses, medical reports, bank statements, criminal records, employment records and the list goes on. The combination of this extensive client data and intellectual property, plus an inconsistent awareness of the risks themselves, poses a very real threat to the industry. And, the threat is not isolated to the sector’s giants, given the compromised budgets and technical expertise often associated with smaller sized organisations.
With agreement now having been reached on the General Data Protection Regulation (GDPR), data protection practices will need reviewing anyway over the next couple of years if the heftier fines of 2-4% of turnover are to be avoided. Change won’t happen overnight though, so this is another reason why taking steps in the right direction now makes good sense, including reducing the likelihood of a breach in the first place, as well as considering deploying systems to alert of potential vulnerabilities, where it is feasible to do so (the GDPR specifies that data controllers – normally the customer – will have to notify breaches to the supervisory authority ‘without undue delay’ and, where feasible, within 72 hours).
There’s no denying that technology should be high on the agenda when it comes to reducing cyber risk. There is no ‘one size fits all’ but equally it needn’t be complex and it needn’t be big money. The regular audit of IT systems in place and IT processes, plays an important role for law firms, highlighting any improvements required in the configuration of systems, access controls/privilege management, firewall policy and device security for example.
Ensuring lawyers and staff also have a common base level of situational awareness, are fully aware of the available systems/policy and have an opportunity to ask security questions pertinent to their day to day working without embarrassment or fear, is equally vital. Risks associated with responding to phishing attempts, downloading malware, using unsecured wifi and device/data management are all in the hands of the individual lawyers at the end of the day. Yet, it is also the firm’s reputation at risk. Organising regular security sessions already form part of the plan to strengthen the collective defence where the more progressive law firms are concerned, and this will hopefully have a ripple effect right across the industry.
In all, with the cost of the worst breaches more than doubling year on year* and the likelihood of a breach on the increase, a tailored response, spanning process, systems and people, ranks in our top three priorities on the IT agenda for law firms.
We are ‘always on’ in our personal lives and, as the boundaries of work and personal lives continue to blur, the shift in expectations extends into the lawyer/client world as well.
Technology that enables lawyers to be effective and efficient in the delivery of services to their clients is no longer a ‘nice to have’, it is imperative. Cloud offerings, in various guises, go a long way to enabling extended hour working and removing location restraints that may have once been associated with delivering legal services to clients. When assessing your cloud choices, our advice is always to keep things flexible and make sure there is no tie-in for the longer term (contractual or hidden!).
There is no getting away from the fact that, even with industry-leading secure IT systems in place to provide the working flexibility you need, you may experience small hiccups with your day to day IT from time to time. The same is true even for employees within the largest of enterprises with the biggest of IT budgets. An issue may not be a widespread IT infrastructure problem but, if it affects one lawyer, it may hold up time-critical work on a case, impacting that lawyer’s reputation and subsequently the reputation of law firms. Where IT is not provided as an in-house function, making sure an expert is contactable, somebody who can help outside of 9am-5pm when case work is ongoing, can give lawyers and clients additional peace of mind.
Such is our reliance on IT systems these days, the quality and availability of IT services being provided can have a direct impact on the service lawyers are able to deliver to clients. Asking questions of your IT partner such as a/ how they track, measure and ensure client satisfaction and, b/ if service guarantees have been agreed, whether these are automatically tracked and any service rebates paid as a matter of course, or whether the client has to apply for such rebates, are typically good base indicators of whether a partner shares your emphasis on service excellence.
The performance of core IT infrastructure has improved across the board to the extent that it is often easy to take this for granted and perhaps await an operational outage, such as a power or hardware failure, to bring the need for IT Disaster Recovery to the forefront of IT discussions. However, such failures might have significant repercussions if recovery plans have not been given due advance consideration.
The implications of putting DR on the backburner could of course be worse still. Sadly, the not-too-distant memory of the Holborn fire and threats of terrorist activity are very real reminders of this. In the case of the Holborn fire, some businesses were without power and their primary Internet connection for days, even given the credible response by the various services. We certainly hope that this type of incident is not to be repeated but the more comprehensive DR plans consider even the less likely events.
By identifying core services and systems – typically email, case management system, diary, files and phones as a minimum in the case of law firms - we can start to think about the impact of the various possible event levels, from the most likely incident type such as extended power outages or hardware failures, to a primary Internet connection outage, to the extreme scenario of not being able to access the building or primary IT servers. With some careful consideration, a plan can be drawn up and recommendations can be prioritised in accordance with the probability of the event.
Back-ups are undoubtedly a very important part of the DR planning process but, even with offsite back-ups in place, crucial questions still need to be asked about guarantees around the recovery time of back-ups and how such back-ups would practically be accessed in case of an event.
As with other aspects discussed, technological developments mean that DR solutions can now be crafted in such a way that financial outlay for law firms needn’t be prohibitive in order to guarantee service delivery requirements, so even if you have looked at this before, the message is to revisit DR. It is absolutely possible to remove the ‘what if’ IT worry and the headache of managing client expectations and financial implications that would go hand in hand with any period of significant downtime.
When it comes to legal IT, there could be a long list of recommendations. In our experience, the IT priority list can be reduced to a vital three: security, flexibility and stability, giving law firms a firm foundation to survive and thrive as the legal landscape continues to evolve.
- 2015 Information Security Breaches Survey, conducted by PwC