This article was originally written and posted on Law.com by Chuck Davis on February 20, 2019.
The practice of law dates to ancient Greece and Rome. While there have been many changes over the course of the years, never in history have regulations been as mandated as they are now with the use of technology. While at their core the primary duties of today’s attorney are to draft legal documents and communicate with clients, this workflow touches many systems, and work product is accessed across a wide variety of repositories and devices.
Over three decades we have witnessed the introduction of email, document management and, of late, the cloud. While the objective has always been to make the modern attorney more efficient, with great technology comes greater responsibility. Today, the fact that a firm invests in IT brings with it the duty to protect information and reduce risk to the firm. It wasn’t long ago that the industry was abuzz over HIPAA. Now we’re focused on regulations from clients, states and foreign governments. Many of the Am Law 200 have invested in obtaining certifications such as SOC 2 and ISO 27001.
Regardless of size, what are the best practices a firm should follow? The first order of business is to comprehend that security is an essential component, much like technology itself. Furthermore, firms must understand that no single security component is 100 percent effective. When thinking about security, firms must accept that layers offer the most protection in this ever-changing landscape.
Before discussing which layers are important, we must get firm leadership to agree that security must be contemplated at the business, operations and technology levels. From a business standpoint, partners must designate security as a keystone focus of the legal practice. This includes making the decision to invest in the people, process and products necessary for security and to mandate that security is required to practice at the firm. Just this philosophy will shift the paradigm from a reactive to a proactive security methodology.
Next comes operations. At this level leadership must be committed to implementing and enforcing security processes, controls and solutions. While this does introduce change management concerns, building security into the firm’s workflow makes it simpler to respond to compliance audits and easier to attract and maintain clients with the most profitable matters. Of course, no security strategy would be complete without introducing the solutions themselves.
Using a visual representation of a layered cake, we begin at the bottom and work our way up. Below we’ll outline the layers of security comprising the baseline plan for legal technology.
Layer One: Secure Sign-On. Gone are the days when changing your password frequently was good enough. Here to stay are 2FA (two-factor authentication) and SSO (single sign-on). 2FA combines the elements of something you know (e.g., your password) and something you have (i.e., your mobile phone) to enhance login identification. SSO is employed when a user wants to sign in once and then seamlessly pass that identification to several systems, for example, Office 365 and a cloud-based DMS provider. It’s a lot like TSA Precheck: Once you’re validated, you’re good to go! Given that a login is required to gain access to network resources, these identity providers must be at the top of your security plan.
Layer Two: Data Encryption. Work product is stored in various repositories and on numerous devices. To remain compliant, data at rest must be encrypted on computer hard drives, on server disks and by your cloud providers. Data must also be secure when traversing the internet. Most modern applications talk using HTTPS, which may eliminate the need for virtual private networks often requiring extra steps to establish connectivity. Data cached on computer hard drives can be encrypted for free using BitLocker, which is built into Windows 10. When speaking with cloud providers, be sure to discuss how data is encrypted within their systems. Many of the leading vendors now offer CMEK—customer-managed encryption keys. While this option is often provided at an additional cost, the added layer permits a firm to control who has access to its data. For example, if the cloud provider hands over data to a third party, the information is still inaccessible without the customer’s managed key.
Layer Three: Enhanced Email Security. It’s no longer good enough to just scan emails for viruses and spam. Modern email security options such as Mimecast incorporate targeted threat protection, including sandboxing, where attachments are detonated in the cloud to check for malware. They also include hyperlink rewriting, where providers validate hyperlinks before rendering them to users. Finally, anti-spoofing can mitigate the risk of phishing attacks. In our practice we’ve found that the most common and detrimental attacks are ransomware. These outbreaks often infiltrate a firm via email and must be guarded against to prevent a firm-ending disaster.
Layer Four: Secure File Transfer. Emails which are too large or too sensitive should never be sent as attachments. Leading DM and email security vendors offer built-in secure file transfer utilities to encrypt and package attachments. Firms should check with their providers about these options as often this functionally is available and can eliminate the need to purchase additional products.
Layer Five: Mobile Device Management. The progressive attorney works using three or more devices. Endpoints include laptops, smartphones, tablets and Mac platforms. The challenge is how best to manage this plethora of hardware and prevent unwanted devices from joining the network and storing data on local devices. Enter mobile device management. Solutions such as Microsoft Intune control and broker which devices can join networks and manage the data saved on endpoints. For example, should an attorney leave the firm, MDM can unenroll devices and wipe only firm-specific accounts and data.
Layer Six: Policy Management and Behavioral Analysis. These platforms are beginning to gain momentum as firms consider need-to-know models for client/matter data access. Products such as Security Policy Manager and Threat Manager from iManage build on top of its Work DM platform to establish additional layers. With SPM firms can implement and manage ethical walls and need-to-know security where, for example, members of litigation are the only people who have access to that content. Additionally, Threat Manager leverages existing DM history to establish baseline user behavior and alert management should a sudden change develop. Put into context, the change could be a lawyer planning to leave the firm or a bad actor who’s compromised an attorney’s credentials.
Layer Seven: Get Your Head Out of Your Infrastructure! Think cloud for core and secondary systems. Email is quickly migrating to Office 365, and vendors have built secure “zero trust” DMS platforms, which are ready, secure and highly available. Positioning technology with best of breed cloud providers permits IT managers to focus less on infrastructure and more on security and strategy.
While all layers of security are important, remember that there is no substitute for the essentials including traditional anti-virus software and daily backups. When you are thinking about backups, keep in mind that these must be encrypted, and best practices include keeping a disconnected copy to protect against ransomware. Security has changed the world in which attorneys work. Implementing security in the business, operations and technical layers of your firm will provide the most protection and help differentiate your firm as a leader in the industry.