
Is your law firm or legal department safe from prying eyes? IT expert André Meyer offers advice on keeping up to date and safe

Security is a subject that I often discuss with lawyers considering adopting cloud computing into their working life. Most believe their computer systems and working behaviour render their current environment secure; however, this is far from the truth.

There is a perception that if a firm moves their data to the cloud, this would weaken their data security and increase the likelihood of being hacked. But the complete opposite is true. Security has a much wider meaning, and requires both technical and operational processes to work together. Security is not a destination – it is a journey.

Today lawyers spend time drafting documents, sending and receiving emails, and recording their time costs and disbursements to enable billing to be performed. If any of these business functions cannot be performed, it is a security risk to the business. This has nothing to do with the perception that most lawyers would have – that security is only about unauthorised access to a document or an email.


Another example of a security risk would be if a firm could not operate from, or gain access to, its current office premises. This would be a major risk to survival and their professional obligations, yet this point has nothing to do with hacking.

Here are some other ideas that fall under the term “security”, including areas that law firm partners and counsel should be vigilant about.

Email management

Record keeping. How have firms and legal teams managed the transition from letters and faxes to emails? How does a law firm manage email and correspondence with clients and counsel?

If a partner is responsible for the content of every email that leaves a firm, what policies does the firm have in place to protect itself when a partner no longer sees every communication before it leaves the office? Should this issue be considered an area of security risk to the firm? I believe it should.

If discovery is required, can a firm or legal team be 100% confident it can locate every single message sent to or received from a specific company in the past three years? How long would it take to do this, and at what cost? How does a firm or legal team archive emails once an employee leaves? Do they just delete an email box?

My experience is that small and mid-sized law firms manage email very poorly. Often they use a post office protocol 3 (POP3) email server. POP3 defines the way that the server communicates with the email client on your desktop, and results in email being pulled down from the server and stored on a user’s computer, normally in Microsoft Outlook. A POP3 server is the standard that an internet service provider (ISP) may provide if they host a law firm’s email, and is common among Linux-based email.

So what happens next? The partner cannot get his email when he is not in the office, so he then forwards copies to his personal email account. So the combination of technology and behaviour renders this a quite insecure way to manage the business records of the firm.

Emails often contain confidential attachments that are not password-protected, and this carelessness leaves the information open to interception as it is delivered between parties. Depending on the settings of an email server, staff may also be pulling emails down to home computers and storing data on devices not controlled by the firm. All of this increases the security risks of the firm.

With regard to email, did you know that Outlook can edit every message in your inbox and change the content and meaning without a single indication on the message that it has been altered? Can you trust emails in a court of law as evidence if you store them on a user’s PC in Outlook?

Email backup

Law firms seldom back up a user’s PC, so the only copy of vital business records remains unprotected. This is a security risk. Would this information be more secure in the cloud? Of course. The cloud is basically a very large bank of computers located in a secure data centre somewhere in the world. The data centre would have redundant, or backup, power supplies, redundant data communications connections, environmental controls (air conditioning, fire suppression, etc.) and security devices. The facility itself would be manned around the clock, have restricted access, and offer an expected uptime or availability of over 99%. These facilities can never compare to a server sitting in the back room of your office.

Email has now become a mission-critical application. To resolve issues surrounding email availability and business continuation, the mail server should be outsourced to one of the major cloud providers, such as Google or Microsoft. For businesses in China, Microsoft offers the most reliable solution, whereas in India Google’s offering has special pricing so is very attractive.

Both vendors also offer compliance-based archiving, where a blind copy of every message delivered by the server is captured and can be retained for up to 10 years. The fact that the email server is now cloud-hosted means emails are available on your smartphone, tablet or computer at home. Everything is now “in sync” between all devices, so there is no need for messages to be forwarded to personal accounts simply so you can work.

But what happens if your phone is lost or stolen? Google and Microsoft support remote wipe. There is also a free service available from Cisco Meraki for laptops and mobile phones allowing remote wipe. Visit http://meraki.cisco.com/products/systems-manager to sign up.

Document security

Documents are the next big area of management for law firms. There is always a risk if documents are lost, or costs associated with recreating a document for a second time. Often only a secretary may know where the document has been saved, creating delays when that person is not available.

In the past, document management systems have been expensive to adopt for a small law firm or in-house counsel; however, cloud computing enables even one lawyer in a firm to adopt a system from as little as US$20 per month. Microsoft offers SharePoint, but I would recommend NetDocuments, which is designed specifically for the legal industry. Lawyers can just sign up and start managing documents and filing emails from Outlook against each matter they are working on.

Some of the reasons firms and legal teams should consider cloud document management include:

  • Documents are stored in a much more secure computer environment than a Windows server or PC in your office;
  • The system provides a single location for all documents, emails and precedents to be stored, allowing around the clock access from anywhere in the world and from any device;
  • Document version control, access management and history audit trails enhance overall document integrity;
  • Conflict of interest searches are easy to perform as all documents are fully indexed. Simply search the document manager for the keywords in question;
  • A shared workspace allows documents to be shared in a secure way with counsel, without the need to be emailing sensitive documents out of the office;
  • Emailing secure URL links to documents removes the need to send copies of documents across the internet;
  • The need for secretaries and lawyers to remember how documents should be filed is removed – simply complete a document profile and the system files the document automatically;
  • A means of knowledge management and knowledge sharing among peers is provided;
  • Copies of all documents in the cloud can be sent back to the office in real-time, so there is an automated backup offsite and a secondary copy onsite.

Metadata and other risks

Whenever a document is created, opened or saved in Microsoft Word, the document may store information that the lawyer concerned had no intention of including or disclosing. Metadata, which is information generated in the process of using technology, are used for a variety of legitimate purposes, and add functionality to the editing, viewing, filing and retrieving capabilities of Microsoft Office.

However, if some of this information is passed on to inappropriate parties, that disclosure can create adverse consequences for a law firm and its client. To avoid this, make yourself familiar with the types of metadata contained in your documents and take steps to remove them whenever necessary.

Some metadata are readily accessible through the user interface of each Office program. Other metadata are only accessible through extraordinary means, such as opening a document in a low-level, binary file editor.

Some examples of metadata that may be stored in your documents are:

  • The writer’s name and initials;
  • The law firm or company name;
  • The name of your computer;
  • The name of the network server or hard disk where you saved the document;
  • Other file properties and summary information;
  • Non-visible portions of objects that link and embed (OLEs);
  • The names of previous document authors;
  • Document revisions and versions;
  • Template information;
  • Hidden text or cells;
  • Personalised views.

Microsoft Document Inspector is built into Word 2013. Use this to clean a copy of your original document, because it is not always possible to restore the data that the Document Inspector removes. I also recommend products called iScrub for metadata cleaning and metadata policy enforcement, and Workshare Protect Server, which can integrate with a Microsoft Exchange Email Server to clean all attachments that leave an organisation.
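The following Python example is added here and is not from the original article. It lists several of the metadata items named above from a Word .docx file, assuming the Office Open XML format (a ZIP package of XML parts); the sample document, names and figures are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer a hardened parser such as defusedxml

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
CORE, APP, BODY = "docProps/core.xml", "docProps/app.xml", "word/document.xml"
PROPS = {"creator", "lastModifiedBy", "Company", "Template"}

def audit_docx(data: bytes) -> dict:
    """List metadata a recipient could recover from a .docx given as bytes."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in (CORE, APP):  # author, firm and template properties
            if part in pkg.namelist():
                for el in ET.fromstring(pkg.read(part)).iter():
                    tag = el.tag.split("}")[-1]
                    if tag in PROPS and el.text:
                        found[tag] = el.text
        body = ET.fromstring(pkg.read(BODY))
    # Tracked changes: deleted wording stays in the file until accepted or rejected
    found["deleted_text"] = [t.text for t in body.iter(W + "delText")]
    revs = list(body.iter(W + "ins")) + list(body.iter(W + "del"))
    found["revision_authors"] = sorted({r.get(W + "author") for r in revs if r.get(W + "author")})
    # Hidden text: runs carrying <w:vanish/> (w:val="0" or "false" switches it off)
    found["hidden_text"] = [
        "".join(t.text or "" for t in run.iter(W + "t"))
        for run in body.iter(W + "r")
        if any(v.get(W + "val", "true") not in ("0", "false") for v in run.iter(W + "vanish"))]
    return found

def build_sample() -> bytes:
    """Constructed sample: only the three parts read above, not a file Word would open."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>A. Partner</dc:creator><cp:lastModifiedBy>J. Associate</cp:lastModifiedBy></cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<Company>Example Law LLP</Company><Template>ClientLetter.dotm</Template></Properties>')
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>Our offer is </w:t></w:r>'
           '<w:del w:id="1" w:author="J. Associate"><w:r><w:delText>USD 2m</w:delText></w:r></w:del>'
           '<w:ins w:id="2" w:author="A. Partner"><w:r><w:t>USD 3m</w:t></w:r></w:ins>'
           '<w:r><w:rPr><w:vanish/></w:rPr><w:t>walk-away figure 2.5m</w:t></w:r>'
           '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in ((CORE, core), (APP, app), (BODY, doc)):
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_docx(build_sample()))
```

To check a real file, pass its bytes to `audit_docx`, ideally on a copy both before and after cleaning, to confirm the fields are gone.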

PDF files can be password-protected or configured to block the ability to print or copy-and-paste text from the document. PDF files provide various formats including PDF/A (PDF for Archive), which is a format for long-term document preservation. So, consider the correct format of PDF when creating and sharing information. PDF tools are available from various vendors in addition to Adobe. PDF-Xchange is another tool recommended.

On a side note, Adobe Acrobat offers great functionality for law firms including document portfolios and Bates numbering. Document portfolios are great for creating a document bundle and then automating the numbering, and/or referencing every page in the bundle.

Network security

The computer network of an in-house team or law firm has many areas that can be compromised. Often networks grow without much of a plan, or appropriate equipment.

The first area to secure is the connection between the network and the internet. A “business-class” firewall should be installed so that the traffic entering and leaving the office can be managed. For example, a law firm may wish to block access to Facebook or Hotmail, or block FTP (file transfer protocol) services to ensure files cannot be uploaded to servers over the internet.

The firewall should also offer a VPN (virtual private network) service. This allows a user from outside the office to create a secure connection into the office. This connection would be an encrypted tunnel between your home computer or laptop and the office network. This is the recommended way to access network resources from outside the office.

Many firewalls also offer web security modules that inspect and clean all web pages that are visited by staff for malware and viruses before they are delivered to a browser. This is a worthwhile option that reduces risk.

WiFi networks should also be managed by the same firewall security as the network. Often, businesses buy a WiFi device designed for home use and instal it in their office without any ability to control the access rights of a user once they are connected. This can open up the network to devices that can copy documents out, or have viruses installed back onto the network. This is a security risk.

WiFi access points should be integrated into the network and controlled. Mobile phones should not have access to the network, but be directed out to the internet for email or browsing. Guests who need access should be treated in the same manner, without the ability to access network resources. If notebooks are registered with the firm, then they can be allowed network access, whereas unregistered notebooks should not be able to access network servers and resources.

Other products that carry security risks are solutions like Dropbox and Logmein. Solutions from these companies allow files to be synchronised from a user’s PC to any computer outside of your office, possibly to opposing parties. You simply do not know. Logmein offers a shared printer solution that could allow a user to print to a home printer, or even a printer in another law firm. These solutions offer risks that are very difficult to control without tight IT policies.

WiFi and firewall management products are available from companies such as Sophos and Cisco Meraki. Sophos also includes end-point management, which covers anti-virus for the desktop and USB device control. This allows files to be transferred between computers within the office via registered USB sticks, but if removed from the office the files will remain encrypted and cannot be copied off.

Not allowing any unauthorised software of any kind to be installed on any office PC will reduce data security risks. IT policies should include keeping Windows and all business applications patched and up to date. Ensure the most up-to-date browsers are used from either Google or Microsoft.

Reliable backups are required for all businesses. In the past, a tape drive would run once a night to take a snapshot of all files as they were at 10:30pm each night. Today, however, continuous backup solutions protect your data every minute of the day. As soon as any file is created or changed, a copy can be sent offsite to a cloud backup server. Workstations and laptops can also be included.

This is a great solution for laptops as you do not need to be in the office to have a backup performed, and if you need to restore data it can be done from anywhere in the world. Cloud backup is now the cost-effective way to protect your data. Pricing for these solutions is between US$0.40 and US$0.50 per gigabyte per month.

Some vendors offer cloud-to-cloud backup. For example, if you were using Google Apps for Business as your email platform, vendors such as Backupify offer daily backups of your Google Cloud systems to an Amazon Cloud storage server managed by their software.

Time and billing

Firms that under-utilise technology lose valuable time, are less productive, tend to be more error-prone, and are at greater risk. Adopting computer-based time recording and billing systems ensures accurate records are kept, enabling timely billing and increasing the chances of prompt payment and positive cash collections each month.

To ensure cost recovery is accurate, consider integrating cost-recovery systems into your time and billing so that accurate data is always available. Staff can concentrate on billing and cash collection and not on entering photocopier charges every day. Time and billing databases can be hosted in the office or in the cloud.

Enhancing your brand

The type of technology implemented by an in-house legal team or law firm says a lot about a company or firm. Having a secure and well managed computer network can be leveraged when attracting new clients, as your firm uses the latest technology to ensure you are as efficient as possible. This provides an appropriate image in the minds of clients, and is also an important image when trying to attract and retain staff.

If computer systems are 10 years old, timesheets are on paper and email is never reliable, then attracting and retaining the young staff required to help grow a business will be a challenge. Providing lawyers with the best tools to do their work will ensure they are profitable and productive, and may make them think twice before moving.

Security has a wide meaning, and by following some basic rules you should be able to provide a secure working environment for everyone involved.


André Meyer is managing director of Cloud Solutions and has worked with law firms and counsel in Hong Kong and China for over 20 years, helping to develop their IT systems
