The realities of the pandemic not only forced the legal industry to work from home, it forced the annual conference of the International Legal Technology Association (ILTA) — the traditionally much-anticipated ILTACON — to go virtual as well, transforming the event into ILTA>ON. That change also re-focused much of the event on the current challenges the legal industry faces.
Indeed, many of the sessions discussed navigating and prospering in remote work environments, ranging in topics from maximizing the opportunities and innovations remote work can yield, to tips on how to be your best self on the other side of a Zoom screen. But an old problem is now more threatening than ever: the problem of security.
The panel It Takes a Village, moderated by Karen Campbell, Director of Global IT Operations at Simpson Thacher & Bartlett, attempted to tackle this problem.
The It Takes a Village initiative (ITAV) series has been a component of ILTA’s LegalSec community, which addresses core security issues collaboratively. Originally, ITAV began by addressing five legacy technologies that posed security risks, such as Flash and Internet Explorer, before morphing into a webinar series for the legal industry.
After introducing ITAV to attendees, the panel dove in on security threats and whether the remote work world we see now was going to be transformative. Panelist James McKenna, CIO at Fenwick & West, said the days of looking at security as an “option” are over, and security must not only be incorporated into design, it must be foundational to products and legal services delivery. McKenna made clear that it has never been easier for well-intentioned people to make mistakes, magnifying the need for security to be a top consideration for law firms and legal industry vendors.
Panelist Dean Leung, Chief Customer Success Officer at iManage, noted this gradual, yet continual security attention has already happened in mobile apps that deliver consistent updates that improve app security. This approach is ripe for the tech lawyers use, Leung added, and both he and McKenna noted that security is part of the culture now at many law firms.
Another panelist, David Forrestall, Managing Partner at SecurIT360, said his company has given security assessments at the practice-area-level of law firms and has observed improvement by virtue of good partnerships. He notes law firms are infusing security with management and extending it to their internal and external security partners, as well as leaning on security vendors for better security tools.
However, remote work still exacerbates the job of securing the people and technology of a given firm. It’s one thing to secure the in-office machines, but another matter entirely to control the environment of a remote worker, McKenna explained, adding that, for example, home wifi firmware, if not updated, opens a remote worker to security risks.
Out with the old and embracing the cloud
Yet security improvements and updates to a company computer are not sufficient on their own. Leung recommends the bitter pill of a breach plan. Breaches do happen, he argues, and the legal industry is not a top performer on security scorecards. If it comes to that, he added, security professionals within the firm should have a plan in place and be able to communicate that plan nontechnically to general counsel, risk personnel, and law firm leadership.
In this spirit, McKenna noted he is pro-cloud and strongly dislikes the life support law firms still give to old, unsupported tech. By embracing the cloud, firms can remove themselves from the position of having to keep older tech alive and keep trying to secure a 20-year-old product. Further, the security tradeoffs of online services outvalue sustaining these legacy applications even if an attorney may be more comfortable using them. For those older products, the panel suggested that they should be put on the network, and firms also should decide whether the older application needs to access the internet, or can be housed on a guest wireless or non-firm network so that any problems can be isolated.
Addressing these questions will allow the firm to hedge against security vulnerabilities in older technology which the firm feels it may still have to run, Forrestall said, adding that even in those cases, attorneys should be educated as to the risk of using those products.
Looking at threats on the horizon, Forrestall identifies ransomware and business email being compromised as the biggest future threats to firms today. One new ransomware issue he discussed is exfiltrating data, where a firm is threatened by having stolen client data exposed to the public. This ups the ante on protecting client information in the remote environment as well, especially for non-cloud users, he said.
Demonstrating how easy it is to become a victim of ransomware, Forrestall explained that if firm attorneys email documents to themselves to work on at home, their local machine is a vulnerability bad actors can capitalize on. Criminal hackers may only get a few documents or samples, but they may claim they infiltrated the entire firm. Is the criminal bluffing? It is difficult to determine, especially for a firm that isn’t great on information governance and knowing where all its information is housed.
In summation, Leung described security as a journey — it is ongoing, and the stakes are raised every year. Firms should focus on the low-hanging fruit and do the doable, such as home network components, he added.
All the panelists agreed that today’s remote work environment would continue for the foreseeable future, and savvy law firms will prioritize security health to persevere in the pandemic and beyond.