LAWTECH The Law Technology Magazine
Issue 3 | May 2015
Insights from Law + Tech experts Minimise your dataâ€™s promiscuity
Safe collaboration in the cloud
Social media for better business
e v a H you heard? Proclaim® is the only Practice Management Software solution Endorsed by the Law Society. It speaks volumes that Proclaim, Eclipse’s market-leading system, is the solution of choice for 22,000 legal professionals in 800 organisations. Proclaim encompasses practice, case and matter management, and is now the only system to be endorsed by the Law Society.
From new start-ups to industry heavyweights, Proclaim is the system of choice for forward-thinking law firms. • • • • •
Fully integrated Practice Management Software solution SAR-compliant legal accounting End-to-end case and matter management workflow processes Ready-to-go workflows for specific practice areas Fast to implement, easy to use
stration – see the P tact us for a demon
CALL 01274 704 100 www.eclipselegal.co.uk/lawsociety firstname.lastname@example.org
REGULARS 4 Editorial – “Every company is a media company” 5 News – The team’s choice from our news blog BETTERBUSINESS 12 Cut the cost of eDiscovery 22 Why we need human firewalls 28 Social media for better business? 34 More effective client relationships CASESTUDY 18 How Osborne Clarke maximises its performance 40 Howells’ experience with voice-recognition ITSYSTEMS 10 Protecting data in end-of-life equipment 42 Disaster recovery LEGALTECHNOLOGY 8 Manage your referrals 26 Help your users to protect you 32 What next for legal technology? 38 Five steps to client data safety OPINION 16 Will barristers move to the cloud? 24 Secure and efficient cloud collaboration 30 Communications monitoring is key to data security LAWTECH May 2015
MD/Publisher: Partha Goswami email@example.com Editor: David Tebbutt firstname.lastname@example.org Advertising Sales: Robert Handley email@example.com Design: Dominic Kershaw firstname.lastname@example.org The views expressed in the articles and technical papers are those of the authors and are not endorsed by the publishers. The author and publisher, and its officers and employees, do not accept any liability for any errors that may have occurred, or for any reliance on their contents. All trademarks and brand names are respected within our publication. However, the publishers accept no responsibility for any inadvertent misuse that may occur. This publication is protected by copyright © 2015 and accordingly must not be reproduced in any medium. All rights reserved. ISSN 2055-6608 Printed by Buxton Press Limited, Palace Road, Buxton, Derbyshire SK17 6AE Arjun Media 26 St Thomas Place, Cambridge Business Park, Ely, Cambridgeshire CB7 4EX Tel: 01353-644-056
4 LAWTECH May 2015
hat a terrific bunch of people we have writing for us this month. They are all experts in their various fields and, despite the majority working for vendor organisations, they’ve all made a real effort to talk to you and address your needs. It’s not easy for them; they must feel tempted to give their products and services a little mention in every paragraph. But they’ve resisted heroically. The result is a collection of articles, which we hope you find interesting and informative. Yes, each is written by someone who knows his or her company better than any other, but show me someone in a senior position that doesn’t have wider experience of the marketplace. Most bring a broader perspective, and it shows. You will find that some articles overlap others but these different points of view will all help to round out your own perspectives. We are not here to guide you in a particular direction but we hope that by laying out these different viewpoints, article by article, issue by issue, that you are better placed to make your own tough decisions about which strategies to pursue and what sort of vendors you’d like to work with. For me, it’s a great honour and privilege to be able to take this fresh approach to publishing. No one who’s been aware of changes in the media over the past fifteen years can fail to have noticed a rise in the
“Every Company is a Media Company” sentiment. This phrase was first coined ten years ago by Tom Foremski, a former journalist who left the Financial Times after 30 years to found the Silicon Valley Watcher blog. He’s seen first hand how important it is for companies to share their knowledge, usually through their own online media. He has helped many companies achieve this by applying strong editorial standards to the process. And this is where we come in. We’re an independent publication with a strong editorial ethos that believes in giving the experts a chance to engage with a carefully selected audience. And that’s you. Thank you for reading LawTech magazine. We have some great issues planned for the future. The feature themes for the coming year are detailed on the website. The backdrop of ‘security’ and ‘cloud’ will always be there, but if there’s anything else you’d like us to cover, please drop me a line.
David Tebbutt Editor - LawTech Magazine
Our pick of the LawTech website’s news stories since the last issue
Do you put your clients first? Everyone likes repeat business and good references. And these can only come from satisfied clients. Yet, to see how some organisations behave, you’d think the customer was the enemy. This is especially true of smaller law firms, many of whom adopt a ‘me-first’ position, rather than a ‘client-first’ one. LexisNexis explores the issue in its 2015 Bellwether report, The Age of the Client. It researched 118 lawyers and over 500 active clients. The law firms chosen were up to 20 fee earners (75 percent) and sole practitioners (25 percent). The clients’ perception of lawyers differed from their self-perception. Averaged across 14 services, lawyers gave themselves 85 percent but their clients gave 63 percent. More brutally, 80 percent of lawyers rate themselves ‘Above Average’ for service, but only 40 percent of clients agreed. The report analyses the issues in much more detail and outlines the essential next steps for greater success.
must also have a private pilot’s licence, at minimum, and a current medical certification. The drone must remain in sight at all times. For the thing to work, it will need an on-board camera but, to comply with the UK’s Data Protection Act, it cannot take pictures which can identify individuals. Not without seeking permission from them, anyway. Perhaps the supply of a mug-shot and permission to use it to identify the recipient would be a condition of the service agreement. What if it crashed to the ground or collided mid-air with another drone, helicopter or aeroplane? It could cause considerable damage to property, people or livestock. And it would almost certainly damage the goods being carried. UK regulations also put distance limits of between 30 and 150 metres of people, depending what it’s doing and how many people are involved. It cannot go nearer than 50 metres from any vessel, vehicle or structure which is not under the control of the person in charge. Makes you wonder if the Amazon idea is just a publicity stunt. But, if it’s not, it will open an interesting new field of litigation.
RIP Windows Server 2003
Legal risks of drone deliveries Amazon’s been given permission to test delivery of goods using drones. If the US Federal Aviation Administration (FAA) gives Amazon the all-clear, pressure will be increased on the UK authorities to follow suit. The FAA insists that the pilot flying it
After July 14, Microsoft will stop issuing security updates for Windows Server 2003. To remain protected, Microsoft advocates migrating to Windows Server 2012 R2, Microsoft Azure or Office 365. According to Converge Technology Specialists (ConvergeTS), “Law firms need to act now or face security risks, cyberattacks and lost opportunities.” It adds, “Although Windows Server 2003 software will still operate, the support and security patches will officially end. This will place
confidential information at much greater risk from hackers and malware attacks, and could bring down core systems such as case and practice management and email, making it impossible to trade. It also means no new updates, resulting in a less powerful and responsive management system.” The company offers a free audit and advice on how to migrate. It could also work closely with your internal staff to help you maximise the business benefits of your migration. www.convergets.co.uk
ShepWedd retains Ascertus Shepherd and Wedderburn LLP called in document and management solutions provider Ascertus to migrate 2.1 million assets from cloud-based NetDocuments to its own preferred in-house HP Worksite email and document management solution. Now, it has awarded Ascertus the contract for the complete ongoing support of its 500-user Worksite system in its offices in Edinburgh, Glasgow, London and Aberdeen. These services include: online customer call logging; escalation and review; access to knowledge; managed software updates; consultancy and development services for integration projects, data imports/ exports, data conversions and database amalgamations. Later this year Ascertus will help the firm upgrade to the latest version of the solution. HP says “WorkSite easily handles document and email management, placing data in digital files, making them easier to find, share, and reuse.” (You may be mildly interested to know - in view of the ongoing legal tussles between HP and Mike Lynch - some of Autonomy’s exceedingly clever software runs at the heart of Worksite.) wwww.ascertus.com www.shepwedd.co.uk LAWTECH May 2015
THE OSPREY LEGAL CLOUD
Full Function, Web Based, Practice Management Software for your Law Firm, for just £45 per user per month, with no upfront costs.
• Customer Relationship
• SAR Compliant Accounts
• Comprehensive Reporting Suite • Integration With All Email
• Integration With Land Registry,
Credit Checking, SDLT & Money Laundering
• Time Recording • Document Automation • Document Management
• Turnkey Case Management Setup
• Online Case Tracking - to
include Virtual Deal Room and Conveyancing Chain View.
• FREE Legal Forms
Unlimited FREE training with the Osprey Academy. Holistic, structured learning courses for your staff.
THE OSPREY LEGAL CLOUD Celebrating almost 30 YEARS at the cutting edge of software design.
Telephone: 03300 604 940 6 LAWTECH May 2015
Carpe Diem timekeeping redesign Tikit, part of BT Group, has announced Carpe Diem Next Generation timekeeping software, a completely re-engineered and functionally-rich timekeeping solution for legal professionals. It’s apparently the outcome of a $2 million development project. According to Tikit, it’s so easy to use, “it virtually eliminates the need for user training.” It is a web-based (HTML5 ) application that works on all modern browsers on any desktop, mobile device or tablet. It combines different time capturing technologies, removing the need for “bolt-on time capture functionality”. Its reporting dashboards include reports on the lag between time spent and income received. Tikit likes to call this “velocity of time capture.” Peter Zver, President, Tikit North America , describe Carpe Diem Next Generation as, “End-to-end timekeeping for the modern professional – mobile time, contemporaneous time, passive time and ‘traditional’ time entry all in one, with one user interface and one, consistent user experience.”
Sensitive Data Finder’s searching power includes proximity searches, Named Entities, and optical character recognition to locate specific information across the contents of individual computers, log files, email systems, file shares, cloud services, databases and other enterprise storage systems. It works by deploying lightweight Nuix Engine Instances onto endpoints across an organisation to conduct these searches without storing a permanent index. This means that customers can run rapid distributed sweeps and audits without having to build complex server or storage infrastructure. Early adopters in the USA use it to improve compliance with privacy laws, regulations and industry standards, such as PCI-DSS for payment card data. It also helps them identify and manage highvalue data such as contracts. Julie Colgan, Head of Information Governance Solutions at Nuix, said, “By finding and remediating inappropriately stored sensitive data, organisations can improve compliance, manage business risks, and minimise the opportunities for it to escape though cybersecurity breaches, malicious insiders, or accidental losses.”
Nikec’s collaboration extranet
Find your sensitive data Sensitive Data Finder, from Nuix, quickly and precisely identifies high-risk and highvalue information wherever it is stored. Once you know what you’ve got and where it is, you can set about protecting it from breaches - both deliberate and accidental. A common theme that emerges from breach investigations is that the victims couldn’t adequately secure their sensitive data because they didn’t know what they had, where it was, and who had access to it.
Nikec Solutions has announced the availability of Nikec Hub, a secure onpremise or cloud-based environment for collaboration and communication on matters, projects and documents between law firm employees and with their clients. Teams can store, access, share and edit documents and exchange ideas and comments. Its open APIs provide a means to integrate with existing systems, such as finance or document management, meaning that other essential documents can be securely surfaced within the Hub. According to Nikec, “Individuals are able to set up an extranet site in minutes without the need for IT intervention and can customise the look, feel and layout to
suit their own personal, client or project requirements. It fully supports mobility so workers can access, review and edit documents from their mobile devices and stay up-to-date with colleagues and clients at all times.” Nicholas Child, the CEO of Nikec Solutions, noted that the product was developed, “after extensive market research and input from various law firms.” With its 17-year experience working with such firms, it is well-placed to make such a claim. Delivery and implementation is taken care of by the company’s a dedicated inhouse professional services team. www.nikecsolutions.com
And Finally... Ten Florida lawyers from Gray Robinson decided to jettison their traditional desks in the interests of health and productivity. They showed off their new workplaces to Tampa’s Bay News 9 (vimeo. com/121170911). Richard M. Blau installed a treadmill where his desk used to be. He now walks and works at the same time. He can set the treadmill to less than one mile per hour but still cover seven to eight miles in the course of a day. Woodrow H. “Woody” Pollack went for a rather hi-tech hydraulic desk, at which he stands. He claims he’s less tired at the end of the day and that both his productivity and his health have improved. Andrew J Mayts, Jr (Andy) showed off his lap desk - rather like an angled tray, that he takes to wherever he wants to work. Okay, the lap desk doesn’t really combine law + tech, but we couldn’t leave him out. www.gray-robinson.com
LAWTECH May 2015
REFERRALS Build your business by analysing your referrals; in both directions
By Fiona Jackson, Client Advisor at LexisNexis Enterprise Solutions
8 LAWTECH May 2015
Earlier this year, the merged Dentons and China’s Dacheng firm with 6500 lawyers became the world’s largest law firm. While this alliance clearly takes the cake, ‘merger mania’ has been growing over the last few years for a number of reasons. Some firms do it to overcome financial pressures; many see it as a way to become national or global organisations, or to enter new practice areas and markets. Firms also enter into exclusive alliances to save themselves the trouble (and disruption) that typically accompanies a legal merger and yet benefit from all the business advantages of combined strength. Linklaters is one such example. With this level of cross-border M&A activity, the challenges increase significantly for the independent firms. How can they pit themselves against the might of these global law firms? A strong referral network to win business is now imperative. Actually, referrals have historically been a key source of new business for law firms, but despite its importance, referral management has never been undertaken strategically. It needs to be an integral part of firms’ co-ordinated marketing and business development initiatives.
Why track referrals?
Effectively managing inbound and outbound referrals is an important component in the management of a modern law firm. Firms that invest time and resources in doing it well achieve a number of objectives – from bringing in new business and enhancing client satisfaction to ascertaining who the firms’ major business partners really are and evaluating the effectiveness of business development efforts. Typically, firms manage inbound (coming from external sources) referrals reasonably well, but find the management of outbound (the leads that the firm passes on to other organisations) referrals difficult. Firms generally leave the recording of referral information to individual fee-earners’ discretion, often resulting in either events not being recorded or the task becoming a part of individuals’ personal business development efforts. Just as clients are considered ‘the firms’ clients’, and not clients of individual lawyers, outbound referrals should be considered assets of the firm, and not of individuals. Knowing where inbound referrals come from allows firms to more effectively determine which firms to refer work to so that they can achieve higher levels of reciprocity. Furthermore, tracking referrals in a commercial and measured manner provides valuable data that can be used to evaluate firms’ business development and marketing investments as well as ascertain how best to use these resources in the future.
Make referral management strategic
To this end, referral network management has to be part of a firm’s business strategy. For instance, referrals can be made part of partners’ key performance indicators and objectives. They must also be an integral part of new business pipeline management. This will help firms objectively measure both how partners are tracking towards their referral goals, and monitor the source of each new business lead and reward those relationships – internally and externally.
Memberships of international networks (e.g.s Lex Mundi, ALFA, etc.) is another good way of ensuring that referral management becomes a key part of business development initiatives. Firms benefit a great deal from such ‘good friend’ networks.
Manage reciprocity proactively
Gone are the days when partners could draw in business based on their/firm’s reputation alone. In the current environment, developing relationships is critical and managing reciprocity can help build connections that deliver quantifiable business. It makes business sense for firms to manage outbound referrals to firms or banks that in turn provide them with the most referrals. However, the firm can ensure this only if it is actively monitoring its new business pipeline to determine and identify such relationships, which then be managed in order to strengthen them further. Similarly, firms need also to manage their relationships with intermediaries, much as they do for key clients.
Referral management in CRM
CRM technology, which is often prevalent in firms, can be used for referral network management to help grow the sales pipeline, compete and win new business. But it is grossly under-utilised. Firms should look at setting up referral network management systems within their CRM to enable them to quantify the strength of their relationships, value inbound and out bound referrals and then the revenue generated by those actions. This kind of insight will enable firms to value their referral networks, ensure reciprocity, and extend those relationships for continued business gain. Oslo, Norway-based Wiersholm, is a good example of a law firm that has leveraged CRM to adopt a proactive and dynamic approach to managing its international referral network and relationships. Over the years, the firm has even increased the breadth of its services to clients. The firm’s referral network plays a key role in driving its business development strategies. In the current competitive and globalised marketplace, independent firms need to invest time and effort in devising a referral management strategy that percolates through the organisation from the top down. Legal Week recently reported that referrals between law firms Allens and Linklaters have surpassed the 800 mark – a sign that referral network management is a conscious, strategic initiative that bears results. No law firm can afford to be blasé about it.
About the author Fiona Jackson is a Client Advisor at LexisNexis Enterprise Solutions. She has spent the last 14 years implementing and running CRM solution Lexis® InterAction® in a variety of professional services firms.
LAWTECH May 2015
PROTECTING DATA IN
END-OF-LIFE EQUIPMENT See how law firms should dispose of equipment which contains sensitive data
Robert Rutherford, CEO at QuoStar
of data that can be unintentionally (or maliciously) disclosed to a third party. Specifically, you should have security and disposal policies covering at least: • • • • • • • • •
PCs, laptops, tablets Mobile phones Printers USB storage devices CD/DVDs Servers Hard disks Backup tapes Cloud Storage
Again, all of these items can be encrypted and, arguably, they all should be if your data could cause your firm or a client embarrassment.
Any device where data is downloaded or stored is at risk of being accessed by a third party once it is no longer in your possession. Devices at risk range from the obvious hard disks, right through to printers. The basic principle is: if data is written it can be retrieved, unless it’s encrypted. Therefore, in an industry where your clients’ data is always sensitive, if you can encrypt the data on a device you should always do it. Of course, you need to factor in performance overheads in relation to encryption but that is becoming less of an issue now with the entry of technologies such as solid state disks and self-encrypting storage arrays. Encrypting data will effectively remove a lot of the concerns around disposal and/or loss of a device. If you do have to dispose of a device, 10 LAWTECH May 2015
then it is usually best to have it done by a third party specialist data destruction firm. However you need to be aware that, by choosing to outsource this function, you are not outsourcing all responsibility. If a client’s data were to be stolen from one of your disposed machines, it’s your firm’s brand that will be tarnished. In an industry where reputation matters, you have to do your due-diligence, assess the data destruction firm and assess your risks. Do not simply settle for a van turning up to remove the worry. Once you identify the risks you should get them signed off at partner level and agree on a strategy to apply suitable controls to minimise them. If you follow these steps you can be pretty sure that your clients’ data and your firm’s reputation will remain safe. Don’t just think about PCs as the source
Risk of extortion
Never think that your information is not of interest to a third party. A large proportion of data and security breaches are now focused on blackmail and extortion. Hackers hack for money now, not simply for fun. A hacker doesn’t have to come in over the wire, getting hold of a physical device littered with information will give them extortion material and valuable clues on how to breach network defences at a later date.
Your key considerations
So, what are the key things to consider in relation to ensuring data is destroyed after its useful life? In this article, ‘destruction’ refers to physical destruction (shredding) and ‘wiping’ to cleaning the data off securely, to retain some resale value to the firm or a third party.
1. Control Access
5. Destroy it quickly
2. Control/Document Assets
6. Have a Process
As you can imagine, it’s possible that, if you leave a pile of hard disks or USB keys in an uncontrolled area, one could go missing. And if this happened, it would be open to all risks. When you have set aside equipment for disposal then secure it away from general access.
Make sure your asset lists are up to date so when you wish to ensure any data is destroyed you don’t miss anything. If you aren’t controlling your assets you aren’t truly controlling the risks. When you do dispose of an asset, ensure the information is logged, including the device, serial code, how it was sanitised, by whom, when, where it went, etc. If you go to a third party it should provide you a full certification of destruction.
3. Destroy the Data
If you just format or delete data on a device it’s relatively simple to pull it back. If you want to ensure the data is irretrievable then you can use specialist tools to do so. You can start by looking at tools such as Kroll Ontrack and Blancco if you want to do it yourself. If you want to go belts and braces, encrypt the device storing the data and then run the secure erase tools. You then of course need to factor in the time required to undertake this work. It all comes down to how sensitive your data classification.
4. Destroy the Device
In some circumstances the data is so sensitive that the entire device should be destroyed; shredded in fact. Generally you would outsource this but you can also buy the specialist equipment to do it yourself. Typically memory and hard disks are shredded, and other parts of the device sold on to retrieve precious metals. There are strict environmental guidelines on disposal of equipment so be sure to familiarise yourself with the current regulatory requirements if you do it yourself.
Security is changing
As we look back over this tiny area of IT security, the case for ISO 27001 is becoming more and more important in law firms. The risk of a security breach of any kind can have serious implications, more so now than ever before. ISO 27001 will give a firm a framework to identify all risks and assign appropriate controls to mitigate them. It will also give your firm a continual improvement methodology that will deliver gains year on year. It should
Once you have identified equipment to be disposed of or wiped then do it quickly. The longer devices hang around, the more chance they will fall out of control or go missing. You would typically expect to have a periodic destruction cycle or pick-up if using a third party.
Ensure that you have a documented process for the destruction of data and devices as required. If you don’t have a rigid structure things can and will slip through. Generally, legal firms can’t risk that happening so controls and processes must be put in place and followed. Failure to follow procedures must have tough disciplinary repercussions.
7. Check third parties
If you are outsourcing the destruction of data and devices to a third party then ensure that you are careful in your choice. There have been press reports of devices turning up on sites such as eBay with very sensitive data on, even on a printer’s internal flash disks. So, when choosing a service provider, you should be looking for companies with ISO 27001 and ISO 14001 certification as a bare minimum. Also, it helps if they are certified to destroy MOD equipment, i.e. CESG and MOD approved. The higher end secure destructions firms will also have equipment that they will bring to your premises, or premises that you can visit to witness the destruction of your data devices.
8. Communicate and Review
Once you have a process and policies in place in relation to wiping and destruction of data and devices then ensure that it’s communicated and clearly understood. Make sure all relevant areas of the company understand their roles. Also, once created don’t just forget about the policies and processes, review them, at least annually. Your assets will change, as will the risks. Ensure that you review them regularly and know what they are.
also be noted that many clients are now demanding ISO 27001 certification as a standard before instruction. As a final note, just do remember that your data is of interest to many people. Don’t take risks, or at least don’t take them without informed sign-off from your firm’s partners.
About the author Robert Rutherford is chief executive officer of QuoStar, a consultancy specialising in business technology. Founded in 2005, it offers business improvement and technical consulting, outsourcing and cloud services.
LAWTECH May 2015
DATA HOARDING HAMPERS
12 LAWTECH May 2015
BETTERBUSINESS How information management cuts eDiscovery costs
By Lee Meyrick, Director of Information Management at Nuix
It is no secret that eDiscovery is becoming increasingly challenging, time consuming and, as a result, expensive. One reason is the rapidly growing volume of electronic documents involved in discovery, and the growing number of devices in which they can be stored. Finding an important document is no longer as simple as looking for the right colour-coded label in the filing cabinet and extracting a paper copy, where the filing clerks put it away neatly and in alphabetical order. Even at an individual level, it’s a poor assumption that you can easily find a document when you need it. If you don’t believe me, see how long it takes to find the notes you took in the meeting about your goals for Q4 last year. I’ll go and put the kettle on while you’re doing that. Digital storage is getting cheaper, which means that organisations are simply loading more and more of their growing data stores into email databases, archives and storage systems, without taking the time to organise their information. But when an organisation is forced to respond to litigation or a compliance request, legal teams have to scramble around, trawling through mountains of data to find the crucial pieces of information they’re looking for. The reality is that it’s getting harder for law firms and litigation support vendors to deliver timely, error-free and profitable services. The increasing volume and complexity of data involved in eDiscovery is pushing up costs for legal services firms at the same time their clients seek to pay less. Although storing the data may cost only hundreds of pounds per terabyte, lawyers charge hundreds of pounds per hour. If organisations haven’t taken the time to manage their information before storing it, the price they pay is a costly eDiscovery process.
First, understand what you have
So where do you start? A necessary first step is to scan through all of your organisation’s data, get rid of what you don’t need and make sure what’s left is properly organised and easily searchable.
Information governance, as it’s called, may not sound exciting. But the next time you get a call from general counsel with an urgent eDiscovery request, and have to scramble reactively to find key evidence, you’ll understand why it’s necessary. The biggest concern many organisations have is that so much data is discoverable. In the event of a court case, regulatory inquiry or high-profile scandal, they will likely have to search massive amounts of data across multiple repositories to find key evidence. Often data is duplicated in many places and never deleted.
Reduce your unnecessary data risks
We often think of digital information as impermanent. If you’ve ever lost important personal data to a virus or hard drive failure, it certainly feels that way. But for large organisations, the opposite is often the case: Information stays around forever in storage systems, email databases and archives – it is never deleted and is often duplicated in many places. This problem is only going to get worse. Right now, there’s a massive movement of data from behind-the-firewall systems into the cloud. Or more accurately, a massive duplication of data, because most organisations don’t delete the original copies they keep in their data centres. Effectively, they’re doubling the volume of data they will likely have to search through. A lot of old data has no business value; it just sits around wasting money. But organisations need to think about more than just costs. That data can also contain business risks. The term “risky data” encompasses things such as personal information – like dates of birth, national identity numbers and credit card details – an organisation stores about its customers or staff. Organisations should know exactly where such information is stored – which should only be in encrypted and tightly controlled repositories – or preferably not keep it at all beyond the bare minimum needed to do business. Most organisations have strict compliance rules about retaining certain types of data such as customer records for a number of
“Old data just sits around wasting money”
LAWTECH May 2015
“Organisations can profile data into big buckets”
many archive formats. This makes it possible to classify the documents you must keep and those you can delete, apply policies and only retain the information you need. What’s more, once you have indexed this information, you can search it immediately the need arises. In some cases, you can delete duplicates to save storage, as long as you have retained one backed-up and indexed copy.
Put policies in place for the future years. But once the retention period is over, the risks and costs of keeping that data greatly outweigh any residual value. It just sits around waiting to cause trouble. Even if you didn’t need to keep certain information, the fact that you did makes it discoverable. In reality, most of the information organisations keep is irrelevant to running the business or to any legal proceedings. It’s duplicated, trivial, no longer used or past its retention period. Deleting this low-value data, according to predeﬁned and legally sanctioned rules, reduces risks and also minimises the volume of data that could be compromised in a security breach. It also makes responding to discovery, investigations and information requests quicker and more targeted because there’s a whole lot less data to consider in the first place. At the very least, it will reduce legal costs because the discovery process is more efficient. But it can also mean the difference between incurring and avoiding fines or legal damages.
Take control of your data
Most organisations, I’m sure, would rather reduce the volume of data they store than allow it to spiral into a massive, potentially discoverable information minefield. Even if your organisation hasn’t properly applied data retention or lifecycle rules in your storage systems – and most haven’t – you can still implement a deletion policy now. Advanced technology can rapidly and automatically index the data stored in enterprise repositories including Microsoft Exchange, SharePoint and Lotus Notes Databases, as well as 14 LAWTECH May 2015
Once you have cleaned up your historical data, you can put in place retention policies for everything your employees create in the future. You can review, regularly and incrementally, new information, ensuring it is retained, dealt with or destroyed in an appropriate manner. Keeping retention and security policies viable in the face of so much data requires a compromise. Manually classifying records is overly labour-intensive. But retaining everything is overly simplistic, not to mention costly and risky. By using advanced indexing, search and classification technologies in conjunction with manual reviews, organisations can profile data into big ‘buckets’ of essential record types such as contracts, policy documents, financial, legal and intellectual property – each with its own retention schedule.
Realising greater benefits
Are eDiscovery costs our punishment for information governance sins? Proactive information governance makes life easier for everyone. Fast and precise access to information has huge impacts on a business. Litigation budgets and storage spending are reduced, while risk management is improved. With these benefits, information governance projects very quickly become self-funding. They can also become a source of business value as employees can quickly find the information they need day to day and the organisation as a whole gains knowledge from understanding its own data. There’s no question that organisations that face frequent litigation or regulatory action have a clear business imperative to
put in place information governance programs. The challenge is taking the time to define a set of practices to put governance into action. This requires someone who can articulate what process the organisation should follow and explain the reasons behind it; for instance, because retaining multiple just-in-case copies will increase eDiscovery and compliance costs. Electronic data stores in organisations are only going to get bigger, and eDiscovery costs will continue to rise accordingly. If organisations don’t take a proactive approach to manage and understand their data now, they will end up paying lawyers to do it for them. Perhaps it would have been cheaper, after all, not to
have fired all the filing clerks. About the author Lee Meyrick, Director of Information Management at Nuix. He advises organisations on the use of discovery techniques for information retrieval in unstructured data. He focuses on FCPA and the UK Bribery Act and discovery of ‘risky data’ for remediation. www.nuix.com
2103 Sprout Barrister ad_2103 Sprout Barrister ad 16/12/2014 19:00 Page 1
We make happy barristers
020 7036 8530 LAWTECH May2015
IN THE CLOUD? OPINION
How the cloud may be embraced by modern chambers
By Matt Torrens, Director at SproutIT
Large swathes of the UK Legal market, despite being a comparatively conservative business sector, are already happily working in the cloud. Law firms, from the high street conveyancing firm to the UK’s top 200, have embraced cloud technology. Some operate hybrid models, with a cloud-delivered Practice Management Solution (PMS) and/or Document Management Solution (DMS), while others have retired their entire onpremise server estate and moved lock, stock and barrel to the cloud. Some PMS and DMS software-as-a-service offerings can be delivered via your internet browser, and some providers will package these, with a fully hosted environment. The attractions of a well-specified cloud from a trusted provider are clear: lower total cost of ownership, enhanced data security, mobile access, reduced maintenance and local management, and access to the latest technology, to highlight just a few. But for all the articles, adverts, chatter and buzz surrounding the cloud, and the large number of law firms that have adopted cloud technology, chambers is one sub-sector that largely has not bought in. The inevitable emergence of virtual chambers, the financial pressures on particular practice areas and the emergence of merger activity all suggest cloud computing as a 16 LAWTECH May 2015
suitable solution. One explanation of the difference in attitude towards new technology, between law firms and chambers, is their
respective organisational structures and working practices. Law firms are normally hierarchical in nature, with major strategic decisions made at partner level - the rest of the firm, in general, will have to toe the party line. Conversely, and despite management by committee and a more recent trend towards the role of CEO within chambers, barristers tend to retain significant autonomy over their own practice – and that includes computing and technology. These differing structures present an enormous challenge to anyone (CEO, consultant or IT strategist) to take chambers on a successful journey to cloud computing – simply, most chambers suffer from the too-many-chiefs syndrome,
when it comes to major strategic decisionmaking, particularly those around technology.
What next for chambers?
With the well-publicised cuts to legal aid, the availability of direct access and the increased demand for fixed fee work, the pressure on chambers to become more efficient is self-evident. A less efficient path for individual barristers is to continue employing dissimilar software and working practices. The history and traditions of chambers are important but the modern world demands a shift in attitude. And cloud can help with predictable annual service costs on a per-user-per-month basis, serviced by upto-date technologies. We have seen, and we’re likely to see more, significant chambers merger activity. Presumably, these mergers are based, at least in part, on efficiencies as well as other synergies. Yet some existing examples, several years on, share nothing more than the letterhead, with separate diary systems, telephony, computing systems and even domain names. The obvious answer is the cloud. The first ‘virtual chambers’ have appeared and the move away from traditional 100 percent physical residence within chambers, is likely to continue.
Cloud computing can enable sets to inhabit smaller and cheaper premises with a hot-desking environment, for when members do work from chambers. Yes, I’m aware that to suggest hot-desking is to rip up any chambers Christmas party invitations that may have been coming my way, but it is absolutely the way things will go. Several sets have already taken that plunge, using thin clients to connect to secure clouds alongside hosted telephony. The last few years have seen many chambers grapple with the idea of reputation and brand. The ‘chambers marketing manager’ role was born and, largely in vain, marketing professionals have tried to direct individual barristers towards the idea of shared reputation and brand. More recently, we’ve seen a tangible shift, with chambers beginning to understand the importance of reputation and brand. Technology and, specifically, the cloud can help to bolster reputation and provide best-of-breed bragging rights. Related to reputation is the increasing pressure from instructing solicitors around data security practices within chambers. Traditionally, chambers were seen as the least defended path to highly sensitive information. More and more often, we see instructing firms requiring significant effort and investment from chambers around data security before they will engage. A well-designed, private cloud from a reputable supplier will tick 99 percent of those compliance boxes. Reputation enhanced.
Chambers are represented and governed by a number of bodies. The information provided by The Bar Council to barristers, on cloud computing, consists of three paragraphs and precious little detail. The chambers market has suffered from a lack of leadership regarding technology and any move to improve this would be a big help to the market in making the right cloud decisions. The Information Commissioner’s Office, set up to uphold information rights, is on record in recent months as signalling its intent to crack down on data security breaches in the legal sector. Following 17 reported data breaches in the UK legal
sector during just three months in 2014, Information Commissioner Christopher Graham noted, “It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.” Personally, I am not certain that this can constitute an ‘early’ warning, given that just a quick look through the ICOpublished monetary penalties, decision notices and undertakings quickly reveals that the legal marketplace is virtually absent. Local and central government offices, along with NHS trusts, form the majority of their published enforcements. Commentators have previously wondered whether there has been some form of bias or selectivity as to what kind of entities the ICO pursues – but perhaps the ICO’s recent comments are indicative of a turning tide. The incoming EU General Data Protection directive will see fines of up to 5 percent of global turnover for data breaches. The notion that individual barristers can effectively manage data security is self-evidently wrong. The provision of quality cloud services to chambers will afford each individual barrister the luxury of ‘out-of-the-box’ data security. Of course, each Data Controller is also likely to be responsible for data security outside of any cloud (it’s no good printing sensitive data from a secure cloud and then leaving it on the train) but, for most, a good cloud will instantly enhance their data security and compliance levels.
• • • • • • • • • • • • • • • • • • • •
Virtual chambers Hot-desking / reduced rents Predictable OPEX Scalable and merger ready Private connectivity between chambers and cloud Enhanced resilience and availability Enhanced data security ISO 27001 and Cyber Essentials certification Built-in disaster recovery and continuity Electronic bundles, annotation and document collaboration Document management systems/ version control Secure file sharing and synchronisation Secure print services Encrypted emails and court admissible transmission data Email archiving Tamper-proof eDiscovery Mobile working, any device, offline access Hosted telephony and video Automated time capture Digital dictation
Ultimately, chambers’ computing will follow solicitors and other professional services to the cloud. Whether or not that transition is successful, cost benefitting and secure is down to the chambers themselves. The technology exists and the opportunity is there. Pressure is mounting on cost, service delivery and data security. A good cloud would be a big asset.
How can cloud help Legal IT?
According to Gartner, 10 percent of legal services are in the cloud today, but 90 percent will be cloud based by 2018. Plenty of legal cloud projects have failed; built on a lack of understanding and poor decision-making. If Gartner is right, and why wouldn’t it be, then chambers need to start thinking very quickly about their role in this inevitable move to the cloud. Putting the predictable protestations to one side, here are some tangible benefits that the right suppliers could bring to chambers:
About the author Matt Torrens, Legal IT expert and entrepreneur, has been providing secure, innovative, outsourced IT services to professional service firms for over 20 years. He coowns SproutIT, a specialist in the legal industry and now the leading supplier of IT strategy and service to Barristers’ Chambers. www.sproutit.co.uk
LAWTECH May 2015
A WELL-BALANCED CASE AT
18 LAWTECH May 2015
How load-balancing maximises service delivery at global law firm
By Ed Martin, UK country manager at KEMP Technologies
Professional services firms, like any other businesses, rely on 24x7 access to email along with other critical applications such as document management, billing, workflow and client management systems. This makes reliability, scalability, performance and quality of service essential, rather than nice to have. Anything that reduces productivity and avoids downtime, leading to loss of earnings and profits, tends to focus the minds of the CIOs. Enter load balancing. This was once seen as a problem for only the largest enterprises and a costly and unnecessary expense for everyone else. But this is no longer the case. In essence, a server load balancer or Application Delivery Controller (ADC), provides the ability to direct incoming traffic to the best performing, most accessible servers based on factors such as concurrent connections and CPU/memory utilisation. This makes sure that bottlenecks do not occur to reduce performance; and if a server or application fails, the user is automatically re-routed to another functioning server. The process is invisible to the user and critical to delivering an optimised and reliable experience. Traditionally, large ‘big iron’ load balancers have dominated the top end market, coming with a similarly large price tag; while at the other end, Microsoft has bundled a DNS (Domain Name System) load balancing service. This so-called ‘round robin’ balancing is a basic software solution that works by responding to DNS requests by simply alternating these requests between servers, without consideration for matching the user IP address and its geographical location, server load or network congestion. However, a new generation of hardware and virtual appliances has appeared to meet the growing demand for reliable and costeffective, third-party load balancer and ADC solutions.
The Osborne Clarke experience
International legal practice Osborne Clarke is a company that takes its load balancing seriously. The company may have been founded in 1748, but it thrives on being approachable and dispenses with stuffiness and pointless tradition. Its forwardthinking attitude has helped attract industry-leading commercial tech clients including Yahoo, Google and Facebook and has helped the firm grow to a top-tier practice of more than 600 lawyers based in eight countries across Europe, North America and supporting sites in Asia. The demands of Osborne Clarke’s team of lawyers keep the firm at the forefront of technology innovation and that means
“Reputation and client confidentiality are critical for law firms”
delivering maximum reliability to ensure that business-critical applications perform 24 hours a day. Like any law firm, the lifeblood of Osborne Clarke is its email communications and the mass of documents it processes. Osborne Clarke’s IT team uses three new load balancers from KEMP Technologies to ensure its core Microsoft Exchange email and Worksite and SharePoint document management systems remain available 99.9% of the time. The load balancers also help optimise its specialist applications including BigHand, an application allowing the dictation of letters while on the move; DTE Axiom for time recording/billing; and Vuture for marketing.
Osborne Clarke Enterprise Architect, Jon Garrett, explains: “Our load balancers support all of our applications crucial for the day-to-day running of the business; any loss of service would impact the performance or impression of the firm.” Osborne Clarke’s team deployed a High Availability (HA) pair of devices in its main Bristol data centre with a single device in the London backup site. The solutions manage its heavy volume of email and web traffic. The firm processes approximately 9,000 genuine emails an hour between 1,300 active users in its 18 offices across Europe and North America and supporting sites in Asia. The easy-to-deploy and simple-to-install systems ensure that data is handled in the fastest and most efficient way, allowing the firm to switch its processing load around as required. For example, the team can now safely take individual servers offline to perform vital maintenance and patching, without disrupting its users. LAWTECH May 2015
In fact, it was this issue that first persuaded Osborne Clarke to buy its new load balancers to replace a previous Microsoft solution. Garrett explained: “We were not happy with the Microsoft network load balancing (NLB); we found it unstable and slow. It also did not allow us to take a Client Access Server out of service safely to perform maintenance and we need to do that — we are a 24/7 firm.” The new load balancing systems were easy to install and have proved to be reliable ever since, Garrett said, “Initially it took about two hours to get them running and the Exchange templates and configuration loaded. We then switched over to using them in about an hour during a downtime window.” He added, “A valuable feature of the KEMP solution is support for our LANDesk incident management system. This allows the firm to offload the task of checking the SSL certificates that verify the authenticity of any website user’s contact.” The encrypted SSL sessions can be terminated at the load balancer so that the headers and content can be read in order to direct it to the correct servers. For the future, Garrett sees load balancing continuing to play a key role in Osborne Clarke’s strategy to build more international data centres. “We are in the process of identifying new data centres that will allow us to provide services in a ‘follow-the-sun’ manner,” he said. “This will allow our IT team to backup and maintain services while the user load is moved away as a new time zone comes online. This is part of our Global Strategy to deliver on our vision for a highly available and robust network to deliver services.”
Balancing for all bases
Like many technologies, load balancing has had to adapt to changing environments. Virtualisation started on the desktop but now offers a cost-effective alternative for re-architecting complete IT infrastructures. But applications running virtually still need to be balanced; so a new range of software solutions now support the likes of VMware and Hyper-V. It is also possible to deliver a fully featured load balancer or ADC running natively, as an operating system, inside the fabric of a blade server system such as DELL R Series, Cisco UCS or HP Proliant. This way, users can leverage their existing hardware investments and benefit from increased application performance by eliminating the need for external third-party ADCs and load balancers. Then there is the cloud; tempting customers with the benefits of lower investment and support costs as well as greater agility and flexibility for delivering applications. But with concerns around the loss of control that comes from having off-site hosting, along with myriad articles on the security risks of the cloud and the impact of Edward Snowden’s revelations, there is growing hesitation about moving everything into the cloud. Instead, the idea of a hybrid cloud is starting to resonate; with all the benefits of cloud computing but with the confidence of a physical on-site presence. But whether totally in the cloud or with a hybrid set up, there is a real need for making sure it is well balanced. Just as the virtual load balancer has been a critical component in the transition of client/server apps from physical devices to virtualised topologies; they have an important role to play in managing application delivery in the hybrid cloud. 20 LAWTECH May 2015
The latest buzz is around Software Defined Networks (SDN). This effectively decouples the network from underlying hardware and allows the network to better integrate with and support virtualised environments. Furthermore, Network Functions Virtualisation (NFV) eliminates the need for physical proprietary pieces of hardware. But, while the infrastructure may change, load balancing still plays an important part in delivering efficiency and performance. KEMP technology for SDN dynamically uses Layer 2 information such as network and server congestion extracted from the SDN controller to enrich its Layer 4 and Layer 7 load balancing policies for making more intelligent forwarding decisions and enhancing dynamic application delivery, user experience and service levels. So, regardless of whether you have a physical infrastructure or are migrating to a virtual or cloud-based environment, or even looking at SDN and NFV as the way forward, it is clear that there is a strong case for load balancing to cover all bases.
About the author Ed Martin joined KEMP Technologies at the beginning of 2014 and has held senior international positions in the load balancing and ADC sector. After graduating from Nottingham University, he worked for six years for Citibank in Australia.
Now is the time for... Integrated practice management software for modern law firms
Your people work better together... shouldnâ€™t your software? Case Management
Legal Accounts Workflow Client Web Services
Find out more
THE THREAT FROM
Why we must all become human firewalls
By Orlando Scott-Cowley, Cyber Security Specialist, Mimecast
22 LAWTECH May 2015
BETTERBUSINESS Protection of confidential information is fundamental to law firms and their clients. But, as the value of data continues to rise, attackers are increasingly looking to exploit these trusted relationships to gain access, insight and intellectual property from firms and clients alike. We spend endless time and money protecting from the threat outside the gates, but give little consideration to the enemy within. We need to start helping our employees be more aware of both of these threats, not just the obvious ones that they learn to expect. There’s no denying that 2014 was a grim year for IT security. According to a BIS report, 81 percent of large businesses and 60 percent of small businesses in the UK admitted to a cybersecurity breach that year. According to the Ponemon1 Institute’s Cost of Data Breach report for 2014, the total average cost, including expenses such as breach detection, escalation and response, stood at £2.21million. If such costly breaches are to be successfully avoided in the future, it has become increasingly clear that traditional IT tactics are woefully inadequate. Law firms, given the nature of their business, are particularly vulnerable to targeted email attacks and spear phishing. Especially those that have high profile clients or work on high profile cases; for example every defence contractor has a law firm, and every celebrity divorce requires two. Attackers understand this unique hunting ground well, and know that the defences of many law firms do not match those of their sensitive client base, so they look to exploit the weaknesses in a firm’s armour in order to gain access to these highly sensitive clients and their data. No matter how polished, traditional cyber security methods – such as desktop anti-virus software and a firewall – cannot protect critical information from highly targeted and wellresearched spear phishing attacks. More importantly, no single technology solution can protect from what might be the most pressing threat of all, human error.
Inevitable human error
Humans are imperfect. From the managing partner down to the legal secretary, everyone makes mistakes, and the chances are that one of those mistakes will inevitably result in a security breach, either immediately or long after the original blunder was made. Given that human error is inescapable, law firms of all shapes and sizes need to begin to supplement their IT investments with cyber-security educational programmes for their employees. Of the many ways a law firm can be compromised, a cyberattack
directed at them through email is the most likely, as email addresses are often not well protected, especially from the more effective threat actors. Users need to be made aware of the threats, what the risks look like, when to flag a suspicious email and why they should think twice before clicking on a seemingly innocent link. How will they ever know they’re being socially engineered, if you don’t help them spot the signs?
Building a human firewall
Thinking like a security professional is going to be hard for most. After all, it is simply not their day job. What the professionals need to do, is to help their colleagues to at least see the world from their point of view. Firstly a sea-change is needed in the way businesses think about cyber-security. Only by introducing a more task-orientated set of security rules that consider how employees use enterprise services, and how those same people are exploited, do you start to address the problem. After all, users have become the front line for attackers looking to gain access to your network as humans are easier to hack than the code the IT team writes. So, instead of constantly hardening our code and infrastructure why don’t we start to ‘harden’ our humans? It’s only when you start to get employees thinking for a fraction of a second longer than normal before performing a task, running an attachment or clicking a link, have you started to drive a behaviour change in them. This behaviour change is what invokes your human firewall, it’s the only way you’ll protect your firm from the insider threat, and it’s the only way we might be able to solve our cyber-security woes. This ‘human firewall’ may be the best defence against both external attackers and the human error threats that are emerging against our businesses.
About the author Orlando Scott-Cowley is a highly-qualified cyber security specialist. His 17 years’ experience, ranges from security and risk consultancy, to penetration testing and other specialisms. He writes and speaks on these topics, as well as cloud and SaaS technologies. www.mimecast.com
LAWTECH May 2015
SECURE AND EFFICIENT CLOUD COLLABORATION How to choose a cloud which protects precious information and enables efficient working Mark Edge, UK Country Manager at Brainloop
LAWTECH May 2015
The global proliferation of the Internet, coupled with widespread access to ever-increasing broadband speeds, has dramatically altered the business landscape over the last decade. One of the key ways it has done this is by transforming the way board members, clients, partners, firms, regulators and authorities communicate and collaborate with each other. Intercontinental communications that once took hours, days or even weeks to accomplish, can now be achieved in just seconds with a few clicks of a mouse. The emergence of online file sharing and collaboration tools as the flag bearers of this communications revolution has brought both excitement and concern to many organisations. Popular consumer file-sharing platforms such as Dropbox and Google Drive are finding their way into the workplace in ever increasing numbers, with employees attracted by their convenience and familiarity. But sharing high-value confidential information via these public cloud platforms creates very real security and compliance risks that cannot be ignored. In the legal profession, these dangers are magnified by the intensely sensitive nature of the files and documents at the heart of its day-to-day activity. Understandably, legal firms want to take advantage of the workflow efficiencies that new online file sharing tools can bring, but they are wary of the many potential threats these tools pose to the very lifeblood of the firm - sensitive client information. They are right to be concerned. The use of consumer file sharing services in a business environment opens client information up to a wide variety of vulnerabilities and threats. For instance, are employees sending sensitive information from personal email accounts? Are emails encrypted and secure? Who has access to the documents? How can that access be safeguarded and controlled? Are documents accessible to mobile or remote employees? If so, does the firm know who is accessing them and where from? If not, alarm bells should be ringing. Versioning of documents is also an important consideration. How can the firm ensure changes are accurately tracked in documents being distributed
across multiple stakeholders both inside and outside an organisation? Is there an audit trail? Post-deal/transaction bibles are often created manually, or with expensive custom tools, and frequently shared via physical media, such as USB sticks. Naturally, this type of sharing carries its own inherent risk of physical loss or theft. Distributing hard copies of information packs at partner/ board meetings creates another security concern as sensitive material could easily end up in the wrong hands, be mislaid or simply be left lying around somewhere it shouldn’t be. In addition to questions about the documents themselves, what about the security of messages sent along with it in covering emails etc? Encrypting email in a way that is easy to consume externally and which allows administrators to access it without exposing the sensitive information itself is not a straightforward task. So how can law firms solve this plethora of issues in order to take advantage of the latest technology? One solution is to create a secure, automated workflow through the implementation of a collaborative cloud solution. Not only does this remove the vagaries of human choice that can lead to information loss, but it can also speed transfers and drive huge productivity gains, delivering significant competitive advantage in the process. Ideally, a single cloud platform should be identified that can suit all of the firm’s complex requirements, including collaboration, file sharing, transactions/ due diligence and board communications. A suitable platform should: •
Be able to set security categories based on confidentiality level or document classification.
Be hosted on servers in certified high security information centres in the UK that meet national and international information protection regulations.
Be easy to use and provide secure access to documents any time and from anywhere, preferably via web browser. This would allow employees to securely manage
and collaborate on confidential documents and other information within the local infrastructure, across the Internet and on mobile devices. •
Integrate seamlessly into the firm’s existing infrastructure.
Allow firms to send secure links to files directly from Outlook with protection and encryption of the email body and any attachments.
Automatically create secured, watermarked PDF portfolios via workflows for deal bibles and partner meetings information packs.
Incorporate rights management technologies to ensure document protection all the way down to the user’s desktop, including the capability to define the time to access documents and permissions to edit them.
Incorporate versioning to allow users to keep track of edits and the document history and provide an audit trail to track all changes.
A cloud platform which ticks all of these boxes can not only resolve the challenges of protecting confidential documents, but also provide efficient workflows for effective collaborate whilst meeting stringent compliance requirements. If your firm is yet to explore secure cloud collaboration, there has never been a better time to see what the cloud can do for both you and your clients.
About the author Mark Edge, UK Country Manager and VP of Sales at Brainloop, is building the UK team and driving growth across the region. His 20 years’ business technology sales experience includes senior positions at Watchdox, IBM, A10 Networks and Citrix. www.brainloop.com
LAWTECH May 2015
HELP YOUR USERS BLOCK THE
CYBERCRIMINALS Don’t let users become the chink in your security armour
By Fred Touchette, Senior Security Analyst at AppRiver
A recent study1 conducted by LexisNexis found that 89 percent of lawyers use email to collaborate with clients or privileged third parties. In most cases, however, the only safeguard used to protect that information was a confidentiality statement at the bottom. What’s more, the same survey revealed that more than half of lawyers use free, consumer-grade file sharing services for sensitive communications. If you consider the confidential nature of the information on most lawyers’ computers, it comes as no surprise that law firms make an alluring target for hackers.
Inside the cyber underworld
Today’s cyber criminals employ many methods to steal information and money. And, since so many people maintain and rely on email accounts, what better place for cyber criminals to target? Much of the early spam traffic was annoying and essentially amounted to junk mail that consumed your time. It wasn’t long, however, before cyber criminals began using such messages to deliver far more destructive content. Email-borne attacks come in the form of phishing, spearphishing, Trojans, malicious attachments, and hidden scripts. Attack techniques are ever-evolving and adapt with technology in an effort to stay ahead of security professionals – driving malware authors to become very good at what they do. Nowadays, an unwanted email can contain an exploit that gives a hacker unlimited access to a computer or network. And it remains the most widely used means to deliver malware, but it’s not the only one. Simply clicking on a link to a malicious website can download malware that can compromise your entire network.
Email as a Postcard
In addition to the threat from malicious messages, a company’s own emails can be compromised as well. The best way to think about an unencrypted email is as a postcard that can be read by anyone while it is in transit.
LAWTECH May 2015
You’ve been compromised. Now what?
All businesses should have some sort of cyber incident-response plan: –– Start by identifying those assets within the organisation that are most vulnerable to infection and those assets that would be most damaging if exposed. ––
Know where your organisation’s sensitive data is stored and what systems are mission-critical to the business.
The sooner a security breach is detected the better the odds are of limiting the number of impacted systems. A few critical detection methods include DNS log analysis, (Intrusion Detection System (IDS), event log checking (looking for repeated login failures), and training employees to report something as simple as a poor-performing computer.
Isolate malware and take all necessary precautions to prevent its spread. This often requires taking some systems offline while the infection is removed.
Once infected systems have been isolated and contained, begin to remove malware from infected locations. Keeping good system backups can make this rebuilding process much more manageable.
Once all systems are back up and running, learn from the incident by re-examining the events and asking, “Was this preventable?” Identify and document steps that would help recovery become more seamless.
That said, it’s helpful to remember that encrypted data is unusable to those who do not have the proper decryption keys and means to decrypt. End-to-end encryption solutions ensure the uninterrupted protection of transmitted data by encoding it at its starting point and decoding it at its destination. Look for vendors that offer encryption solutions that wrap around any existing email infrastructure or application so that your organisation does not have to replace existing technology, including email addresses or email programs. Also look for solutions that provide certified email delivery and tracking slips so that authorised individuals may see multiple characteristics about any given message, such as who sent it, who received it and how it was handled, including deletions, forwards and attachment downloads that are timestamped with corresponding IP addresses.
Staying Ahead of Threats
IT security is so often a game of ‘cat and mouse’, whereby cybercriminals and security professionals are in constant pursuit of one another. The ‘cat’ (or security professional) is unable to definitively claim victory over the ‘mouse’ (cybercriminal) who, despite not being able to defeat the cat, is able to avoid capture. Today’s threats are not static, predictable or simple. And the models for distribution can vary from cast-net style malware campaigns to precisely-targeted advanced attacks. No industry or business is immune and that is why all organisational security postures should include a blended security strategy. The idea behind layered security is that there is no “silver bullet” that can make your systems 100 percent safe from attack. The best approach is to have multiple, redundant safeguards in place. Frank Strong, writing for LexisNexis’ Business of Law Blog - Study Tells a Story About Law Firm File Sharing businessoflawblog.com/2014/05/file-sharing-lawyer 1
End User Tips How to improve your organisation’s – and employees’– IT security posture: ––
Always run anti-virus and firewalls. Firewalls are important as they typically act as the first line of defence against network attacks, while anti-virus solutions serve as a strong last line of defence and aim to protect individual hosts. Make sure all devices are up to date with the latest patches. Attackers and researchers continually find vulnerabilities in software, and a patch or hotfix is designed to correct those security flaws. And, if unpatched software is left on a device, it makes it easier for an attacker to leverage them. The same rule applies to all software (not just the main operating system). Old programs that are not in use should be uninstalled and removed.
Always use complex passwords that are not easily guessed. Easy-to-guess passwords do not present a challenge to attackers and can open the door to your accounts. Instead, make sure your password is lengthy and has a healthy mix of symbols, characters, lowercase and uppercase letters.
Do not use the same password across different systems. By using different passwords for every account, the user is limiting the effectiveness of an attack to a single compromise. If that same password were used across multiple sites, the attacker would have immediate access to every single one of them. It is also important to change passwords at least once a quarter. Password managers such as LastPass or KeePass can help users to manage this burden.
Protect your personal information. Remember, do not advertise sensitive information online. Tighten your security settings on social media, do not use your real birth date, telephone numbers or addresses because this information
can be used to fuel custom attacks or answer account security questions. ––
Be mindful of your digital footprint and what you post online. Don’t post anything online – in online forms and the like – that you wouldn’t want everyone in the world to see. Really.
Only use trusted sites. There are roughly 252 million registered domains and a large portion of those domains are malicious. Some are quite obvious while other, legitimate, sites can be compromised and host malware within their pages. Stick to the well-known, established sites to increase the odds of staying safe online.
Do not open attachments from unknown people or attachments that appear suspicious. This is a very, very common method for attackers to use - delivering malware straight to your inbox, which is both convenient and highly effective. Do not click on an unsolicited link or open an attachment unless you know it is reputable.
About the author Fred Touchette, CCNA, GSEC, GREM, GPEN, Security+, is a Senior Security Analyst at AppRiver. He is primarily responsible for evaluating security controls and identifying potential risks. He provides advice, research support, project management services, and information security expertise to assist in designing security solutions for new and existing applications. www.appriver.com
LAWTECH May 2015
SOCIAL MEDIA FOR
Focus on quality, not quantity, for the best results
By Adam Elgar, Co-founder at Passle Law firms can be reluctant to interact on social media, with few law firms being very active on channels such as Twitter and even professional ones like LinkedIn. But, used wisely, social media can help build profile, establish reputation and attract quality clients. Recent research undertaken by Passle shows that the UK’s top 200 law firms have fewer than 360,000 Twitter followers between them – that’s around 150,000 fewer than the one-year-old nephew of One Direction’s Niall Horan. And, although law firms have started to embrace professional social media platforms, they are not always using them to their full potential. The UK’s top 50 law firms, for instance, have only 370,000 LinkedIn followers between them. To put this in perspective, L’Oréal has 605,000. Of course, using social media effectively is not just about quantity, but also about the more important issue of quality. If you simply create uninteresting noise, who will listen? Strong evidence suggests that firms generate a greater amount of leads if they regularly share, on social media, thought-provoking insight and knowledge of use to clients, and potential clients. After all, interesting (or entertaining) content is a top three reason1 people follow brands on social media. Special Offers and Current Customers take the top two spots.
Social media – instantaneous, far-reaching
The best thing about sharing your expertise or responding to important issues, using social media, is that it is instantaneous and far-reaching. If you’ve cultivated your audiences well, your comments will reach all your clients or prospective clients quicker than any other medium. And all evidence suggests that more and more businesses and people, of all ages, use and track social media 28
LAWTECH May 2015
every day. Your clients are very likely to be among them. In the legal realm, understanding the impact of new legislation or creating the full picture and context around an important issue is critical for clients to remain on the right side of the law, or simply to be better informed. And the quicker they’re armed with this knowledge, the better it will be for them. Social media is the perfect medium to get your message out, fast, and, most importantly, before any of your competitors do. It is, however, important to use social media not only to share insights with your target audiences quickly, efficiently and in easyto-understand bite-sized chunks, but also to engage with them. This is a fantastic way to communicate effectively with those who need to know. Using social media also means you can communicate not only with potential clients, but reach opinion leaders – journalists for example – instantly too. Those opinion leaders can, in turn, share your messages with their audiences, reaching many more people in the process. In short, the profile and credibility-building opportunities of using social media to share an expert’s insight, expertise and experience in a timely way is huge. So how can firms harness the power of social media and create content that makes the most of their team’s expertise? By following these steps, you are more likely to ensure the insights you share on social media are topical and useful and work to your advantage:
1. Get the right people to contribute
Lawyers spend years gathering knowledge and expertise, it’s what makes them good at what they do – and why they can expect good recompense in return.
Experts are the only ones with the right insight into their legal field that can, and should, be commenting in the market place. Everyone sees through low quality, high-volume, ghost written social media posts. Only someone with real expertise can point out the really great articles and explain what makes them so. This relentless need to ‘feed’ social media gives it a bad name, but it doesn’t have to be that way. The trick, and always the biggest challenge to sharing insight of value, is for busy lawyers to find the time to share it, and to do it when the topic is hot. But there are ways to do this.
SERVICE SUPPORT OR PRODUCT NEWS
FRIENDS ARE FANS OF THE BRAND
INTERESTING OR ENTERTAINING CONTENT
SPECIAL OFFERS/ DEALS
2. Build confidence, reduce hesitation
Encouraging experts to share their knowledge on a social platform can be tricky to do. But there are some things that will encourage them to do it, and do it regularly, including:
Show them the money It would be difficult to find any business person, lawyer or otherwise, to ignore a potential business-generating opportunity – so show them the money. Plenty of research demonstrates the bottom line returns of using social media effectively. In fact, 78 percent of small businesses2 attract new customers through social media, while 60 percent of large companies3 have acquired customers through Twitter. Why not see what your peers are doing online?
Make it simple It’s a good idea to choose one platform for the experts to use, and train them how; this reduces the fear of spending too much time doing promotion and not doing fee-paying work. Once a comment has been created, it can be replicated again and again on all the platforms you choose to use.
Make it easy The platform you choose should also play to your experts’ strengths. In our experience, professional services experts like to be able to use their own voice, so use a platform that enables them to use their own style of language (jargon free of course!); have the flexibility of a good amount of words (although not too many, this is social media after all); and, importantly, be able to use full and proper language, and that includes punctuation.
3. Above all, create quality content
When you have the right people ready and willing to post, it’s critical that what they comment on is topical and timely. The source of that commentary, or the inspiration, does not have to come from the most obvious place, but once you’ve created the desire to contribute insight, people will see opportunities in unconventional places. One tax expert we know was idly scrolling through autocar. com one lunchtime and spotted an article on electric cars. He posted a comment explaining that the initial purchase cost of such cars, which is high, could in fact be saved in income tax by the second year of ownership. A nifty bit of profile raising, and a most productive use of a lunch break.
Quality vs. quantity, that is the question The ultimate question. But, stick to the rules – get the right people to create the right content, in a timely way – and create a culture of understanding of the benefits and you will get people to post quality content. Creating excitement and some fun around doing it regularly, such as a competition, will increase that activity ten-fold. Should any firm ever get to the point where its experts are creating too much quality content, well, you’ve probably reached that most amazing of places, the Holy Grail. www.contentplus.co.uk/marketing-resources/infographics/anatomy-ofcontent-marketing 2 www.relevanza.com/research-studies-point-to-googleplus-solomo/ 3 blog.hubspot.com/marketing/where-do-marketers-get-customers 1
Have an approval process in place Every public platform opportunity needs careful thought, and social media is no exception. Having a good – but instant – approval process is critical to making people feel relaxed about creating commentary.
Create a buzz One of the best ways Passle has seen to create a buzz around writing posts on a regular basis is to create some kind of peer-topeer competition. Interestingly, such gamification helps to inject a competitive spirit as well as reduce the fear of creating social media posts. The posters stop feeling inhibited by the millions of potential readers and focus on what will work well for their immediate circle. It also helps to legitimise the act of creating posts if others are creating them: “if my colleagues are doing it, then so can I.”
About the author Adam Elgar co-founded Passle alongside his brother Tom in 2012. Prior to starting Passle in 2012, the brothers successfully founded and built other game-changing technology businesses, including streamingmedia.com and Serverside Group. www.passle.net
LAWTECH May 2015
DATA’S PROMISCUITY Communications monitoring is key to data security
By Phil Beckett, Partner at Proven Legal Technologies
In the last year alone there have been a number of high-profile hacks, which have highlighted how susceptible businesses are to this kind of attack. These incidents should therefore act as a call to action to law firms of all sizes to tighten up data security across the board. The Daily Telegraph recently reported that GCHQ had advised businesses to strip their employees of smartphones in order to minimise cyber attacks. In fact, the GCHQ advice was more moderate than that but, nevertheless, it was spurred by the proliferation of Bring Your Own Device (BYOD) policies, which have resulted in potential risks to all businesses, with confidential company information leaving the office on employees’ devices and posing serious threats to data security. Modern firms need to be aware of this problem, and must recognise the fact that this situation extends beyond smartphones to include computers and a wide range of removable devices as well. After all, data can be very promiscuous, in that it tends to associate itself with different devices in different formats. For this reason, firms need to implement rigorous security practices surrounding BYOD and managing corporate data. This begins with regular checks and monitoring of all technology, so that no device goes ‘under the radar’ and firms retain full visibility of where their data lies. In order to protect against threats to intellectual property and unauthorised attempts to access sensitive data, firms must first identify the risks that they are facing – as well as what would be at stake should the worst case scenario occur. By educating themselves on the dangers, firms can establish policies which will 30 LAWTECH May 2015
minimise those risks, while understanding what to look out for when monitoring communications for unusual activity.
Rigorous rules and regular checks
To keep a handle on their data, firms need to implement appropriate training and guidelines for their employees - including strict BYOD policies - so that employees clearly understand what they are and aren’t allowed to do with the firm’s data and devices – as well as the consequences for the misuse of both of these. The same goes for cloud storage sites; if OneDrive, DropBox or Google Drive are being used to copy, transfer or back-up data in the absence of physical devices, their use should be encouraged only under careful supervision and according to agreed protocol and guidelines. Once rules are established, firms must run regular checks to ensure they are being adhered to and more quickly locate the source of any internal breach. Tell-tale signs of off-system communication can normally be detected by closely monitoring firewalls, proxy and other network logs to identify unusual patterns of behaviour. Off-system communications are stored on removable devices irrespective of where the communication is sent, so companies can access such information through systematic observation. IT-based monitoring should also cover communications within the organisation. For example, emails should be checked carefully for signs of unwanted communication with any thirdparty organisations that could pose a security risk. Firms should also be aware of their employees emailing certain documents to
themselves to access at home, as this removes secure data from the company domain and is hard to monitor on external devices. Although emails are the most common form of corporate communication, instant messages, chat and SMS messages could also contain confidential information, and firms must ensure that confidential information is not being discussed via these means. Although checks are typically carried out post-event, it is also possible to set up real time triggers that send alerts when certain behaviours or patterns occur. Organisations may also want to perform audits on specific actions and individual machines. Audits like these can be used to identify which individual devices have been connected to machines and also highlight users’ internet activity. This type of surveillance can quickly reveal patterns of harmful behaviour, and can also highlight when employees may be accessing web pages which are not secure, leaving machines vulnerable to viruses, malware and external penetration. Monitoring and auditing must be approached with caution and care, however. Firms must not come across distrusting, and staff must understand that monitoring is taking place for the sake of data security. However, ensuring that employees know their activities are being watched can also be seen as a positive, as it encourages professional practice and an increased awareness of the policies in place.
people have access to it. Internal monitoring of employees’ behaviour should be combined with regular checking of the firm’s IT systems, cloud storage and databases. Networks should also be carefully scanned for backdoor entries and any attempts to penetrate the system. Some firms may even want to go as far as a blanket ban on USB and other removable devices if they feel they are posing a threat to the organisation. Firms that implement clear cybersecurity rules and procedures will be in the strongest position to protect themselves and their data, but only if their employees understand – and adhere to – company policies. Whilst prevention is always better than cure, communication monitoring is key to identifying a security breach if something should slip through the net. Not only will regular checks ensure that businesses can respond to security breaches much more quickly and effectively, but the investigation process itself can often reveal important information for making on-going security improvements. About the author Phil Beckett is a Partner at corporate forensic investigation and e-disclosure firm, Proven Legal Technologies. Previously, he led Navigant Consulting’s European Forensic Technology practice for seven years. He’s a qualified fraud examiner and recognised court expert in digital evidence.
A secure strategy
Fundamentally, organisations can protect themselves by ensuring that confidential data is kept confidential and that only authorised
LAWTECH May 2015
WHAT NEXT FOR
A view of the future and some productivity issues you’ll need to address By Matt Lancaster, Director at Pracctice and Vice Chairman of the LSSA
The next twelve months will undoubtedly prove interesting for both the software suppliers in the legal market and the law firms that use this technology on a daily basis. Much more of lawyers’ work will take place in the cloud, interaction with portals and collaboration via software will be expected rather than optional. The Law Society is making its attempt to tap into this with the release of Veyo, its own conveyancing software package. Setting aside all of the discussion about how successful a software package provided by the Law Society will actually be and the scepticism expressed by law firms in advance of its release, we should welcome this greater competition and choice in the market place. Healthy competition encourages all suppliers to develop and improve their own systems and can only result in greater and better choice across the legal software market. The risk of limiting competition was 32 LAWTECH May 2015
precisely the argument made against the Law Society’s plan from last year to endorse a preferred software supplier.
Some common questions
At Osprey, 27 years into providing legal software, the only constant is that functionality (and lots of it) is the driver for change and adoption choice. Our experience shows that law firms will always seek the ‘all-singing, all-dancing’ product. After all, law firms adopt technology to increase efficiency and control, and to manage the ever-increasing regulatory demands made on them. We explain how to make this possible in our 2015 Legal Landscape Software seminars. The types of question we get asked now are: •
Will it integrate with: text messaging; search providers; CJSM; corporate or institutional portals? Can I use the software to market to
potential and existing clients? Can I work from home or when I’m on the move? Will the software improve our business processes?
After more than ten years of providing software in the cloud, we’ve stopped having to argue as to whether lawyers should adopt cloud technology, but the coming twelve months will show that interaction in the cloud is key to how legal services will be provided in the future.
Law firms will face demand from their clients, whether individual or corporate, not just to see information available on the web, but also to work with and progress their matters online. Law firms will expect to collaborate with each other online. Options to submit or receive information from corporates or institutions will
LEGALTECHNOLOGY be increasingly restricted to online interaction. While in the past the legal profession has been seen as conservative in adopting technology, law firm are now demanding that they should have the best that modern IT has to offer. And it’s not just about having it; it’s about using it effectively.
individual departments without looking at the bigger picture – a CRM or case management system, for example. Can such a system really work in isolation? Opening the same file in multiple systems is both inefficient and introduces a lot of potential for error, two things software systems are meant to avoid. The benefit of fully integrated systems is being able to access one file, for any type of work across your firm and to be able to see everything relating to that file in one place. This is more efficient, more cost effective and allows for greater control. Collating information from different systems while you’re trying to talk to a client on the phone is not a good use of
Do your research
It is worth doing a bit of research into the different ways that different suppliers provide their systems and looking at the consequences of this for the cost and benefits. Ask yourself, “Is it the latest technology? Is it future proof? Does it save money? Does it assist in disaster recovery and business continuity?” The answer to all of these should be “yes”, of course. Effective training From a due diligence point of view, Lawyers who have worked in the legal the datacentres where your data resides departments of large organisations will should absolutely be based in the UK, probably already be aware of the trends owned by the software supplier (not in using technology to deliver training outsourced to a third party host) and and skills development. Online content, mirrored in real time. This provides all webinars, and online academy style assurances and allows for the ultimate interactive courses have transformed the economy of scale – the best provision way that people learn in both the academic available in regards to security, and business spheres, and this year they performance, disaster recovery and are likely to become the expected norm for business continuity at the most economical users of legal software packages. cost possible. For many years, as a software provider, Software suppliers which haven’t we have offered unlimited training free to made the necessary investments will all our users. This not only removes any either purchase server on behalf of their upfront costs but also critically How to improve your allows organisation’s – aand employees’– IT individual clients and set up an expensive, our clients to take regular training on our security posture: oldonfashioned and problematic connection settings social media, do not use your real software to keep abreast of the regular for remote access, or they will simply birth date, telephone numbers or addresses new functionality updates, induct new –– Always run anti-virus and firewalls. outsource the hosting of their clients’ data because usersFirewalls as their firms grow, extend their use technology. may earnersthis information are important as they typically act as the firstItline ofbe that fee to a third party, which can cause issues of thedefence software and develop their business do only solutions one particular type of work against network attacks, while anti-virus contractual liability and security of can be custom attacks or answer account security processes newlast demands. in your firm so this is not so much ofused to fuelwith serve to asmeet a strong line of defence and aim to protect that data. questions. In an ever-changing an issue but imagine having different individual hosts. technological Software is constantly evolving but environment, it is paramount that law departments using different systems yearfootprint ahead will law online. –– Be mindful of your the digital andreally whatfocus you post knowsure howall todevices use theare systems forlatest case management, administration, –firms – Make up to that date with the patches. firms’ minds on their approach. Many Don’t post online – in online forms and the like – that they Attackers have invested We hear so often and marketing. Different staffanything and in. researchers continually findaccounts, vulnerabilities are driving this and out the you wouldn’t everyone in the world to seeking see. Really. aboutinfirms that have using different systems is neither efficient wantfirms software, and aperfectly patch or good hotfix is designed to correct right technology while others will find systems in security place butflaws. have And, no idea how nor effective. across the firm those if unpatched software is left onReporting a themselves following order to work to use them as they have not taken extremely problematic data sites. –– Onlywith use trusted There are roughlysuit 252in million device, it makes it easier for anany attacker tobecomes leverage them. a modern andof remain training buying system, or residing in different systems;registered one hand domainsinand a largeway portion thosecompetitive domains are Thesince sameinitially rule applies tothe all software (not just the main with theobvious more proactive firms. Either way, it firmsoperating that buy asystem). system based on specific wouldn’t whatbethe other malicious. is doing… The Some are quite while other, legitimate, Old programs that are not in usesee should will be aand topic at the top of within many law firms’ functionality requirements but then never considerations are endless but, sitescritically, can be compromised host malware their uninstalled and removed. this established year. learn how to use it. This is particularly would start with conflict checking. pages. Stick to the agendas well-known, sites to increase in use the coming as that are not easily Finally, although greater choice is of staying safe online. the odds –pertinent – Always complexmonths passwords guessed. technology is indeed moving very quickly can be very confusing for Easy-to-guess passwords do not present afantastic, challengeitto now.attackers and can open the door to your accounts. law firmsInstead, when looking –at– new Dosoftware not open attachments from unknown people or Wemake see structured training, courses andand has systems. A good starting point is to look that appear suspicious. This is a very, very attachments sure your password is lengthy a healthy mix of multi-media as a cost to to theletters. technical methodology, as the symbols,methodology characters, lowercase and uppercase About the author us in providing the service to our clients residence of data is critical to every firm. Matthew Lancaster is Vice Chairman cost our clients in using it. different Manysystems. software suppliers purport to offer –rather – Dothan not ause thetosame password across of the LSSA and Sales and Marketing However, all firms should see training as account, ‘cloudthe computing’ By using different passwords for every user is but the reality behind Director of Pracctice Ltd, the company a regular andthe ongoing investment inattack both to a the terminology differs wildly. Rather than limiting effectiveness of an single compromise. behind the Osprey Legal Cloud. He time Ifand money budgetwere annually a remote desktop-style connection into a that same and password used for across multiple sites, the has worked in the legal industry for 25 such attacker costs. Towould investhave in technology then not to every server,single whichone is essentially old Windowsimmediate access of years and specifically within the legal investthem. in itsItuse makes no sense. style at technology, is also important to change passwords least oncetrue a cloud computing software industry for 16 years. operates on multi-tenanted datacentres quarter. Password managers such as LastPass or KeePass can and is accessed by nothing more than help users to manage this burden. Avoiding conflicts a simple internet connection, as any With a rapidly changing legal software webpage would be. No set up or icons to –landscape, – Protectanother your personal information. do not pitfall for many firmsRemember, ospreylegalcloud.co.uk click,your just accessing advertise sensitive information security a webpage. will be to opt for modular systems foronline. Tighten
End User Tips
“One hand wouldn’t see what the other is doing”
LAWTECH May 2015
IMPROVE THE EFFECTIVENESS OF YOUR
34 LAWTECH May 2015
Could shared document building transform your working methods?
By Peter Sheppard, Managing Director at Siteset Digital
“Never compete against clients’ manifest priorities. Facilitate them.” This incisive nugget comes from a Harvard Business School professor, Clayton Christensen, who knows a thing or two about building successful organisations. Let’s pick apart his statement as it applies to many well-run, high-performing law firms, large and small. What are the ‘manifest priorities’ that a law firm’s clients are looking for? In essence, they want sound, expert and clever legal advice that is delivered efficiently in a timely way, at a cost, which works for them, whether for a multi-million pound corporate transaction or the simplest conveyance. They will almost certainly prefer a style of relationship and a transactional experience that fits with their own world view, their preferences and that is on their own terms. So what would be meant by ‘facilitate’ in this context? For many law firms, most of the client relationship is likely to be conducted through face-to-face meetings, phone calls and email communications. This is the ‘traditional’ way but, for many younger people, it isn’t the most comfortable and it certainly isn’t what they have come to expect. What about the advice ‘never to compete’? The reality is that many good law firms are unwittingly competing against new priorities held by the up and coming generation, or by the teams that work for them. They are contravening Professor Christensen’s excellent advice with a demographic that is growing in number and significance. These clients are in the Millennial generation. If a client was born after 1980, and so aged 35 years and under, they are known as a Millennial. Even if the senior client contacts aren’t, those who work for them almost certainly will be and will be sources of influence. And it won’t be long before those Millennials step into positions of greater power and influence themselves. With these Millennials becoming the primary business contacts
for law firms, it is important that Professor Christensen’s advice is still adhered to. In this context, it is likely that the traditional methods law firms have relied on to develop relationships, which have worked extremely well in the past, are likely to fall short of the expectations of this new generation of clients. First we must ask, what is it about Millennials that may mean the traditional approach is no longer up to scratch?
What drives Millennials?
This generation is driven by technology, particularly technology that it can use on its own terms and in its own context. Collectively, this means that they can engage while on the go and from their devices. They want to read and respond on their smartphone or tablet. Work is not confined to the office; they work wherever it suits them, not just at desks. It is done in the coffee shop, on the train or in the living room. They are particularly time poor and so expect to be able to engage with others in a way that is convenient to them and in their timeframe: they work at conventional and unconventional times. Leisure time is a very important consideration for them as well, something that they are unlikely to wish to compromise. These factors mean that they have strong preferences for how they transact business. For one thing, they want to work on things the instant they’re ready rather than when you want to do it. They also prefer it to be online because they can respond at a time that suits them. The ‘Compare The Market’ model is a classic example that has driven their expectations. They are used to being able to get insurance or set up a bank account at a moment’s notice, so the concept of a much more drawn-out process is not only a turn off, it is utterly foreign. They prioritise messaging over speaking to someone in person, as it makes best use of their high-pressure, high-workload lives.
“They want to work on things the instant they’re ready ”
LAWTECH May 2015
BETTERBUSINESS So how do these preferences fit with the ways that most law firms currently work with their clients? Not that well. Phone calls and face-to-face meetings don’t serve Millennial preferences; phone calls may be taken with reluctance, even if the recipient is too polite to let that show to the caller. Seeing things noted down on a legal pad for someone to type up later would come across as antiquated, not to mention the practical time wastage that could be prevented if this process were more automated. Emails, while asynchronous, are not online and being asked to review yet another version of a document as an email attachment would come across as inefficient. Even worse would be a printed document that they need to take the time to go through.
What would fit best with Millennials? Document building and automation technology, which Professor Richard Susskind, IT Adviser to the Lord Chief Justice, has called “one of 10 disruptive technologies” changing the way the legal profession works. Technology is not only what Millennials prefer, but in the form of shared document building and automation, it is the facilitator which has the potential to transform the client transaction. It provides a way to create a Millennial experience for clients. It means creating a shared law firm/client environment online, which is underpinned by document building and automation systems. While this technology cannot, and will not, provide the sound, expert and clever legal advice that law firms provide, it can take centre stage in the lawyer/client discourse. The benefit of this technology is that it can handle, process and deliver the advice and ‘product’ to client. It can receive the
key information needed to enable each working transaction, in a controlled and focused manner, and it can in turn facilitate the outputs to the client in a way that meets their priorities. In summary, embracing technology as part of this process allows the clients to contribute more substantively to it and in ways that fit with their preferences, while reducing the manual processes that can delay or confuse their overall experience. The newest generation of document automation systems, like Fusion, enables lawyers to focus on what provides the greatest value, leaving the technology to provide the repetitive, standardised content. It is flexible enough to enable the law firm users to choose and set their own variables and options without needing to call in IT. The acquisition and intelligent use of a contemporary document building system delivers multiple benefits. These range from the delivery of high-quality outputs, to enforcing compliance, to time saving and error elimination. Such systems support customisation without reinvention. They minimise the time spent on the ‘boring’ bits for any bright and driven legal mind. They also ensure that all the right information is gathered from any potential client right at the beginning of a collaboration.
Time to adapt?
But the missing link for most law firms is the attitudinal and technological shift that brings the client into the documentbuilding process. When such technology is placed front and centre of the client relationship, it provides the kind of working experience that the next generation of client favours. For a Millennial, the fact that they have to have a conversation to
Millennials prefer the ‘green track’ for their interactions – document automation is a key technology for this. Avoid processes that take them off track to the phone, face to face, email or even post. The most common journey currently is the ‘yellow track’, with some firms even forcing the ‘red track’, neither of which meets the expectations of Millennials. 36
LAWTECH February 2015
BETTERBUSINESS brief their lawyer, who then emails back, and then probably has another conversation and more emails, is very 20th century. What a Millennial client wants to do is to go online to a secure web address and answer the questions that their lawyer needs. Those answers then form the relevant elements of documents that lawyers can then work on. Clients want to go online to review documents in one place, not as endless versions on streams of emails or printed copies, where the message is fragmented across communications and any concept of a holistic view is soon lost. They want to leave comments in context so that the whole team can see them. They want to be able to use a digital signature to give their approval. With the latest generation of document building technology, the client’s preferences for how they like their lives to run can be accommodated, while preserving the value that lawyers deliver. If a law firm can meet those emerging priorities, it will be the kind of firm to which the next generation of clients will be strongly drawn. It will also be a firm that takes proper account of what is increasingly irritating to Millennials and acts to address that irritation.
Law firms will see this shared transactional future as either a threat or an opportunity. Those that understand the opportunity, and refocus their organisation and its practices to meet Millennial preferences, will be the winners. The key thing to realise is that other sectors have been providing these sorts of experiences for quite some time and Millennials are the early adopters of this more flexible approach. They transfer these expectations to other areas of their transactional lives and that means that their tolerance for processes that are less easy to engage with is low. The opportunity is there to benefit both law firms and their new, younger, clients. It just needs to be embraced. About the author Peter Sheppard began his career with the projects team at Carillion, before becoming IT Project Manager at Capita Group. He then spent nearly three years at HeathWallace, part of WPP, where he ran award-winning projects for HSBC and RBS. www.sitesetdigital.co.uk
Writing for LawTech is an opportunity to influence thousands of your peers and enhance your reputation Our readers love to hear about: Successful case studies Technology ideas and insights New IT changes in your workplace What you’ve done to enhance your firm’s IT Don’t worry if your writing is less than brilliant, we can sort that out
If you’re interested in taking this further, please text, email or call our editor with your ideas
His name is David Tebbutt and he’s at 07711 567 726 or email@example.com
LAWTECH February 2015
FIVE STEPS TO CLIENT
How to keep your clientsâ€™ sensitive data safe
By Mark Stevens, Vice President of Global Services at Digital Guardian
According to the New York Times1, global banking institutions are increasingly pressing outside law firms to demonstrate they are employing top-tier technologies to defend against cyber hackers. In some cases, firms are being asked to fill out 60-page questionnaires detailing their cybersecurity measures in minute detail, while others must consent to on-site inspections.
LAWTECH May 2015
Although perhaps extreme, these examples demonstrate just how seriously banks are taking the threat of cyber crime and why the firms they work with must do the same. On the facing page are five recommendations that will help your firm meet the stringent requirements coming from the banks, while also ensuring all client data stays out of the wrong hands.
LEGALTECHNOLOGY Identify Where Sensitive Data is at Risk
Your clients will ask what your security posture looks like, so it makes sense to perform a thorough review of your environment to identify gaps where confidential client data, including information contained on mobile devices, could be at risk. You don’t have to conduct this risk assessment yourself. Proven services on the market can quickly help you understand all locations where client sensitive data lives within your firm and how it’s being used.
Don’t rely on the Traditional Network Security Focus
Almost 100 percent of large law firms have security programs that start and end ‘on the network’. Why? Because it’s easier. Racking a security device on the network causes very little organisational friction. Yet the IT teams in these firms then spend almost every day purposely plugging holes in the network. VPNs are a common example; their widespread use makes them popular targets for hackers due to the high number of potential entry points and often lax attitude towards security from users. These inevitable holes mean the network will always be vulnerable to attackers. Add to this the fact that many lawyers operate in a mobile environment and demand access to sensitive information on their phones and tablets, devices that traditional network security measures don’t protect. A layered approach to security is becoming increasingly important for law firms, with device-focused technologies such as mobile device management (MDM) playing a pivotal role.
Focus on Data Protection Solutions
According to Forrester2, “In this new reality, traditional perimeter-based approaches to security are insufficient. Security and Risk (S&R) professionals must take a data-centric approach that ensures security travels with the data regardless of user population, location, or even hosting model.” Several proven data protection solutions on the market ensure security travels with the data. Called Data Loss Prevention (DLP), these types of solution help classify data, put a usage policy against it and strictly enforce it. But DLP is no longer optional for any firm wanting to protect sensitive client data. This is the reality of the hacking environment in which we now live and work. If you make it fractionally harder to steal sensitive client information, or render the data useless once outside the network, hackers will move to another law firm that presents an easier target. Several leading analyst firms, including the above mentioned Forrester, are changing the conversation when it comes to data protection. As data remains the target and it’s being accessed through more devices than ever before, protecting that data must be at the core of any law firm’s security approach.
Consider Using a Managed Security Provider
A way around challenges associated with implementing advanced data protection strategies is to hire a Managed Security Provider. These companies have deep DLP expertise and proven infrastructure, meaning you can concentrate on your business while they keep your data secure. They can also improve your security posture much faster than if you implement data protection solutions yourself. Especially for already-stretched IT teams, Managed Security Providers give you the comfort of knowing that your clients’ data is being protected without taking valuable staff time. They can also provide the assurances demanded by banks and other security-sensitive organisations.
Go Beyond Traditional Security Training with Positive Social Engineering
Employee security awareness is a critical step to protect client data. The key to effective employee security training is to go beyond slideware and annual refreshers. Innovative companies are using the prompting functionality in technologies to help employees self-correct data use issues. For example, a customer recently reported an 85 percent decrease in data use policy violations after six months of using real-time, pop-up dialogue box prompts. Sometimes employees need a simple reminder of what corporate policy is, and how they can adhere to it.
Corporations will increasingly demand that their law firms show proof of ongoing security and monitoring to protect sensitive data. The security of the information supply chain is gaining traction within IT security circles and companies are realising that the weakest link in their security posture may not be within their walls but inside the walls of those with whom they choose to do business. If you follow these steps, not only will you be able to demonstrate how you’re protecting their data, you’ll also be in a position to use your advanced security posture as a differentiator with new clients.
About the author Mark Stevens drives customer success across professional services, managed services, support and training at Digital Guardian. A technologysavvy business leader, he has a distinguished academic record and work experience in developed and developing nations throughout Europe, Asia, and the Americas.
The Future Of Data Security: A Zero Trust Approach by John Kindervag, Heidi Shey, and Kelley
Mak. June 5, 2014. $499.
LAWTECH May 2015
HOWELLSâ€™ CLEAR VERDICT ON
How speech-recognition increases productivity for Yorkshire law firm
Adrian Woolfe, Freelance Technical Writer
40 LAWTECH May 2015
CASESTUDY The way the world works is ever-changing, and even established professions like the legal industry need to move with the times to stay competitive and keep up with new operating practices and regulations. Howell’s Solicitors is a successful law firm that’s embracing technology to keep pace with change. With decent rankings from Chambers, it’s a well-regarded firm in the north of England, operating from four offices located in Sheffield, Rotherham, Barnsley and Hull. With fairness, value and service as its core values, the firm provides legal advice on family law, civil law and criminal defence. As an organisation that regularly reviews its operations and procedures, Howells Solicitors sought a way to optimise some of its administration processes, including the speed at which it produced legal documents. This is a sensible strategy as recent research by market research and industry analyst company, Techaisle revealed that 25 percent of firms in the legal profession spend up to four hours a day working on documents, with 19 percent spending up to six hours a day. Reducing the amount of time spent on document creation and editing can pay dividends for productivity and, ultimately, profitability.
In solid defence of speech recognition
Chris Wong, a partner at Howells Solicitors, is responsible for preparing cases to go before the Crown Court and, in particular, more serious cases such as murder, complex frauds and drug related allegations. He has significant experience of complex proceeds of crime proceedings. As one of Howells Solicitors’ fifty users of Nuance Communications’ Dragon Legal speech recognition technology, he is well positioned to explain why Dragon presents a solid business case for use in a legal environment: He explains, “Its performance and accuracy claims promised to deliver the type of productivity gains we were after, very quickly, and with very little investment. I’m happy to say that it’s very effective and the accuracy rates are very high.” It’s flexible too, giving Chris and his Dragon-empowered colleagues the option to choose between using the keyboard for very short texts, or speech recognition for much longer and detailed documents. Chris uses Dragon almost every day for business and personal activities. He says, “It suits my style of working. I like to see things happen in real-time, and Dragon delivers on that front. I like how I can dictate and see the results almost immediately, compared to dictating to a digital recorder and having to wait for the transcript to come back from a secretary. With Dragon, there’s no waiting.” It’s just as well there is little or no waiting, as Chris estimates that in a typical day, he dictates up to 15 documents - from letters to statements or summaries – an accomplishment made possible by Dragon’s ability to transcribe up to 160 words per minute. As people tend to speak up to three times faster than they type –
Profile • Legal firm with four offices in South Yorkshire • Highly regarded Challenge • Streamline workflow processes to drive efficiencies • Speed up document turnaround time
combined with Dragon’s high accuracy rates - even the busiest professional can steam through their workload.
Every detail matters
Chris makes another observation about how Dragon benefits not just him, but the company’s clients, too. He explains how it improves the quality, accuracy, and timeliness of documentation and reporting, “Dictating a case summary is a far easier process than typing, so my case summaries contain more content and are far more detailed. Therefore, if I have to advise a client of the potential outcome of a case in a letter or correspondence, I can now include more detail about the probability of that outcome, what the alternatives might be and their implications. Clients find this extra information reassuring.”
Speech your way
Convinced by the efficiency benefits speech has brought to Howells Solicitors, Chris now also uses Nuance’s Dragon Dictation application on his iOS device. “It’s so convenient for capturing thoughts on-the-fly, especially when travelling in between meetings.” It was while Chris was travelling to a meeting that his non-work related dictation caught the attention of a fellow train passenger. Initially bemused by what she saw, she soon saw the speed and convenience benefits that dictation offered compared to her own struggles with her device’s small keyboard. Within minutes, she too had downloaded the Dragon Dictation app. The train passenger isn’t the only person that Chris would recommend speech recognition technology to. He told LawTech magazine, “I wouldn’t hesitate to recommend Dragon to other legal professionals because it is so quick and accurate. Relative to what you can achieve with it, it represents excellent value for money, too.”
Service and support
Dragon’s performance at Howells Solicitors has been matched by the service delivered by VoicePower, the company that supplied it. Chris notes, “VoicePower has been a long term supplier to us and we have come to trust its knowledge and expertise. The service and support it provides to me and the other Dragon users has always been excellent, and we have always been impressed by its personal service, attentiveness and determination to iron out any teething problems.” About the author Adrian Woolfe is a freelance writer specialising in high technology. He writes about digital communications, cloud infrastructure and the business use of technology. www.nuance.co.uk www.voicepower.co.uk
Results • Legal documents can be created in real-time • Dragon copes effortlessly with legal workplace demands
www.howellsllp.com LAWTECH May 2015
ARE YOU READY FOR A DISASTER? When the unexpected happens, how quickly could you recover?
By Gabriel Gambill, Senior Systems Engineer for EMEA at Quorum
Lawyers have to know all the angles of a case, and be prepared for any new revelation or bit of evidence that can come up. That’s their duty to their clients. But they may not be prepared for everything that can happen to a firm outside the courtroom. As any glance at the news will tell you, businesses – including law firms – are at the risk of data loss due to everything from natural disasters to malicious hackers. Although advance planning cannot eliminate or prevent an unexpected event, it can give a law firm an edge in overcoming any long-term consequences, such as lost client information and damaged internal records that can be caused by a disaster. For your practice, a Disaster Recovery (DR) plan should have two primary goals. First, it should be designed to protect crucial business records, including client contact information and case history. Second, the plan should provide a framework with the capability to quickly retrieve information and virtually replicate your office. This will allow your firm to continue at a new location, if necessary. To put it into context, perhaps it’s best to start by defining what a disaster could be. When we say ‘disaster’ often we mean something that is out of our hands. Floods, hurricanes power cuts and earthquakes all spring to mind. However, a disaster could be something as mundane as a software update or a simple human error. They’re often not as newsworthy as a natural disaster but have just as much impact on a firm’s ability to operate.
Protect case records, history and client confidentiality
A law firm can take several steps to make sure its business continuity (BC)/ DR plan is 42 LAWTECH May 2015
suited to its operations. The first step is to make sure the firm has technology in place that will support the firm in the event of a disaster. A hybrid cloud or disaster recovery as a service (DRaaS) approach is rapidly becoming an effective choice. The problem with disasters is they aren’t planned and they are unexpected. Because DRaaS doesn’t have the physical infrastructure and configuration synchronisation associated with traditional disaster recovery, it’s a flexible option. A hybrid cloud-based solution combines public cloud and SaaS automation software to make DR continuity planning easier than ever. Cloud provides companies with data backup, fail-over of servers and the ability to have a secondary data centre at a different site to allow for regional disaster recovery.
Put your recovery capabilities to the test
DRaaS solutions also provide computing capacity on standby to recover applications in the event of a disaster. This can be easily tested without impacting the production servers or unsettling the daily business routine. A so-called ‘sandbox’ copy is created in the cloud, which only the system administrator can access. They are created on demand, paid for while being used and deleted once the test is complete. This makes testing simple, cost effective and does not disrupt the business. After all, you wouldn’t have an office fire alarm without testing it would you? Cloud-based testing delivers financial benefits too. Service providers regularly offer sliding scales for DR testing. Putting your DR solution in the cloud also means you don’t have a redundant in-house infrastructure that is sitting unused most
of the time. One of the most challenging parts of a DR plan is to get employees to know what to do if an outage occurs. People learn by repetition so, just like fire drills, we have to create practice DR drills. Companies that don’t do these regularly should not be shocked if their employees don’t respond appropriately and panic when disaster strikes. But many companies with selfhosting based DR services are still hoping for the best.
It’s clear that law firms would be foolish not to protect themselves against data loss. In fact, most managing law partners understand the need for disaster preparedness but have previously found it difficult to formulate a DR plan. The main barriers to implementation are now being broken down by DRaaS. It not only addresses recovery plan goals, it also supports regular testing without the traditional overhead costs and logistical nightmares. Most importantly, it gives lawyers the ability to continue their work with peace of mind both inside and outside the courtroom.
About the author Gabriel Gambill is Senior Systems Engineer for EMEA, Quorum. He has over 15 years of experience in IT leadership and network administration. His current role is to provide technical expertise for sizing and architecting solutions.
In the next issue of LAWTECH…
Each issue of LawTech magazine spotlights some specific topics as well as covering regular important issues such as cloud computing and information security. We maintain a rolling four-issue list on the features page of our website, if you’re interested. We like to run features and opinion pieces outside of the main focus. The world out there is unpredictable and we like to reflect it as best we can. People come to us with important stories (and opinions) that just can’t wait for a future issue. So we run them. We all love to read case studies from law firms – especially the lessons learned from new technology implementations. If you have a story that you think might help your fellow professionals, please drop the editor a line, he’d love to hear from you. He will also give you as much help as possible to polish your piece, if you need it.
• Risk & Compliance • Social Media • Bring Your Own Device (BYOD) • HR Software • Data Monitoring
LAWTECH LAWTECH May 2015
LexisNexis® Enterprise Solutions Powering your practice
LexisNexis® Enterprise Solutions Creating enduring and valuable relationships with your clients is all about delivering excellent service at a competitive price whilst ensuring efficiency and profitability for your firm. To do this you need the right technology; built to adapt to changing competitive legal markets, delivered by an industry expert. LexisNexis Enterprise Solutions offers powerful software built with legal market expertise to help you get ahead – and stay ahead.
• LexisOne™ - Enterprise resource planning • Lexis InterAction - Client relationship management ®
Contact Us For more information, please contact us: firstname.lastname@example.org +44 (0) 113 226 2065 www.lexisnexis.co.uk/enterprisesolutions Follow us on Twitter @LexisNexisES
• Lexis® Visualfiles™ - Legal workflow and case management
Enterprise Solutions A division of Reed Elsevier (UK) Ltd. Registered office 1-3 Strand London WC2N 5JR Registered in England number 2746621 VAT Registered No. GB 730 8595 20. LexisNexis and the Knowledge Burst logo are trademarks of Reed Elsevier Properties Inc. © LexisNexis 2015 0415_A3167
Published on May 10, 2015