The political and economic climate calls for caution across the board. Nowhere is this more apparent than in IT security. Law firms may not be quite as dependent on technology to conduct their daily business as investment banks, for example, but an IT failure can still bring a firm to its knees.
The lifeblood of globalisation is its underlying electronic infrastructure, which depends to a large degree on the integration of IT systems. Firms’ reputations are underpinned by their ability to keep clients’ information watertight, so it is not surprising that the chief executive of Sybari, a supplier of virus scanning software, cited law firms as among the best practitioners of IT security – rare praise for a profession that is often said to be several years behind other professional services in the innovation stakes.
Given the nature of the subject matter, the IT directors interviewed for this article expected anonymity for their firms. As one senior practitioner put it, one of the gravest dangers for an organisation is to be held up as a paragon of tight security. The higher the profile of an organisation’s network security, the more it is perceived by hackers as a challenge.
Any form of complacency is dangerous, but even though law firms are an unlikely target in an information war, there are few signs that law firms are resting on their laurels. Although Legal IT could not find any reliable statistics, there is a general impression among IT directors that security represents an increasingly large chunk of their budgets. No matter how much an organisation spends on security there can be no guarantees. One of the biggest legal buyers of IT security products last month found that one of its European offices was paralysed by the Nimda virus, because it used the AltaVista search engine as a document management platform, forgetting to switch off all of the default settings.
Security can never be absolute. “Security policy is always a balancing act between convenience for users and measures to keep others out,” the chief information officer at a US-based legal giant told Legal IT. Another technologist added to this compromise the factor of cost: an acceptable level of risk has to be a three-way balance between functionality, how much inconvenience users will accept and what the organisation can afford. IT directors are also quick to point out that security policy must ensure a consistent level of protection across all fronts, in the physical as well as the virtual world.
This is rarely the case. As one IT director put it: “If I were to attack this firm I would leave the IT network alone. It would be far easier to get a job with the cleaning contractors. Cleaning staff are the biggest security risk. They are in the building when everybody else has gone home and there are often sensitive documents lying around.”
There are several global trends that are shaping law firms’ security policies. It has become unworkable to use non-Microsoft based technology for client-facing systems. It is inevitable that Microsoft applications will be the likely Achilles heel of any organisation’s network, because Microsoft’s pre-eminence in the market attracts the attention of hackers. MS Exchange is often cited as the weakest link, but the server itself is not always the root of the problem. Outlook Express is the greatest cause for concern. Outlook’s power, as a ‘brilliant replication engine’, can also be turned to other purposes such as swamping firms’ networks with duplicate e-mails containing a worm virus. One senior practitioner says that the Internet Explorer 5 web browser is as likely a point of entry for hackers and viruses.
Some of the world’s largest firms are moving from fixed networks to virtual private networks (VPNs). Other large firms are running VPNs as a backup network. These should cause no more concerns about confidentiality than a fixed network. The encryption issues are slightly different. One senior practitioner predicts that VPNs will become more common because of their inherent agility; he thinks that the infrastructure is probably no less reliable.
The real problem is one of availability: in the economic climate, and as a result of the bidding wars for each new generation of mobile telephone licences, telecoms companies are finding it hard to deliver large-scale VPNs to business customers. Best practice seems to consist of rolling out VPNs as the main network in a few satellite offices to build up in-house skills while waiting for better availability. One advantage of the sorry state of the telecoms industry is that there is no shortage of skilled labour: telecom companies’ ex-employees.
Another trend among law firms – along with the rest of the IT industry – is the installation of wireless local area networks (LANs). Firms can choose between two systems, Bluetooth and 802.11, also known as wi-fi. There is not much to choose between them and although some firms consider 802.11 to be slightly more secure, they are more likely to choose it because more business applications are being written for it. Key suppliers such as Dell and Compaq have also adopted it extensively.
Wireless local area networks (WLANs) of both types bring their own security concerns. A wireless network signal must not be available from the pavement outside the building. Berwin Leighton Paisner’s IT team spent a lot of time checking that the signal of its WLAN did not penetrate the walls or windows at any point, according to IT director Janet Day.
Another IT director raised concerns about the encryption standards used by the systems on the market and the certificates issued to suppliers. His firm would only use WLAN for specific purposes, such as small offices in old buildings where the alternative – ripping all wires out with the risk of structural damage – is too expensive.
The truly paranoid also consider the positioning of desktop PCs within a building. CRT tubes in desktop PC monitors emit sufficient radiation to enable a sophisticated snooper to recreate the monitor’s display on another machine. Hence, many firms put their lawyers a few floors up from street level and a few replace CRTs near windows with flat, liquid crystal-based screens. As one IT director who used to work for a government covert surveillance unit says: “There is so much noise generated by all the machines in the building that you would need a van-load of kit to get anything useful.”
According to Clifford Chance IT director Brian Collins, in the wake of the WTC disaster everybody will have to take disaster recovery seriously. London’s ‘Square Mile’ could quite easily be held to ransom. If a firm’s City hub goes down, the whole firm is inconvenienced, and all the more so if it is a global organisation. Collins says there should be multiple routings out of a firm’s head office because no suppliers guarantee that any one organisation will be the first to be reconnected following a crisis. If a supplier could give such a guarantee it would become the object of considerable interest from law firms.
An example of how seriously Clifford Chance is taking disaster recovery is the firm’s decision that its London hub will this month begin streaming all its data in real time to a mirror site – a split-site storage area network based outside London. This may be expensive, but it is already common practice in the banking industry.
Most large law firms are not streaming all their data to a mirror site. The chief information officer of one of the largest firms in the US says even though the cost of bandwidth is much less in the US than in the UK, it is still too expensive and most firms do not think the data is important enough. “You only lose one day’s worth of work,” he says. “People want to shoot the IT team but in the grand scheme of things, it is not that big a deal.”
What makes it different for Clifford Chance? When looking at the cost of streaming data to a remote site, Collins says you must think about the total cost of ownership. The cost of streaming might run into millions, but it still only represents about a day’s worth of billing for Clifford Chance’s London office.
Server farms can take up a lot of room. Legal practices with an economy of sufficient scale may benefit from employing a supplier relationship manager for the IT function. Suppliers are more likely to offer discounts if they know in advance the total amount a firm will be spending with them over a given period.
Given the importance of client-facing systems to a law firm, application security is a hot issue that many people miss, according to the IT director of an international firm. He says all HTML code should be checked, as there are ways to trick the system into divulging information that the page writer never intended to make available. He says that the best way to identify holes in an extranet application is to hire an expensive consultant (the best people can charge up to £15,000) to conduct the initial application scan. The first time a firm does this, there is effectively no way to avoid paying premium rates for expert assistance. By instructing two members of staff to shadow the consultant, the firm can perform further application scans and vet subsequent alterations to the application in-house. Many large firms use software products such as Appscan and Appshield for this purpose.
Intrusion detection systems – also known as ‘sniffers’ – can monitor the network. The latest models have a small amount of intelligence and a learning capability. The IT director of a large US law firm says the most important quality of an intrusion detector is its port scanning capability. “The cost of having this capability is not the initial purchase price, which is about $6,000 (£4,300) to $8,000, but the additional $2,000 for each extra node,” he says. “You can end up spending about $10,000 to $12,000 a month just on monitoring.”
Brian Collins says firms should conduct regular third-party penetration audits. These are expensive but less than breach of confidentiality lawsuits. In the near future, he says, “firms’ professional indemnity insurance may require that these audits are carried out regularly”.
Automatic intrusion detection systems are very useful tools, but they are less important than developing an incident management process. It is bad for business to close the network when an intruder is located. Sometimes this is necessary, as is alerting the authorities. The best option (where possible) is to restrict the intruder’s access.
According to a senior industry figure: “Before acting, network administrators have to look carefully at the diagnostic information and ask themselves how confident they are that an intruder is benign, and not leaving lots of time bombs.”
For any firm that is concerned about hacking, seasoned practitioners recommend arranging hardware and software to make the system’s architecture appear unconventional to an intruder. Many firms have adopted a diverse range of systems for this reason. One IT director spoke of islands of Unix – which are extremely difficult to hack – in a sea of Microsoft. A cellular structure offers the greatest strength but is increasingly difficult to realise. Client facing systems have to integrate with one another and most rely on Microsoft’s technology to do so. “You can run your back end on Unix but it is vital for large scale productivity that you use Microsoft upfront,” Collins says.
The increasing uniformity of Microsoft’s systems might bring enormous functionality benefits, but once a hacker gains entry to one system, this ‘seamless integration’ makes it much easier to enter the rest of them. As one IT director says, firms should aim to strike a balance, using two or three common platforms.
It can be difficult for an IT department to operate if a blanket ban on file transfer protocol (FTP) is in place. It is crucial to restrict FTP access to a few trusted people who are fully aware of the security risks. After a system crashes it may re-enable the default settings – including FTP and Telnet – and it is the user organisation’s responsibility to check these settings every time the system crashes or is taken down.
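The post-crash check described above can be scripted rather than done by hand. The following is an added example, not code from the article or from any of the firms it quotes: it parses a `netstat -tln`-style listing (the sample below is constructed, not captured from a real host), flags any FTP or Telnet listener, and diffs the current listening set against a baseline the team recorded when the box was approved, so that a default service brought back by a rebuild shows up on the first run after the restart. The baseline, the sample listing and the forbidden-port table are all assumptions chosen for the example.

```python
"""Listening-port audit to run after a crash or rebuild (added example).

Parses `netstat -tln`-style output, flags FTP (21) and Telnet (23)
listeners, and reports anything that differs from a recorded baseline.
"""
import re
from typing import Dict, List, Set, Tuple

# Services the article says must not quietly come back with the defaults.
FORBIDDEN_PORTS: Dict[int, str] = {21: "ftp", 23: "telnet"}

# Constructed sample in `netstat -tln` format (not from a real machine).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
"""

# Constructed baseline: the (address, port) pairs approved for this host.
BASELINE: Set[Tuple[str, int]] = {("0.0.0.0", 22), ("127.0.0.1", 25), ("::", 443)}

_LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$")


def parse_listeners(netstat_output: str) -> Set[Tuple[str, int]]:
    """Return the set of (address, port) pairs in LISTEN state."""
    listeners: Set[Tuple[str, int]] = set()
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue  # header lines and sockets that are not listening
        local = m.group(2)
        addr, _, port = local.rpartition(":")  # rpartition copes with IPv6 ':::443'
        listeners.add((addr, int(port)))
    return listeners


def audit(netstat_output: str, baseline: Set[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Flag forbidden services and any drift from the approved baseline."""
    current = parse_listeners(netstat_output)
    findings: Dict[str, List[str]] = {"forbidden": [], "unexpected": [], "missing": []}
    for addr, port in sorted(current):
        if port in FORBIDDEN_PORTS:
            findings["forbidden"].append(f"{FORBIDDEN_PORTS[port]} listening on {addr}:{port}")
        elif (addr, port) not in baseline:
            findings["unexpected"].append(f"{addr}:{port}")
    for addr, port in sorted(baseline - current):
        findings["missing"].append(f"{addr}:{port}")
    return findings


if __name__ == "__main__":
    for category, items in audit(SAMPLE_NETSTAT, BASELINE).items():
        for item in items:
            print(f"{category.upper():10} {item}")
```

In use, the listing would come from running `netstat -tln` (or an equivalent) on the restarted host and the baseline from a file kept under change control; anything in the `forbidden` or `unexpected` lists is a reason to stop before the machine is put back into service.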
This can become repetitive and firms have to take what they are given. But there are signs of an industry move for users to dictate elements of the product specification, or to alter the source code to achieve the customisation they want. Microsoft responded to users’ complaints about the way its systems allocated administration rights globally, rather than splitting them according to the normal division of duties within an organisation’s IT department. This was addressed by its Windows 2000 release, which defined separate roles within the admin function. With older versions of Windows, if an intruder gains access to any part of the admin function they can easily access the remaining areas. Some technologists believe there is a great deal of security-related best practice – applicable to PC networks – to be gleaned from mainframe operating procedures.
Most firms use products to restrict fee earners’ internet access during working hours – partly to avoid employees downloading offensive materials such as pornography, which can lead to sexual harassment lawsuits, but mainly because recreational surfing can affect network performance.
Most large law firms do not employ people to monitor the network full time – it is better to configure the network to send automated messages to explain why a user’s access has been blocked. The IT department should not be seen as a censor because that could sour its relationship with the rest of the firm. “If you monitor full time, you create a hostage to fortune,” Janet Day says. “You have to trust the lawyers’ integrity. They have to ask a helpdesk to lift restrictions – the overwhelming majority understand the reasons for these restrictions and do not think that it gets in their way.”
Berwin Leighton Paisner uses e-mail monitoring and scanning software that goes beyond keyword searches and metadata. In common with many IT directors, Day does not think image filters are worthwhile. She says standard practice is to block executable file types because they can bring the network down. Image files are also blocked but this is mainly because their size can slow down the network. Image files can be dangerous so they are usually stopped and analysed on a separate network before being despatched to the recipient.
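The attachment policy Day describes, blocking executables outright and holding images for analysis on a separate network, can be expressed as a small triage function. The following is an added example, not Berwin Leighton Paisner's software or any product's code; the extension lists, the magic-number table and the sample attachments are assumptions constructed for the illustration. It goes one step beyond the text by also reading the first bytes of each file, so that an executable renamed to look like an image is still treated as executable rather than as an image to be held.

```python
"""Attachment triage in the style the article describes (added example).

Decisions: 'block' executables, 'hold' images for off-network analysis,
'deliver' everything else. Content sniffing catches renamed executables.
"""
from typing import Dict, List, Tuple

# Assumed policy lists; a real deployment would take these from configuration.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".bmp", ".png"}

# Leading bytes of common formats; Windows executables start with "MZ".
MAGIC: Dict[bytes, str] = {
    b"MZ": "executable",
    b"\xff\xd8\xff": "image",  # JPEG
    b"GIF8": "image",
    b"\x89PNG": "image",
    b"BM": "image",            # BMP
}


def sniff(content: bytes) -> str:
    """Classify content by its leading bytes, ignoring the filename."""
    for prefix, kind in MAGIC.items():
        if content.startswith(prefix):
            return kind
    return "unknown"


def classify(filename: str, content: bytes) -> Tuple[str, str]:
    """Return (decision, reason) for one attachment."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(content)
    if ext in EXECUTABLE_EXTENSIONS or kind == "executable":
        return "block", f"executable content (extension={ext or 'none'}, header={kind})"
    if ext in IMAGE_EXTENSIONS or kind == "image":
        return "hold", "image: analyse on separate network before delivery"
    return "deliver", "no policy match"


def triage(attachments: List[Tuple[str, bytes]]) -> Dict[str, str]:
    """Map each attachment filename to its decision."""
    return {name: classify(name, data)[0] for name, data in attachments}


# Constructed sample attachments (not real files).
SAMPLE_ATTACHMENTS: List[Tuple[str, bytes]] = [
    ("contract.txt", b"Agreement between the parties..."),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("setup.exe", b"MZ\x90\x00\x03\x00"),
    ("invoice.jpg", b"MZ\x90\x00\x03\x00"),  # executable disguised as an image
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        decision, reason = classify(name, data)
        print(f"{name:14} {decision:8} {reason}")
```

The disguised `invoice.jpg` is the case worth noticing: by extension alone it would be held with the other images, but its header says it is an executable and so it is blocked.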
Day says it is easy to convince lawyers of the need for security measures once they understand the logic behind the procedures. She says lawyers rarely use Hotmail and AOL accounts – these do represent some risk but it is down to the firewalls to contain the problem.
Extranet security is more of a cultural issue than a technical one. According to a senior practitioner the real issue has nothing to do with encryption and authentication. “File sharing will go on no matter what you do so extranets are the lesser evil as far as security is concerned – much better than just using e-mail,” he says.
When law firms decide that a single password does not provide adequate protection, they have to use a two-factor authentication process. They rely on physical encryption keys to provide the second layer of security – even if an intruder knows all the passwords, they cannot log in without the key. SecurID is one of the leading suppliers. The drawback to these devices, according to Brian Collins, is that a client may contact the firm from the other side of the world and demand that, for example, an extranet be set up urgently. Such clients will not accept a protracted delay while the firm organises delivery of a SecurID.
One IT director says his firm was looking at SecurID. “Clients hate them,” he says. Another IT director contends that using physical keys can reduce the level of security. He found that a worrying number of people issued with SecurIDs write the password on a sticker and attach it to the device, which they keep in a pocket of their laptop bag. One large law firm has removed this problem, at least with regard to internal users, by insisting that partners and fee earners use their SecurID as a key fob – this way they are more likely to carry it in their pocket. The addition of fingerprint recognition technology to these devices might go a long way to making such issues irrelevant.
Another option is to develop a two-factor authentication process that is web-based and does not rely on ownership of a physical device. Last year, the concerns of media and new media companies about the loss of their online content through piracy and other forms of unauthorised copying gave rise to systems that provide a second public encryption key system that is held on a separately hosted website. The data on the primary site is encrypted and can only be read if the user is connected to the second website, which provides the key. The connection to the key is broken as soon as the user tries to copy or download. This would enable access rights to be withdrawn retrospectively and could be used to give timed access to data.
Most firms do not allow fee earners to access their e-mail accounts from their PDAs because it is virtually impossible to protect data stored on them with encryption. The Blackberry is beginning to overcome these issues, which is why most large US firms use them. In the case of these firms, it is too late to stop lawyers from using them. As one IT director says: “After two blissful years of use most lawyers would only give them up ‘over their dead bodies’”.
Most large firms have had notebooks lost or stolen. Although it is hard to get past the encryption through the machine’s own interface, it is much easier if the thief puts the stolen hard drive into another computer to analyse its contents. A serious issue in the courts is to what extent the loss of laptops can be construed as malpractice; at the moment most experts think not.
A thorny issue is fee earners on secondment to client companies. After operating outside of a law firm’s control they return with many unknown files on their hard drive. Unless they dock their laptop before logging onto the system (which initiates an automatic virus scan) there is a danger of infecting other machines. This has happened to several of the UK’s largest law firms. If firms use secondments as an alternative to laying off junior staff – which is standard practice in an economic downturn – this issue is likely to come increasingly to our attention.

Monitoring e-mail and internet use
Peter Hall examines the confusion surrounding e-mail monitoring.
E-mail usage has rocketed in the past few years and so have news stories about businesses facing legal liability for their staff’s illegal or inappropriate use of e-mails and the internet.
The potential for damages claims and embarrassment means businesses must manage these risks. Monitoring of e-mail traffic is one method, but the developing law around this issue contains grey areas, with two policy camps pulling in different directions.
The human rights ‘protectors’, such as the Office of the Information Commissioner (OIC), seek restraints on employers’ rights to monitor e-mail traffic and internet use, citing the Data Protection Act 1998 and the Human Rights Act 2000.
The OIC’s view, as set out in a draft Code of Conduct for Employers, provides guidelines on how monitoring should be conducted. Monitoring should be limited, targeted and carried out for clear business purposes only, when this cannot be achieved through other methods. Any e-mail marked personal must not generally be opened. Failure to follow this code when it comes into force could expose businesses to claims under the Data Protection Act and in employment tribunals.
Before the Regulation of Investigatory Powers Act 2000 (Ripa) became effective in October 2000, the business lobby protested that Ripa would expose them to claims for damages for monitoring communications without the recipient and sender’s consent. Consequently, the Lawful Business Practice Regulations 2000 were enacted at the same time, allowing businesses to monitor communications for a number of ‘legitimate’ purposes, to help them to avoid liability under Ripa.
Businesses still need to make all reasonable efforts to tell employees and correspondents that a communication may be monitored and the Regulations need to be read in conjunction with the OIC’s draft Code of Conduct. It is doubtful that these regulations comply with the right to privacy under the Human Rights Act.
Businesses should inform staff and correspondents about monitoring, target monitoring at high-risk areas and, wherever possible, use techniques that do not infringe the privacy of e-mails.
Peter Hall is a TMT partner at Wragge & Co.