When cybersecurity first emerged as a pressing issue almost a decade ago, law firms began to implement safeguards to protect their clients’ data. Many of these early efforts led to headaches and complaints. There were more steps needed to log on, longer passwords to remember, and less freedom to install applications.
But security has evolved, pushed along, somewhat ironically, by the rise of cloud computing. Unobtrusive background technology designed to prevent hacking and data leakage now makes the data security of only a few years ago seem crude by comparison.
Several events prompted IT departments through the legal profession to tighten security. First, as attorneys increasingly used their personal computing devices — consumer laptops, tablets, and smart-phones — for work purposes, data began to spread wildly beyond firms’ control. The (now rarely heard) term for this was Bring Your Own Device or BYOD. Though BYOD led to stress in IT circles, it was met with enthusiasm by Apple fans and others and therefore could not be stopped. Along similar lines, “Shadow IT” referred to nonauthorized programs and services such as DropBox or other file sharing services, which users were increasingly introducing into the workplace.
There were also current events: a spate of highly public corporate hackings, the rise of WikiLeaks, and unsettling revelations of the activities of the U.S. National Security Agency (NSA).
Reacting to these threats, IT departments introduced measures to control the access and sharing of data. Mobile device management (MDM) platforms put restrictions on devices that accessed firm documents, including preventing users from downloading unapproved programs and requiring them to enter a password. Two-factor authentication asked users to enter two sets of credentials when accessing client data, and the use of corporate-grade, legally compliant versions of apps like DropBox was encouraged. Attorneys were asked to come up with new, 20-character passwords every three months.
Some of these measures, to the frustration of IT and management committees, failed to gain acceptance, while others, to the consternation of users, felt time-consuming and stifling. Discussions, webinars, and panels about the right balance between security and convenience abounded in the legal IT industry.
Then, almost as suddenly, the concerns ebbed. A series of innovations that seamlessly incorporate security into workplace IT have largely led to the waning of the security-convenience debate.
Heavy-handed, clunky MDM has given way to cloud-based tools that flag suspicious behavior and draw on identity-based verification for security. Enterprise-grade cloud infrastructure, operating systems, and applications have endeavored to build in controls like encryption, multi-factor authentication, and security analytics. These give IT an easier way to keep track of where the firm’s data resides and to revoke access if necessary, even when the file has already made its way to someone else’s system. Cloud platforms have the added security benefit of frequent updates that patch found vulnerabilities.
Single sign-on (SSO), in particular, is a consequence of the cloud that has made security less of a burden. SSO refers to the ability to access data and applications from any device with a single username-password combination. The cloud, as my colleague Chris Owens wrote in Peer to Peer, “unifies and then verifies identity.”
Identity verification sometimes comes in the form of a notification or code sent to your phone, measures that public solutions like Gmail have been using for a long time. Users have fewer hoops to jump through, and the firm can apply a more laissez-faire attitude to any device that pulls up client data.
Security monitoring has become more streamlined and effective as systems like Windows 10 draw on a symbiotic human-and-machine model of monitoring, which many industries are now relying on to stop hacking and fraud. The computer, using data analytics, flags anomalous behavior, such as access from a suspicious location or a very large data export; the IT administrator then uses human judgment to determine whether a security threat really exists.
On a lower level, document repositories themselves are embedding protection into documents. Legal document management systems like iManage and NetDocuments are encrypting documents and applying digital rights management (DRM), akin to the technology that keeps iTunes music from being copied and shared illegally.
Admittedly, we must still enter pin codes on our phones, and it is still kind of annoying (and is also why Apple spent billions developing facial recognition for the iPhone).
Applying Another Layer
While many of the above-mentioned security mechanisms function in the background and are included with technology you probably already have (e.g., desktop operating system or a document management system), keep in mind that they generally only are available with the recent versions of hardware and software. I mention this caveat because 56% of respondents to ILTA’s 2018 Technology Survey are on Windows 7 or 8, while 57% are using Word 2010 or an earlier version. Many law firms have yet to experience minimalist security, although they will soon as more firms start to upgrade to the latest technology.
Beyond the analytics, encryption, and management features that are included by default with new systems like Windows 10, modern hardware and software are also designed to support optional biometric security. Some law firms are choosing to implement fingerprint, retinal, and facial scanning, which can offer the benefit of simultaneously boosting security and convenience. No need to enter the 20-character password — one swipe or a quick glance and you’re in.
Indeed, most laptops today include fingerprint scanners. In fact, most computers being manufactured today are only compatible with Windows 10 and therefore support biometrics and run the new Kaby Lake processor from Intel, which does not support Windows 7 or 8. Whiskey Lake, its successor processor, is actually already in some new laptops.
Tellingly, Whiskey Lake, unlike a traditional chip release, does not boast flashy improvements in performance; its updates are focused on mitigating security risks from the Spectre and Meltdown vulnerabilities. Even chips are focused on behind-the-scenes security now.
This article was originally published on Thomson Reuters Legal Executive Institute.