Comment: Pessimistic security – a necessary evil?

Given the amount of commercially and potentially nationally sensitive and valuable data held by law firms, and given recent security breaches such as the Panama Papers, the question is no longer whether firms are being targeted by hackers but how, and how far they need to go to protect against a leak.
While law firms have historically focussed on defending their perimeter wall, the wider trend shows that attacks are becoming far more sophisticated, with spear phishing attacks tricking employees into giving away passwords and login details, potentially giving a hacker the internal privileges and access rights of that employee.
Speaking to Legal IT Insider, Dr Mike Lynch, former founder of Autonomy and more recently Invoke Capital Partners, which has invested in next generation cyber security provider Darktrace, said: “We see law firms being attacked by nation state players where an important person from that country or the government is involved in a case or transaction. Law firms are being attacked by the most sophisticated attackers, not bedroom hackers but really serious people. Most of the time they do it really quietly; it’s about gaining an advantage in a legal situation. But in the flick of a switch, it could bring down the firm.
“The same goes for security. Imagine a data breach in a law firm where someone puts all your privileged documents on the web – you’re finished. Law firms are starting to realise that, unlike other industries, a major cyberattack is not survivable.”
While international law firms are using or looking – within the constraints of their varying budgets – to build an increasingly sophisticated cybersecurity arsenal, many are not moving fast enough for clients. The Panama Papers leak, stemming as it did from Panamanian law firm Mossack Fonseca, became the biggest leak in history, with 2.6 terabytes of documents released, exposing the hidden wealth of some of the world’s most prominent leaders and celebrities.
Howard Russell, CEO of RBRO, which is behind cybersecurity solutions such as Safe Sentry and Authorize, told Legal IT Insider: “The concern among large corporations is that law firms don’t have enough complexity in their record access rules and that they have been largely left to do what they want to do. If you are a large enterprise working on a greenfield project and you know it might attract negative publicity, particularly following the Panama Paper leaks, you want to know that your law firm has better security.”
Restricted file access
The result is that a number of firms, particularly those from the United States, are looking at significantly limiting file access within the firm.
Pessimistic security flips the normal ‘optimistic’ approach of law firms on its head, with staff only able to open files where they have explicit rights. If a user has different and potentially conflicting permissions, the default position adopted will be the most restrictive.
This complex exercise in damage limitation – one already adopted by a number of accounting organisations – is, for many IT directors, the stuff of nightmares, given the fast pace that law firms work at, often through the night, with major financial drivers to complete work quickly and without technical impediments.
That is not to mention the fact that the knowledge capital and precedents by which law firms differentiate themselves and add client value – and in the future are increasingly likely to monetise – also currently involve sharing vast amounts of client information around the firm.
Russell says: “If you go to a pessimistic model it will limit the ability of your average user to find valuable reusable documents or identify an expert.”
Dentons leads the way
Where firms are still largely contemplating how they might make pessimistic security work – if they are thinking about it at all – Dentons is leading the way by a country mile. The world’s largest global law firm is currently conducting a pessimistic security pilot in Germany led by global CIO Marcel Henri, who in September told Legal IT Insider: “There is a push within the firm for a completely pessimistic security model; it’s what clients expect.”
Given Dentons’ large financial institutions client base and geographical reach, including into China, it’s not surprising that it is ahead of the curve.
The firm is under no illusion that firmwide pessimistic security will be extremely difficult to implement. Henri said: “The business gets it but of course some parts of the business are resisting it because it limits your ability to share knowledge and content. Firms have invested heavily in search but what is a search if everything is locked down?
“One scenario we have discussed is to draw a line in the sand and say that, from a given date, we will apply a pessimistic security model and lock things down. In order to be able to share best practice and model documents, you are going to have to put more effort in the qualification of those documents and you are going to have to clean them and profile them, which is an extra workload.”
The knowledge management dilemma
For most firms currently, pessimistic security is simply not on the radar. One IT director at a UK top 20 law firm said: “We could just extract the knowledge but the real knowledge isn’t just about the precedent, it’s ‘how did we do the deal’ in its entirety.”
While a balance must be struck to enable the law firm to function, iManage’s chief marketing officer Dan Carmel says: “We need to remind the industry that we are facing a different kind of threat that is particularly challenging and we need to find a way to balance between client requirements, firm risk management and knowledge management.
“If the lawyers are thinking only in terms of knowledge sharing and not recognising the risks, it falls to all of us to raise awareness.”
While draconian, restricting file access doesn’t have to be black and white. Carmel adds: “There is no ‘one size fits all’ solution. When an M&A transaction is ‘in-play’ it may be ‘need to know’, but once announced it might default to a broader policy.”
Russell adds: “You would have to strengthen your ability to identify knowledge by implementing a process to clean up valuable content and making it available.”
Client advantage
Of course, pessimistic security is not a cybersecurity panacea and Russell says: “If an individual inadvertently opens a back door to your system and that individual has access to a highly confidential matter, pessimistic security doesn’t solve your issue.”
Firms are increasingly looking towards solutions that detect irregular activity from within the firm, with iManage, for one, currently testing Threat Manager, its new big data solution that is said to reduce the ‘false positives’ associated with these types of solutions.
Taking significant internal steps to govern client information well is already giving law firms a competitive advantage and the pressure to restrict file access can only be expected to increase. Henri adds: “In light of the many recent security breaches that have made the headlines, I simply don’t think firms will have a choice.”
It may take a major law firm to fail before others agree with him.
Caroline Hill (pictured on the home page) is editor in chief of Legal IT Insider