Webinar: The security risks – and solutions – of remote working
Includes consideration of cloud v non-cloud security; VPN; collaboration; Microsoft Teams; and the policies around physical documents at home
On Thursday 7 May we discussed post-COVID-19 security with NetDocuments VP of product strategy Peter Buck and were joined in the webinar by both listeners posting questions in the chat section, and on screen by a number of high profile lawyers and IT heads who contributed to an interactive and spontaneous conversation.
Buck kicked off our conversation by observing that there has been a sea change within the legal sector: whereas digital may have once been thought of as secondary, the feedback now is that “it’s digital-first” and he observed: “It’s like going to start your car and realising you need a better battery.”
The transition to remote working
For many legal organisations, one of the biggest issues in achieving remote working has been logistics such as equipment, and there has in some cases been a scrabble to fill the gaps in laptop provisions, with the security issues that neccessarily entails. “You have to divide the world into two groups,” said Buck. “Small-to-mid-sized firm and large ones. The latter have a mature deployment process and kit. That went with them. What was missing was the inventory. That’s the gap if IT were to do it over again – the mundane stuff. Mid-tier would come in and take their desktop and monitor with them. IT had to take photos of cable configurations to help them get reconnected.”
With the recovery more likely to take the shape of a ‘w’ than’ a straightforward ‘v’, Buck observed that going forward, law firms and companies will most likely create a ‘home box’ including headphones and other essential items that are properly inventoried in anticipation of a further wave of home working.
We were joined during the webinar by Ken Kroeger, chief information officer at Kutak Rock, who was invited to speak after his observation that he had pushed out 1,000 users in a week. He said: “We’ve been with NetDocuments over 15 years and we are built for mobile, so going home really wasn’t much different other than the volume, which yes, you need to make sure your VPN can handle 1,000 users.
“Security is a little different – in terms of two factor authentication – but the bigger issue has been access to the non-cloud applications which we still have, but the seamlessness between the office and home is one of the true benefits.”
VPN presents recurring challenges for law firms and corporates alike. While some organisations have taken a VDI approach that uses much less bandwidth, the majority use VPN, but Buck said: “The problem is that it relies on perimeter security meaning when I get there all bets are off, I can do what I like.
“The model we like and would like to encourage people to think about is where you’re using cloud technology and connecting over a secure internet connection, using all the technology to accelerate that, but then you use tools such as data loss prevention to protect your applications. That’s the trend we see, and it’s supported by Microsoft and we think law firms will need to go there.”
NetDocuments says that cloud technology will make VPN a thing of the past and Buck clarified this for us, commenting: “In the mid-market, those firms that use practice management systems like ActionStep, Clio, and Xakia connect over https – they have controls from multiple cloud vendors without having to route all the traffic back through the corporate network. I’m not saying that VPNs are bad, and they have an important role, but we think connection over the internet using multi-factor authentication is a modern way that will be simpler over time.”
We were joined during the conversation by Hans Albers, former chief of staff and associate general counsel at Juniper Networks as well as head of legal operations at Juniper Networks. Albers was previously president of the Association of Corporate Counsel and he asked: “Are you having these VPN v VDI v cloud conversations with general counsel – I know security is top of mind for them?”
Buck said: “The ‘how do I connect to the network’ issues are usually the domain of the IT team. The GC cares where their documents are stored and what controls they have over which county they are stored in and how that’s encrypted.” He added: “You’ll certainly be doing a lot on your phone and want to connect in a way that doesn’t bypass the environment but if you have to do three steps the likelihood of you bypassing it are greater, and that’s what GCs care about.”
He adds: “We don’t think its right that you should have to say ‘where should I store this document’. You establish the rules and it should just work.”
Albers said: “In my previous role as head of legal operations this was an important topic. When we did an implementation around our contract management system or workflow system that used a remote server, the infosec requirement would potentially have delayed the project by months. If the cloud provider could say ‘I’ve taken care of all this’ it would have taken a lot of worries off my plate.”
Buck observed: “It’s an important topic now and fortunately it’s an important topic for GCs not just the IT department.”
NetDocuments has recently launched ChatLink, which brings Microsoft Teams within the NetDocuments environment. Buck said: “There is a scary statistic I heard from an information governance professional last week that less than 30% of the matter content is stored in a consistent document management environment and you have to embed yourself where people are so you can mitigate that.”
One of the reasons for building ChatLink is because Teams as yet doesn’t provide geo-location of content.
Joining the conversation Haig Tyler, chief information officer at Herbert Smith Freehills said: “We love Teams and would love to get more into Teams but the fly in the ointment is that the chat storage, the chat message storage in particular, won’t follow multi-geo and that’s a real problem for us. It’s what a lot of firms have where you’ll have a number of large strategic clients insisting that their data doesn’t leave specific areas and something like Chat which is so valuable – the default workaround is to say to our lawyers please don’t put confidential information in there but that doesn’t hold up.”
Tyler said that it falls to Microsoft to resolve this and Buck added: “It’s incumbent on any company delivering cloud technology: it’s about the layers and you have to build all those on top of each other, so encryption and geo-aware storage.”
Kroeger said: “We’re not going to use Teams until it integrates with NetDocuments – that’s been our answer – so now we’ll start to look at using Teams but one without the other was useless to us.”
Asked whether remote working is now the ‘new normal’, Kroeger said: “We’ve had so many lawyers that have gone home and seen how well this works and asked, ‘why do I need an office?’ I think we’ll see a transition here and we’re also working number – of our attorneys we’re running the numbers to say why doesn’t everyone have Notebooks and we’ll do away with the desktop.”
He added: “This is the first time we’ve had to put the system to the test, but it’s won out and we’re going to be more and more mobile.”
One big issue that remote working poses – as flagged by a question in the chat room – is how you tackle the risk of having confidential papers at home.
Kroeger said: “We have a work at home policy that says stuff is still confidential while in your house and if you need to retain it, bring it back, and if you don’t, shred it. It’s a very simple one-page document. In terms of security audits, when we went to the cloud, early on we had to go through a lot with large banks but now they are going to ask ‘what are you doing with all that paper’ and we will see with outside counsel guidelines, they will start to say you can’t print at home.”
Tyler added: “We’ve done a little bit of setting up personal printers, but people seems to be using them less. We can put policy in place and tell people not to do it but a lot of times it comes down to the intelligence, good nature and professionalism of our people. I’ve worked in lots of industries and whilst the legal sector is fallible, it’s less fallible than a lot of other industries. We work with very smart people whose ability to practice depends on them not making a mistake, so there’s an incentive there for them to do the right thing.”
Preventing a major incident
A question we received in advance of the webinar was from Tim Haveron-Jones, former vice president, enterprise legal services at UnitedLex and now a consultant at Provergence, who asked: “I’m keen to explore what we can do as an industry to make sure that the progress that’s been made on new tech and new ways of working doesn’t come unravelled again in the event of a major security, privacy or conflicts of interest breach. The sheer pace at which change has had to be made – in what is, let’s face facts, one of the world’s most change-averse industries – means that a major incident will almost certainly happen at some point, and when it does, there will be MANY people racing to say “I told you so – this is why we have always done things the same way!” So what can we do – both in terms of technology, process, culture and behaviour – to minimise risk while at the same time consolidating the progress that’s been made?”
Buck said: “The fewer products in the portfolio or the integration of those products start to reduce risk because you have intimate awareness. of how they operate, how they are patched. The other thing is the mandates of your suppliers to comply with industry certification and audits – you have to do that basic blocking and tackling. Ken’s example of a simple remote working policy is an example of building that trust.”
You can listen to the webinar in full here: https://vimeo.com/417177897
Our poll was: “Is the transition to home working easier in the cloud, yes or no?” Drum roll… 92% said yes.