2013 Am Law Tech Survey: Firms' Data Security Fears Rise

Data security has become a top concern for law firm technology chiefs.

, The American Lawyer


Law firm technology directors, it would seem, just aren't destined to get a good night's sleep. First there was the recession, which slowed the pace of upgrades and new projects. Then there were lawyers using their personal smartphones and tablets for work, raising questions about how firms should safeguard data on those devices. Now, a new challenge is keeping restful slumbers at bay: Protecting against cyberattacks—and convincing clients that the firm is doing this job well.

To be sure, security has always been a top-of-mind issue for law firms. But as The American Lawyer's 18th annual survey of law technology reveals, the worries, and the stakes, have never been greater. Eighty-six percent of respondents—technology directors and CTOs from 87 Am Law 200 firms—say they are more concerned about security threats now than they were two years ago. An array of factors, the chiefs say, are driving the heightened focus: tougher regulatory requirements, more security-conscious clients, and the more sophisticated techniques used by cyber-criminals, who are increasingly targeting law firms.

Those dark clouds mask an otherwise sunny vista. The "bring your own device" trend, for example, is rapidly transforming from an anxiety-inducing phenomena to standard operating procedure. With the availability of better mobile device management systems—now used by 87 percent of respondent firms—phones and tablets are being integrated into the IT infrastructure with less hassle and more reassurance. As a result, multiplatform environments are now the norm: All of our responding firms have lawyers on iPhones, while 86 percent count Android users among their attorneys, and 45 percent have Windows Phone users—all of those figures are up from last year.

Meanwhile, some optimism is warranted on the budget front. Nearly half of respondents (46 percent) say their technology budgets for capital expenses increased this year, with a fifth seeing more than a 10 percent jump. About the same number (49 percent) saw their IT budgets for operating expenses rise, though here increases were more modest (just a couple of respondents saw hikes of more than 10 percent). Firms may not be spending like it's 1999, but they're not skimping like it's 2009, either."I think the outlook is pretty good," says one CTO who asked not to be identified. "We're making the investments where we think prudent, even adding new positions, in areas like security. In my opinion, things are stable, even looking up." That cautious optimism was clearly reflected in the survey results: Ninety-three percent of respondents say they agree or mostly agree with recent decisions by management regarding the firm's technology.

Survey responses and follow-up interviews demonstrated a broad consensus among the chiefs on several issues. For one thing, they're not racing to embrace Windows 8, Microsoft Corporation's latest version of its PC operating system. Just 5 percent of responding firms are planning to migrate to that platform in the next 12 months. The holdup, the chiefs say, can't be pinned completely on Windows 8's new, and not universally beloved, user interface. Many firms have only recently upgraded to Windows 7, and given the complexities an OS upgrade involves—ensuring software compatibility, providing training—few are eager to go through the process again soon. As one CIO put it: "I don't want to change an OS until I have to."

The outlook is less than rosy, too, for BlackBerry (née Research in Motion), maker of the profession's once dominant mobile device. While 96 percent of respondents reported that their firm supports the BlackBerry platform, 71 percent expect to see a decrease in users over the coming year. BlackBerry had pinned hopes for a resurgence on new hardware and a new mobile operating system, BlackBerry 10, it released this year. Judging from the survey results, that doesn't look likely.

Yet much more significant—and eye-opening—is the nearly universal assessment that security threats have grown more worrisome. This, the chiefs say, is due to a combination of factors. First, law firms are more likely to be targeted. "I'm finding that the random attacks are relatively steady and stable," says one CIO who asked not to be identified. "But I'm hearing anecdotally from colleagues that some [firms] are seeing more targeted attacks." He's hearing it, too, from the FBI, whose representatives, this CIO says, have been speaking at trade shows, stressing the particular vulnerabilities of law firms.

"Law firms are often targeted [since] they store information on clients' pending deals and litigation," Austin Berglas, assistant special agent in charge of the cyber branch in the FBI's New York office, told The American Lawyer earlier this year ["Red Alert," January]. "Organizations who do not protect their 'crown jewels,' or proprietary information, and segregate it from any external facing network, run the risk of having this important information stolen during a cyber attack."

Targeted attacks can be particularly hard to defend against because they often exploit the weakest link in any security net: the humans sitting in front of the computers. These efforts rely on trickery as much as technical prowess: an email that looks so authentic that users don't hesitate to click on a link—and wind up infecting the firm's system with malicious code that extracts sensitive information. "The biggest gap in security is people," says one CIO. "That's where you are vulnerable." To help shore up security, his firm now hires an outside company to test its defenses once a year—in effect, it tries to break in and steal data, and home in on any weaknesses. Other firms are doing the same. Blank Rome CTO Laurence Liss says his firm traditionally did such penetration testing every year or two. Now, he says, "we are doing it very religiously every year."

Indeed, firms have been busy ramping up their defensive posture—and according to the survey, plan to continue that focus in the coming year. At some firms, this has involved creating new positions focused exclusively on security. Blank Rome hired its first director of information security this year. Ballard Spahr now has an IT security expert on staff. "It's not like we weren't concerned about security before, but we see the need for a more targeted focus," says Lisa Mayo, Ballard Spahr's director of data management.

But it's not just cybercriminals spurring the law firms to batten down the hatches. "The short, glib answer is, clients are driving the heightened focus," says one CIO who asked not to be identified. "There is a lot of noise, especially out of the banking industry, about looking specifically at your law firms." Tougher regulatory frameworks, not just in finance but in sectors like health care, are causing clients to ask more questions about the security their firms do, and don't, have in place. "We're seeing a significant increase in client security questionnaires and on-site reviews," says another CIO, who asked not to be identified. "Many firms are [secured] pretty well, but clients may require certain things and firms may have to add systems."

Increasingly, these conversations are happening before engagements are won. "Now as part of the RFP process, you'll need to provide very detailed specifications on what you have in place," says Mayo. "It's becoming a factor in whether you will get the business." Nor is it only preventive measures that clients want to know about. "We'll get requests about our response plan in the event of a cyber-breach," says one CIO. "So [now] we have a cyber-response plan."

In the area of mobile technology, the survey shows widespread use of consumer smartphones, but reveals a much more tepid embrace of tablets. Just 8 percent of responding firms supply them to lawyers, the same figure as in 2012's survey. Nor are most lawyers bringing them in on their own. At nine out of 10 firms, less than half of the attorneys—and often far less than half—are using tablets. Given the burgeoning volume of law-related apps, blogs, and tech show seminars, that might raise some eyebrows.

But in follow-up interviews, survey respondents painted a jury-is-out picture for the tablet market. Current devices, they say, work far better for some lawyers than others. Those who consume content—reading PDFs, performing research, reviewing documents—tend to gravitate towards tablets. Those who primarily create content—writing and editing memos, for example—tend to stick with their laptops. Indeed, the ever-shrinking profile and poundage of business laptops has made them nearly as portable as tablets. So perhaps it isn't surprising that when it comes to their next hardware refresh, the most popular strategy is to deploy laptops only, with 38 percent of firms planning to do so (up from 35 percent last year). Desktop-only and desktop-and-tablet strategies tied for second, with 21 percent of firms each, with the laptop-tablet model following at 20 percent.

Welcome to ALM. You have read 0 out of 0 free articles this month

Get 2 months of unlimited access FREE

Originally appeared in print as A Secure Location

What's being said

Comments are not moderated. To report offensive comments, click here.

Preparing comment abuse report for Article #1202473327555

Thank you!

This article's comments will be reviewed.