2013 Am Law Tech Survey: Firms' Data Security Fears Rise
Data security has become a top concern for law firm technology chiefs.
Law firm technology directors, it would seem, just aren't destined to get a good night's sleep. First there was the recession, which slowed the pace of upgrades and new projects. Then there were lawyers using their personal smartphones and tablets for work, raising questions about how firms should safeguard data on those devices. Now, a new challenge is keeping restful slumbers at bay: Protecting against cyberattacks—and convincing clients that the firm is doing this job well.
To be sure, security has always been a top-of-mind issue for law firms. But as The American Lawyer's 18th annual survey of law technology reveals, the worries, and the stakes, have never been greater. Eighty-six percent of respondents—technology directors and CTOs from 87 Am Law 200 firms—say they are more concerned about security threats now than they were two years ago. An array of factors, the chiefs say, are driving the heightened focus: tougher regulatory requirements, more security-conscious clients, and the more sophisticated techniques used by cyber-criminals, who are increasingly targeting law firms.
Those dark clouds mask an otherwise sunny vista. The "bring your own device" trend, for example, is rapidly transforming from an anxiety-inducing phenomenon to standard operating procedure. With the availability of better mobile device management systems—now used by 87 percent of respondent firms—phones and tablets are being integrated into the IT infrastructure with less hassle and more reassurance. As a result, multiplatform environments are now the norm: All of our responding firms have lawyers on iPhones, while 86 percent count Android users among their attorneys, and 45 percent have Windows Phone users—all of those figures are up from last year.
Meanwhile, some optimism is warranted on the budget front. Nearly half of respondents (46 percent) say their technology budgets for capital expenses increased this year, with a fifth seeing more than a 10 percent jump. About the same number (49 percent) saw their IT budgets for operating expenses rise, though here increases were more modest (just a couple of respondents saw hikes of more than 10 percent). Firms may not be spending like it's 1999, but they're not skimping like it's 2009, either.
"I think the outlook is pretty good," says one CTO who asked not to be identified. "We're making the investments where we think prudent, even adding new positions, in areas like security. In my opinion, things are stable, even looking up." That cautious optimism was clearly reflected in the survey results: Ninety-three percent of respondents say they agree or mostly agree with recent decisions by management regarding the firm's technology.
Survey responses and follow-up interviews demonstrated a broad consensus among the chiefs on several issues. For one thing, they're not racing to embrace Windows 8, Microsoft Corporation's latest version of its PC operating system. Just 5 percent of responding firms are planning to migrate to that platform in the next 12 months. The holdup, the chiefs say, can't be pinned completely on Windows 8's new, and not universally beloved, user interface. Many firms have only recently upgraded to Windows 7, and given the complexities an OS upgrade involves—ensuring software compatibility, providing training—few are eager to go through the process again soon. As one CIO put it: "I don't want to change an OS until I have to."
The outlook is less than rosy, too, for BlackBerry (née Research in Motion), maker of the profession's once dominant mobile device. While 96 percent of respondents reported that their firm supports the BlackBerry platform, 71 percent expect to see a decrease in users over the coming year. BlackBerry had pinned hopes for a resurgence on new hardware and a new mobile operating system, BlackBerry 10, it released this year. Judging from the survey results, that doesn't look likely.
Yet much more significant—and eye-opening—is the nearly universal assessment that security threats have grown more worrisome. This, the chiefs say, is due to a combination of factors. First, law firms are more likely to be targeted. "I'm finding that the random attacks are relatively steady and stable," says one CIO who asked not to be identified. "But I'm hearing anecdotally from colleagues that some [firms] are seeing more targeted attacks." He's hearing it, too, from the FBI, whose representatives, this CIO says, have been speaking at trade shows, stressing the particular vulnerabilities of law firms.
"Law firms are often targeted [since] they store information on clients' pending deals and litigation," Austin Berglas, assistant special agent in charge of the cyber branch in the FBI's New York office, told The American Lawyer earlier this year ["Red Alert," January]. "Organizations who do not protect their 'crown jewels,' or proprietary information, and segregate it from any external facing network, run the risk of having this important information stolen during a cyber attack."
Targeted attacks can be particularly hard to defend against because they often exploit the weakest link in any security net: the humans sitting in front of the computers. These efforts rely on trickery as much as technical prowess: an email that looks so authentic that users don't hesitate to click on a link—and wind up infecting the firm's system with malicious code that extracts sensitive information. "The biggest gap in security is people," says one CIO. "That's where you are vulnerable." To help shore up security, his firm now hires an outside company to test its defenses once a year—in effect, it tries to break in and steal data, and home in on any weaknesses. Other firms are doing the same. Blank Rome CTO Laurence Liss says his firm traditionally did such penetration testing every year or two. Now, he says, "we are doing it very religiously every year."
Indeed, firms have been busy ramping up their defensive posture—and according to the survey, plan to continue that focus in the coming year. At some firms, this has involved creating new positions focused exclusively on security. Blank Rome hired its first director of information security this year. Ballard Spahr now has an IT security expert on staff. "It's not like we weren't concerned about security before, but we see the need for a more targeted focus," says Lisa Mayo, Ballard Spahr's director of data management.
But it's not just cybercriminals spurring the law firms to batten down the hatches. "The short, glib answer is, clients are driving the heightened focus," says one CIO who asked not to be identified. "There is a lot of noise, especially out of the banking industry, about looking specifically at your law firms." Tougher regulatory frameworks, not just in finance but in sectors like health care, are causing clients to ask more questions about the security their firms do, and don't, have in place. "We're seeing a significant increase in client security questionnaires and on-site reviews," says another CIO, who asked not to be identified. "Many firms are [secured] pretty well, but clients may require certain things and firms may have to add systems."
Increasingly, these conversations are happening before engagements are won. "Now as part of the RFP process, you'll need to provide very detailed specifications on what you have in place," says Mayo. "It's becoming a factor in whether you will get the business." Nor is it only preventive measures that clients want to know about. "We'll get requests about our response plan in the event of a cyber-breach," says one CIO. "So [now] we have a cyber-response plan."
In the area of mobile technology, the survey shows widespread use of consumer smartphones, but reveals a much more tepid embrace of tablets. Just 8 percent of responding firms supply them to lawyers, the same figure as in 2012's survey. Nor are most lawyers bringing them in on their own. At nine out of 10 firms, less than half of the attorneys—and often far less than half—are using tablets. Given the burgeoning volume of law-related apps, blogs, and tech show seminars, that might raise some eyebrows.
But in follow-up interviews, survey respondents painted a jury-is-out picture for the tablet market. Current devices, they say, work far better for some lawyers than others. Those who consume content—reading PDFs, performing research, reviewing documents—tend to gravitate towards tablets. Those who primarily create content—writing and editing memos, for example—tend to stick with their laptops. Indeed, the ever-shrinking profile and poundage of business laptops has made them nearly as portable as tablets. So perhaps it isn't surprising that when it comes to their next hardware refresh, the most popular strategy is to deploy laptops only, with 38 percent of firms planning to do so (up from 35 percent last year). Desktop-only and desktop-and-tablet strategies tied for second, with 21 percent of firms each, with the laptop-tablet model following at 20 percent.
This means that nearly 60 percent of law firms have no plans to issue tablets firmwide in the foreseeable future. One of those firms is Gibson, Dunn & Crutcher, which has instead deployed Lenovo X1 and Apple MacBook Air laptops. "They're lightweight, they're fast, they have the capacity to support all [of our] applications and security parameters," says Brett Fazio, Gibson Dunn's chief information officer. In other words, the new generation of ultra-light laptops gets everything right—something that has so far eluded every type of tablet. "For creating and editing documents, I don't know that the iPad is there yet," Fazio says. "The Surface Pro ["Surface Appeal," February 2013] comes close with the full suite of Office . . . but our testers say the weight is the same [as the X1 and MacBook Air laptops] and it doesn't run as many applications. At this time, we will support tablets but not issue them as default equipment."
Nor are firms quite ready to fully embrace cloud computing. Here, the story is familiar, little changed from last year, or the year before that. While more than two-thirds of responding firms (69 percent) are using hosted solutions in some fashion, few are trusting them with their most sensitive information. Just 12 percent use the cloud for storage, and a mere 5 percent use it for document management (numbers that were close to last year's results). Where are firms using the cloud? E-discovery and litigation support (with 62 percent of responding firms) and human resources (56 percent) were the most common uses.
Once again, the biggest worry about the cloud was security. Yet while 68 percent of responding firms cited it as a concern last year, 92 percent did so this year. On one hand, the bump meshes with firms' heightened focus on security. On the other hand, it contrasts with the burgeoning popularity of the cloud in other sectors, not to mention the idea—embraced by many consultants and cloud users—that a provider that lives and breathes technology can be a lot more effective in keeping systems secure than a law firm can. "It's really an issue of control," says Brett Burney, founder of Burney Consultants, which provides technology-related services to corporate executives and legal professionals. "The cloud isn't just magic and smoke; data is in a physical location, highly secured, with redundant backups. But law firms want to be able to say that the data a client entrusted to it is on their server, in their office—not on a server they can't even tell you where it is. They just can't get comfortable with that."
That wariness is unlikely to disappear soon. The cloud may offer efficiencies, but in an environment where clients are asking more about law firm IT, and even coming on site to kick the tires, it can also add complexity. "Clients will ask if you store their data on a third-party server and if you do, what security provisions you have with them," says Fazio. This means that a firm has to ask prospective providers tough questions—and it may not get the answers it needs. "In some cases, public cloud providers won't offer a formal nondisclosure agreement or a guarantee about what happens if there is litigation that involves data on their systems," says Fazio.
Perhaps it isn't security per se that is holding back the cloud, but those old demons long familiar to lawyers: vagueness and ambiguity. For many firms, there just isn't enough clarity, or certainty, about how cloud providers operate. "What happens if I switch vendors?" asks one CIO. "How do I get my data back and off their systems? I get stuck in the contractual language every time." The cloud would be cheaper for the firm, he notes, than running the systems itself and paying for all the real estate they take up. "But in the end," he says, "I just throw up my hands."
Contributing editor Alan Cohen writes about law firms and technology.