2013 Am Law Tech Survey: Firms' Data Security Fears Rise
Data security has become a top concern for law firm technology chiefs.
Law firm technology directors, it would seem, just aren't destined to get a good night's sleep. First there was the recession, which slowed the pace of upgrades and new projects. Then there were lawyers using their personal smartphones and tablets for work, raising questions about how firms should safeguard data on those devices. Now, a new challenge is keeping restful slumbers at bay: Protecting against cyberattacks—and convincing clients that the firm is doing this job well.
To be sure, security has always been a top-of-mind issue for law firms. But as The American Lawyer's 18th annual survey of law technology reveals, the worries, and the stakes, have never been greater. Eighty-six percent of respondents—technology directors and CTOs from 87 Am Law 200 firms—say they are more concerned about security threats now than they were two years ago. An array of factors, the chiefs say, are driving the heightened focus: tougher regulatory requirements, more security-conscious clients, and the more sophisticated techniques used by cyber-criminals, who are increasingly targeting law firms.
Those dark clouds mask an otherwise sunny vista. The "bring your own device" trend, for example, is rapidly transforming from an anxiety-inducing phenomenon to standard operating procedure. With the availability of better mobile device management systems—now used by 87 percent of respondent firms—phones and tablets are being integrated into the IT infrastructure with less hassle and more reassurance. As a result, multiplatform environments are now the norm: All of our responding firms have lawyers on iPhones, while 86 percent count Android users among their attorneys, and 45 percent have Windows Phone users—all of those figures are up from last year.
Meanwhile, some optimism is warranted on the budget front. Nearly half of respondents (46 percent) say their technology budgets for capital expenses increased this year, with a fifth seeing more than a 10 percent jump. About the same number (49 percent) saw their IT budgets for operating expenses rise, though here increases were more modest (just a couple of respondents saw hikes of more than 10 percent). Firms may not be spending like it's 1999, but they're not skimping like it's 2009, either.
"I think the outlook is pretty good," says one CTO who asked not to be identified. "We're making the investments where we think prudent, even adding new positions, in areas like security. In my opinion, things are stable, even looking up." That cautious optimism was clearly reflected in the survey results: Ninety-three percent of respondents say they agree or mostly agree with recent decisions by management regarding the firm's technology.
Survey responses and follow-up interviews demonstrated a broad consensus among the chiefs on several issues. For one thing, they're not racing to embrace Windows 8, Microsoft Corporation's latest version of its PC operating system. Just 5 percent of responding firms are planning to migrate to that platform in the next 12 months. The holdup, the chiefs say, can't be pinned completely on Windows 8's new, and not universally beloved, user interface. Many firms have only recently upgraded to Windows 7, and given the complexities an OS upgrade involves—ensuring software compatibility, providing training—few are eager to go through the process again soon. As one CIO put it: "I don't want to change an OS until I have to."
The outlook is less than rosy, too, for BlackBerry (née Research in Motion), maker of the profession's once dominant mobile device. While 96 percent of respondents reported that their firm supports the BlackBerry platform, 71 percent expect to see a decrease in users over the coming year. BlackBerry had pinned hopes for a resurgence on new hardware and a new mobile operating system, BlackBerry 10, it released this year. Judging from the survey results, that doesn't look likely.
Yet much more significant—and eye-opening—is the nearly universal assessment that security threats have grown more worrisome. This, the chiefs say, is due to a combination of factors. First, law firms are more likely to be targeted. "I'm finding that the random attacks are relatively steady and stable," says one CIO who asked not to be identified. "But I'm hearing anecdotally from colleagues that some [firms] are seeing more targeted attacks." He's hearing it, too, from the FBI, whose representatives, this CIO says, have been speaking at trade shows, stressing the particular vulnerabilities of law firms.
"Law firms are often targeted [since] they store information on clients' pending deals and litigation," Austin Berglas, assistant special agent in charge of the cyber branch in the FBI's New York office, told The American Lawyer earlier this year ["Red Alert," January]. "Organizations who do not protect their 'crown jewels,' or proprietary information, and segregate it from any external facing network, run the risk of having this important information stolen during a cyber attack."
Targeted attacks can be particularly hard to defend against because they often exploit the weakest link in any security net: the humans sitting in front of the computers. These efforts rely on trickery as much as technical prowess: an email that looks so authentic that users don't hesitate to click on a link—and wind up infecting the firm's system with malicious code that extracts sensitive information. "The biggest gap in security is people," says one CIO. "That's where you are vulnerable." To help shore up security, his firm now hires an outside company to test its defenses once a year—in effect, it tries to break in and steal data, and home in on any weaknesses. Other firms are doing the same. Blank Rome CTO Laurence Liss says his firm traditionally did such penetration testing every year or two. Now, he says, "we are doing it very religiously every year."
Indeed, firms have been busy ramping up their defensive posture—and according to the survey, plan to continue that focus in the coming year. At some firms, this has involved creating new positions focused exclusively on security. Blank Rome hired its first director of information security this year. Ballard Spahr now has an IT security expert on staff. "It's not like we weren't concerned about security before, but we see the need for a more targeted focus," says Lisa Mayo, Ballard Spahr's director of data management.