With law firms increasingly relying on technology and end-user sophistication on the rise, the use of unsanctioned applications and services, an issue known as “shadow IT,” is an unwelcomed occurrence in the legal industry. While most employees aren’t maliciously bypassing safe computing policies – they simply are trying to work more effectively – their reliance on self-procured, often consumer-grade solutions can leave their firm’s (and their clients’), most sensitive data unprotected.
Many law firms have already taken steps to mitigate unsanctioned technology use but would benefit from a fully developed plan aimed at addressing widespread tech activities taking place outside of the IT department’s knowledge. Firms must not only create clear policies, but also provide approved alternatives for unsanctioned activity. As a result, law firms are increasingly looking to IT leaders to change the equation by addressing barriers that cause employees to deviate from approved cybersecurity policies.
Before updating or implementing shadow IT policies and guidelines, law firms must accurately diagnose the symptoms and causes of shadow IT. To reduce continued use of unsanctioned applications and services, law firms should debunk some common myths and misperceptions around shadow IT:
Identifying misconceptions around shadow IT is an important first step in eliminating it, but law firms need to go further to root out risky practices. Through a combination of greater communication with attorneys and firm management, regular training on cybersecurity best practices, and policies that are better aligned with business requirements, law firms can give their employees the tools they need to succeed without placing the firm at risk.
Enhancing Collaborative Capabilities
Law firms should view shadow IT as an opportunity to learn which tools their employees prefer and why, and use this to inform the IT planning and budgeting process. At the same time, it’s imperative to create an open-minded technology adoption policy that maintains security standards without discouraging employees from communicating with IT departments. For this to be successful, however, organizations need to ensure IT is not isolated but is instead proactively integrating with the firm.
Fostering Internal Communication
When the IT leaders or executives make legal software decisions without employee feedback, unauthorized application use will predictably follow. IT should actively collaborate with legal employees to understand their needs and challenges, allowing them to procure software that more closely matches their needs. Legal employees should be included in the software procurement process as early as possible to ensure decisions are made with the end-user’s preferences and needs in mind.
Meanwhile, executives also need to foster greater and more frequent communication with their IT departments. When IT departments are able to provide attorneys with the tools they require, employees are less likely to use unsecured third-party products or services to meet their technology needs. Firm’s need to understand the impact that short-term or strictly cost-focused decisions can have on user behavior ; firm management should actively collaborate with IT to prioritize departmental expenses, placing a premium on investments that will reduce organizational risk.
Training and Monitoring
Even with the best selection of approved technology, employee habits die hard – or at least slowly. Law firms should take a two-pronged approach to residual shadow IT, incorporating both mandatory security training and ongoing monitoring. Since unapproved technology use can occur at any level, it’s important that firms train and monitor all personnel. Law firms should also consider creating cybersecurity task forces, drawing from legal and IT teams in order to draft and enforce policies.
Cybersecurity training can’t be a one-time effort; attorneys and staff must be regularly retrained on both why unapproved technology use is dangerous and how they can work with the IT department to gain access to the tools they need. Security training doesn’t need to occur in person as video-based and online training modules can be implemented to improve participation and better track which employees are aware of cybersecurity best practices. IT leaders should also build cybersecurity training into the onboarding processes for both new hires and lateral transitions to ensure attorneys are never left without proper guidance.
Ongoing, IT departments must actively monitor their firm’s network activity to detect possible incidents of shadow IT. When unsanctioned activity occurs, IT must first identify the source and help affected individuals find more secure alternatives.
Ultimately, shadow IT creates a need and represents a unique opportunity to revamp security policies and increase the dialog between C-level executives, managing partners, the IT department, attorneys and staff. Without suitable tools or knowledge of the potential risks, law firm personnel often turn to free and convenient yet risky alternatives.
When executives successfully align their priorities with those of the IT group’s, IT leaders have more leeway to address the underlying causes of cybersecurity risks. By better supporting IT with business priorities – and giving them the support to address law firms’ concerns – organizations can rid themselves of shadow IT.
Copyright © 2019 Legal IT Professionals. All Rights Reserved.