What Legal IT Administrators Really Think About Security and Mobile Access to Legal Data

23
Oct
2013

Bill Ho

Security is the perennial favorite as the number one challenge for legal IT administrators. Because of changing and tightening regulations and new policies regarding sharing certain types of personal or private information, every legal firm is looking for new strategies around delivering information and keeping it secure. At the same time we're seeing that technology must be accessible to anyone - from the pure novice to the power user - especially when files are shared with external users. Federal, state, and local regulations as well as compliance requirements are behind much of this movement. Legal firms are also recognizing that beefing up their security policies provide additional comfort for their clients, customers, and partners as the number of data breaches continues to increase.

 During this past August's International Legal Technology Association (ILTA) Conference, a Biscom-sponsored poll took the pulse of the legal IT community to determine exactly what IT administrators had to say about security the challenges they face protecting confidential client data and document exchanges such as emails or faxes from hackers and data breaches. 

Legal IT professionals were asked two questions: What is your greatest security concern this year and what measures are you taking to protect your data?

Here are the key findings:

• What is your greatest security concern this year?
• Of the polled professionals, 37% agree that mobile access to legal technology is their biggest problem as most workers use, on average, 3 devices to work remotely.
• Nearly 18% say that third-party collaborative sites such as Dropbox, while user friendly, don't offer the security law firms require.
• Some 13% say that security awareness training not only helps reduce user mistakes/lax practice, but is a big factor of law firm audits from corporate clients. According to 10.9% of respondents, short passwords, sharing passwords, using unauthorized software, and sharing confidential information on an unsecured device can jeopardize ironclad procedures especially in regard to cloud-based services/software.
• Only 8.7% said that hackers represent a problem. 
• Two security concerns, each mentioned by only 6.5% of poll respondents, were : compliance with government and privacy regulations and password management.
• What measures are you taking to protect your data?
• Fifty-two percent said secure file transfer was the number one way legal IT professionals can control the security around the huge amount of data being exchanged daily.
• Half of all poll respondents said e-mail encryption is also being adopted as another way to protect data.
• Mobile device management is becoming more important with 43% of respondents saying it was being used as a way to secure mobile data.
• When legal IT professionals were having a hard time in controlling a file sharing site, 27% say they are blocking it. 
• Surprisingly, two-factor authentication is being deployed by only 26% of respondents, who said it was hard to use and difficult to administer. 
• Data loss prevention was last in importance with 22% of respondents mentioning it as a measure currently being taken.

The Biscom - ILTA survey demonstrates that legal IT professionals, faced with enabling the use of mobile devices and the need to develop tighter policies around sharing documents, are looking for security strategies that allow for a flexible Bring Your Own Devicee (BYOD) environment while protecting corporate and client data. 

To understand why SFT wins among legal IT professionals, it is necessary to understand the issues with email, FTP, and mobile devices.

Email is probably what most attorneys and legal professionals will use by default to send or forward electronic files - it's easy to fill in an address and attach files, and practically everyone knows how to use it. But email has extremely poor security, usually comes with size limitations, and lacks reliable feedback on whether the file attachments actually made it to the intended recipients. Additionally, from an administrator's standpoint, large attachments also slow down the mail server, take up valuable storage space that needs to be backed up, and of course, without any security, sensitive files can be easily compromised or end up in the wrong hands.

File Transfer Protocol (FTP) is similarly susceptible to hacking - passwords are passed in clear text, it doesn't employ encryption over the wire, and FTP is not always the easiest to use, especially by those with a less technical bent. Although FTP is prevalent throughout organizations, administrators must manage the servers and spend time assisting users to upload and download files. Often FTP servers become dumping grounds for files - administrators can't tell which ones should stay and which can be deleted. For companies that have strict requirements around data privacy, FTP is a very poor method of transferring files, not just because of its security lapses, but also because of the lack of visibility into the precise transactions that show who and when users uploaded and downloaded files. This makes the job of compliance officers very challenging.

More recently, the growth in the number of mobile device has had an impact on SFT requirements. As more people invest in smart phones, tablets, and other connected devices, IT is facing a new demand to support these devices. The BYOD movement is gaining momentum, and when the principals, partners, and/or the management team of a law firm demand support for these devices, it's up to IT to provide it. And it also falls on IT to somehow ensure that all security policies and regulations apply to mobile devices. The challenge of protecting confidential client data on mobile devices ultimately boils down to addressing the two primary vulnerabilities to mobile device security. The first is leakage of corporate or protected data outside of sanctioned mobile device apps. The second is transferring confidential data from the mobile app to external parties using unsecure methods (i.e. personal or corporate e-mail and unsecure, consumer-based file sharing services).  

All these challenges of information access are the reasons companies are rethinking their information-sharing and file-transfer processes. In fact, just as recently as three years ago, the conversation at ILTA was focused on defining secure file transfer and whether it was needed at all. Today, there has been a real shift within the legal community which is now absolutely committed to the value and use of secure file transfer (SFT) as part of their legal IT operations.

Ideally, SFT can be initiated via multiple methods: a Web client, Microsoft Outlook, and mobile devices. Using the Web application, a sender signs in and initiates a secure delivery. Like a Web email client, the Web interface should include fields where senders enter the recipients' email addresses, a subject, and any file attachments. Senders can also include a secure message that is only available to recipients who have been authenticated. With robust authentication, there is enough security to send credit card information, passwords, social security numbers, medical information and other data that normally should not be sent without protection. 

There are times when lawyers need a more dynamic and active collaboration among users than email can provide. For example, collaborating on a project, a group of users can easily share files with each other, start a discussion or create a comment and manage the level of access based on the participant. Ideally, an SFT solution will enable ad hoc groups where group members can granularly control notifications for new files that have been uploaded or other related activity. 

Sharing files should be as convenient as opening any Web browser, dragging and dropping files onto the page, and clicking “Send” like an email. Unlike like email, however, SFT should guarantee delivery, provide a delivery receipt and log the entire process for auditing purposes. 

The message from the ILTA survey is clear and consistent: sending files securely and sending large files via email or mobile device needs to be extremely secure and extremely easy for users. Without those two components adoption of any solution will be challenging. Flexibility in configuring the application is absolutely critical to maintaining high levels of security - flexibility in terms of modifying the behavior of the application and setting policies for data retention, file restrictions, delivery parameters, and registration. Ultimately, SFT has the capacity to be an integral part of an organization's mission critical infrastructure and to be a relied upon service that can be used by multiple departments - each with unique and diverse requirements.