
How Law Firms Can Manage and Mitigate the Risks of Shadow IT

Steve Falkin

With law firms increasingly relying on technology and end-user sophistication on the rise, the use of unsanctioned applications and services, an issue known as “shadow IT,” is an unwelcome occurrence in the legal industry. While most employees aren’t maliciously bypassing safe computing policies – they simply are trying to work more effectively – their reliance on self-procured, often consumer-grade solutions can leave their firm’s (and their clients’) most sensitive data unprotected.

Many law firms have already taken steps to mitigate unsanctioned technology use but would benefit from a fully developed plan aimed at addressing widespread tech activities taking place outside of the IT department’s knowledge. Firms must not only create clear policies, but also provide approved alternatives for unsanctioned activity. As a result, law firms are increasingly looking to IT leaders to change the equation by addressing barriers that cause employees to deviate from approved cybersecurity policies. 

Common Myths of Shadow IT

Before updating or implementing shadow IT policies and guidelines, law firms must accurately diagnose the symptoms and causes of shadow IT. To reduce continued use of unsanctioned applications and services, law firms should debunk some common myths and misperceptions around shadow IT:

  • Compliance comes with experience: Too many IT leaders in law firms treat rogue tech practices as a problem exclusive to rank-and-file employees, perhaps assuming that experienced attorneys are more likely to comply with corporate policies. While senior personnel may be more aware of the inherent security risks in using unauthorized tools, shadow IT can permeate every level of an organization, from legal secretaries to partners. Tackling shadow IT requires that firms address the challenges personnel at all levels face in order to reduce their reliance on outside solutions.
  • Policies alone are the solution: Firm policies around application use, file transfer and document storage are critical, but (on their own) do little to change ingrained risky computing behaviors. Employees often balance demanding and time-sensitive client work against internal best practices – a busy work style that might unintentionally leave some gaps in the firm’s security. Even when your firm’s policies clearly prohibit certain tools or third-party services and a sanctioned alternative is available, expediency, client demands and unaddressed needs may still lead employees to use prohibited resources. It’s not enough for law firms to simply identify which applications employees use; ridding your firm of shadow IT, or successfully managing it, demands a holistic approach, including ongoing conversations about employee and client needs, identifying potential gaps in previously approved tools, determining training opportunities and conducting regular network monitoring.
  • IT is a cost center: While it’s true that technology expenses are a large part of overall firm operating costs, strategic IT spend can actually reduce overall costs through risk mitigation and productivity enhancements. Targeted IT spend can help organizations ensure the highest return on investment and decrease future expenses associated with misalignment with business needs or, worse, dealing with a security incident. Ensuring that all IT-related projects are known to and managed by or coordinated with the IT organization provides a level of control and consistency that can reduce cost and increase value.
  • Best practices are common sense: Law firms have in-house IT support, but many don’t have enough proactive and ongoing communication between their IT leaders and legal practice groups. This can result in untargeted IT spend, subpar tools and an inability to detect and prevent shadow IT. Law firms should ensure that IT and practice groups have clear lines of communication so they can work together to identify needs and resolve (or avoid) prohibited tech behaviors as soon as they arise. Without a solid understanding of the typical practicing attorney’s needs and challenges, IT efforts will be less effective and unlikely to address the deeply rooted causes of shadow IT.


Addressing Rogue Behavior's Root Causes

Identifying misconceptions around shadow IT is an important first step in eliminating it, but law firms need to go further to root out risky practices. Through a combination of greater communication with attorneys and firm management, regular training on cybersecurity best practices, and policies that are better aligned with business requirements, law firms can give their employees the tools they need to succeed without placing the firm at risk.

Enhancing Collaborative Capabilities

Law firms should view shadow IT as an opportunity to learn which tools their employees prefer and why, and use this to inform the IT planning and budgeting process. At the same time, it’s imperative to create an open-minded technology adoption policy that maintains security standards without discouraging employees from communicating with IT departments. For this to be successful, however, organizations need to ensure IT is not isolated but is instead proactively integrating with the firm.

Fostering Internal Communication

When the IT leaders or executives make legal software decisions without employee feedback, unauthorized application use will predictably follow. IT should actively collaborate with legal employees to understand their needs and challenges, allowing them to procure software that more closely matches their needs. Legal employees should be included in the software procurement process as early as possible to ensure decisions are made with the end-user’s preferences and needs in mind.

Meanwhile, executives also need to foster greater and more frequent communication with their IT departments. When IT departments are able to provide attorneys with the tools they require, employees are less likely to use unsecured third-party products or services to meet their technology needs. Firms need to understand the impact that short-term or strictly cost-focused decisions can have on user behavior; firm management should actively collaborate with IT to prioritize departmental expenses, placing a premium on investments that will reduce organizational risk.

Training and Monitoring

Even with the best selection of approved technology, employee habits die hard – or at least slowly. Law firms should take a two-pronged approach to residual shadow IT, incorporating both mandatory security training and ongoing monitoring. Since unapproved technology use can occur at any level, it’s important that firms train and monitor all personnel. Law firms should also consider creating cybersecurity task forces, drawing from legal and IT teams in order to draft and enforce policies.

Cybersecurity training can’t be a one-time effort; attorneys and staff must be regularly retrained on both why unapproved technology use is dangerous and how they can work with the IT department to gain access to the tools they need. Security training doesn’t need to occur in person as video-based and online training modules can be implemented to improve participation and better track which employees are aware of cybersecurity best practices. IT leaders should also build cybersecurity training into the onboarding processes for both new hires and lateral transitions to ensure attorneys are never left without proper guidance.

Ongoing, IT departments must actively monitor their firm’s network activity to detect possible incidents of shadow IT. When unsanctioned activity occurs, IT must first identify the source and help affected individuals find more secure alternatives.

Putting Shadow IT to Rest

Ultimately, shadow IT creates a need, and represents a unique opportunity, to revamp security policies and increase the dialogue between C-level executives, managing partners, the IT department, attorneys and staff. Without suitable tools or knowledge of the potential risks, law firm personnel often turn to free and convenient yet risky alternatives.

When executives successfully align their priorities with those of the IT group, IT leaders have more leeway to address the underlying causes of cybersecurity risks. By aligning IT with business priorities – and giving IT the support it needs to address the firm’s concerns – organizations can rid themselves of shadow IT.

Steve is a Managing Director for HBR Consulting and has over twenty-five years’ experience in technology consulting and project management. He currently oversees and consults in a broad range of practice areas including IT Strategy, Planning & Assessment, Mission Critical Infrastructure and Tech Facilities. He has a diverse background and manages a variety of projects, with emphasis on quality assurance, project management and strategic alignment to business needs and objectives. He leads strategic planning, analysis and implementation efforts addressing infrastructure, applications, data centers and cloud/hosted computing.

Copyright © 2021 Legal IT Professionals. All Rights Reserved.
