Petar Kobilarov - Channel Sales Manager DACH & The Netherlands at BigHand: We have been working in the legal software industry for 15 years and have witnessed significant improvements in the way law firms address security. However, in a market that typically steps carefully when bringing in new technologies, firms are arguably moving on security more slowly than the threats themselves are developing. You may have recently upgraded your firewalls or operating systems, or even issued new encryption keys for laptops. All of these are valid initiatives, but in many ways they confront yesterday's weak spots. The question is whether you are addressing the hidden security flaws that we find law firms are often not even aware of…

Leaking Metadata
In 2000, a Merck-sponsored study of the pharmaceutical manufacturer's arthritis drug Vioxx appeared in The New England Journal of Medicine. Years later the journal's editors examined the electronic manuscript and found, in its metadata (the revision history, author details and deleted text that office documents carry with them), that data on additional heart attacks among patients taking the drug had been removed from the paper shortly before it was submitted. Vioxx was withdrawn from the market in 2004 and Merck faced thousands of lawsuits. In 2014, the Australian Federal Police published documents online whose metadata disclosed the name, address and telephone interception details of a surveillance subject. The case was publicised as ‘a serious breach of operational security’ and ‘an embarrassment for the law enforcement agency and the federal government’. Word, Excel and PDF files all carry this kind of hidden material: document properties, tracked changes, comments and sometimes the text of earlier drafts. Are all your outgoing documents automatically checked for metadata?
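A check of the kind the question above is asking for, as an added example that is not code from the article or from BigHand's products: it opens a .docx, reports the author fields, tracked changes and comments a recipient could recover, and then accepts the changes, drops the comments and blanks the fields. The sample document is constructed inside the code; the element names are those of the WordprocessingML format, handled here with regular expressions rather than a full XML parser, which is adequate for the sample but not for arbitrary real files.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"regexp"
)

// What a recipient can dig out of a .docx beyond the visible text.
type Report struct {
	Authors                         []string // dc:creator, cp:lastModifiedBy
	Deletions, Insertions, Comments int
}

var (
	reAuthor = regexp.MustCompile(`<(dc:creator|cp:lastModifiedBy)>([^<]+)</`)
	reDel    = regexp.MustCompile(`(?s)<w:del\b.*?</w:del>`) // a tracked deletion with its <w:delText>
	reIns    = regexp.MustCompile(`<w:ins\b[^>]*>`)         // opening tag of a tracked insertion
	reCmtRef = regexp.MustCompile(`<w:comment(RangeStart|RangeEnd|Reference)\b[^>]*/>`)
)

// A .docx is a zip of XML parts; readParts and writeParts move between the two forms.
func readParts(docx []byte) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, err
	}
	parts := map[string][]byte{}
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		parts[f.Name], _ = io.ReadAll(rc)
		rc.Close()
	}
	return parts, nil
}

func writeParts(parts map[string][]byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, data := range parts {
		w, _ := zw.Create(name)
		w.Write(data)
	}
	zw.Close()
	return buf.Bytes()
}

// Inspect is the outbound check: docProps/core.xml holds the author fields,
// word/document.xml the tracked changes and the comment anchors.
func Inspect(docx []byte) (Report, error) {
	p, err := readParts(docx)
	if err != nil {
		return Report{}, err
	}
	doc := p["word/document.xml"]
	r := Report{
		Deletions:  bytes.Count(doc, []byte("<w:del ")),
		Insertions: bytes.Count(doc, []byte("<w:ins ")),
		Comments:   bytes.Count(doc, []byte("<w:commentReference")),
	}
	for _, m := range reAuthor.FindAllSubmatch(p["docProps/core.xml"], -1) {
		r.Authors = append(r.Authors, string(m[2]))
	}
	return r, nil
}

// Scrub accepts every tracked change, drops the comments and blanks the author fields.
// A production scrubber also removes the comments part from [Content_Types].xml and
// word/_rels/document.xml.rels; the constructed sample has neither.
func Scrub(docx []byte) ([]byte, error) {
	p, err := readParts(docx)
	if err != nil {
		return nil, err
	}
	p["docProps/core.xml"] = reAuthor.ReplaceAll(p["docProps/core.xml"], []byte("<${1}></"))
	doc := reDel.ReplaceAll(p["word/document.xml"], nil)                        // deleted text is now really gone
	doc = bytes.ReplaceAll(reIns.ReplaceAll(doc, nil), []byte("</w:ins>"), nil) // inserted text stays, the change record goes
	p["word/document.xml"] = reCmtRef.ReplaceAll(doc, nil)
	delete(p, "word/comments.xml")
	return writeParts(p), nil
}

// sampleDocx builds a constructed draft, not a real client file: one sentence deleted
// under track changes, a replacement inserted, and a reviewer comment left in.
func sampleDocx() []byte {
	return writeParts(map[string][]byte{
		"docProps/core.xml": []byte(`<cp:coreProperties><dc:creator>a.smith</dc:creator><cp:lastModifiedBy>j.doe</cp:lastModifiedBy></cp:coreProperties>`),
		"word/document.xml": []byte(`<w:document><w:body><w:p><w:r><w:t>Our client will settle.</w:t></w:r>` +
			`<w:del w:id="1" w:author="j.doe"><w:r><w:delText> The board has authorised up to 2m.</w:delText></w:r></w:del>` +
			`<w:ins w:id="2" w:author="j.doe"><w:r><w:t> Terms to follow.</w:t></w:r></w:ins>` +
			`<w:commentRangeStart w:id="0"/><w:r><w:t> Regards.</w:t></w:r><w:commentRangeEnd w:id="0"/>` +
			`<w:r><w:commentReference w:id="0"/></w:r></w:p></w:body></w:document>`),
		"word/comments.xml": []byte(`<w:comments><w:comment w:id="0" w:author="j.doe"><w:p><w:r><w:t>Strike the figure before this goes out</w:t></w:r></w:p></w:comment></w:comments>`),
	})
}

func main() {
	before, _ := Inspect(sampleDocx())
	clean, _ := Scrub(sampleDocx())
	after, _ := Inspect(clean)
	fmt.Printf("before: %+v\nafter:  %+v\n", before, after)
}
```

Run as-is it prints the report for the draft before and after scrubbing. The point to notice is the deletion: the sentence the author struck out is still inside the file as `<w:delText>` until the change is accepted, which is exactly the class of residue that surfaced in the Merck manuscript.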

Whaling
An April 2016 article in CIO magazine by Clint Boulton covered the rising incidence of “a hacker masquerading as a senior executive asking an employee to transfer money”, and noted that the FBI has seen a 270 percent increase in identified victims and exposed losses from these CEO scams since January 2015. The scam is often called “whaling”: essentially email phishing, but with the attacker borrowing the identity of a senior person in your firm to pressure the people who approve payments (strictly speaking, whaling is phishing aimed at senior executives themselves; the FBI files the impersonation variant under business email compromise). Law firms are trusted to safeguard payments to third parties, for example on property or deal completions, yet as long as email carries any part of that process it is exposed to this kind of impersonation. Confronting it means both identifying the fake email (the job of gateway products from suppliers such as Mimecast: is the sender's domain authenticated, and is a display name matching one of your partners sitting on an outside address?) and having internal processes and systems that allow payment approvals to be given quickly but only by real, authenticated employees, with any change of payee details confirmed outside email. Do you have a secure process or workflow application that facilitates payment approvals without relying on email to complete part of the communication?
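A gateway-style check for the impersonation pattern described above, as an added example that is not code from the article or from any product it names. The firm domain, the list of signatories and the two messages are constructed for the example; the DKIM check is a substring match on the Authentication-Results header, which a real gateway replaces with a proper parser.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed for the example: the firm's own domain and the only address each
// person a scammer would impersonate legitimately sends from.
const firmDomain = "example.com"

var signatories = map[string]string{
	"jane bloggs": "jane.bloggs@example.com",
}

func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// Flags returns the reasons a raw message looks like executive impersonation.
// No flags means none of these three checks fired, not that the mail is safe.
func Flags(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	var flags []string
	// 1. A signatory's display name on an address that is not theirs.
	if expected, ok := signatories[strings.ToLower(strings.TrimSpace(from.Name))]; ok && !strings.EqualFold(from.Address, expected) {
		flags = append(flags, "display name "+from.Name+" on address "+from.Address)
	}
	// 2. Replies quietly routed to a different domain than the one the mail came from.
	if rt, err := mail.ParseAddress(msg.Header.Get("Reply-To")); err == nil && domainOf(rt.Address) != domainOf(from.Address) {
		flags = append(flags, "Reply-To "+rt.Address+" leaves the From domain")
	}
	// 3. Claims to be internal, but the gateway recorded no DKIM pass for it. A real
	//    gateway parses Authentication-Results properly; the substring test is a shortcut.
	if domainOf(from.Address) == firmDomain && !strings.Contains(msg.Header.Get("Authentication-Results"), "dkim=pass") {
		flags = append(flags, "claims "+firmDomain+" without a DKIM pass")
	}
	return flags, nil
}

// Two constructed messages: a CEO-fraud attempt and a genuine internal request.
const spoofed = `From: Jane Bloggs <jane.bloggs@example.net>
Reply-To: jane.bloggs@webmail.example.org
To: accounts@example.com
Subject: Urgent: completion funds today

Please wire the completion balance to the new account below before 3pm.
`

const genuine = `From: Jane Bloggs <jane.bloggs@example.com>
To: accounts@example.com
Authentication-Results: mx.example.com; dkim=pass header.d=example.com
Subject: Completion funds

Approval is recorded in the payments workflow under the reference below.
`

func main() {
	for name, raw := range map[string]string{"spoofed": spoofed, "genuine": genuine} {
		flags, err := Flags(raw)
		fmt.Println(name, flags, err)
	}
}
```

The spoofed message trips two of the three checks; the genuine one trips none. Note what the check cannot do: it reasons only about headers, so the second half of the defence in the paragraph above, an approval step that is tied to an authenticated user inside a workflow rather than to an inbox, is what actually stops a convincing forgery.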

(Un)Encryption
In April 2016 WhatsApp, the consumer messaging service, announced that it had switched to end-to-end encryption so that “only you and the person you're communicating with can read what is sent, and nobody in between, not even WhatsApp”. They explained that with end-to-end encryption each message is secured with a lock, and only you and the recipient have the special key needed to unlock and read it. In many firms we find users emailing wav or dss files to other users so they can play the dictation or voicemail in a media player. In some cases these are described as “encrypted”, but in the majority of cases what is meant is that the connection to the mail server uses TLS. That protects one hop at a time; the recording itself sits in the clear in every mailbox, mail server and backup it passes through, and anyone with access to those can listen to it. That is not end-to-end encryption, under which only the recipient holds the key that opens the recording. Is your dictation system offering end-to-end encryption?
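What end-to-end encryption of a dictation file looks like in practice, as an added example that is not the article's or BigHand's code: X25519 key agreement with a one-time sender key, a key derived from the shared secret, and AES-256-GCM, so that only the recipient's private key opens the recording and any change to a stored copy is detected. The recording bytes and the party names are constructed for the example; the key derivation is simplified as noted in the code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sealed is all that goes through email. Nothing in it reveals the recording to a
// mail server, an archive or anyone else who holds a copy.
type Sealed struct {
	SenderEphPub []byte // sender's one-time X25519 public key
	Nonce        []byte // 12-byte AES-GCM nonce
	Ciphertext   []byte // AES-256-GCM output, 16-byte tag appended
}

// deriveKey turns the X25519 shared secret into an AES-256 key. Hashing it with both
// public keys is a simplification for the example; a product would use HKDF with a label.
func deriveKey(shared, ephPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipientPub)
	return h.Sum(nil)
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable: deriveKey always yields 32 bytes
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts a recording so that only the holder of the recipient's private key
// can open it; the sender needs nothing but the recipient's public key.
func Seal(recipient *ecdh.PublicKey, recording []byte) (Sealed, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Sealed{}, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return Sealed{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	g := gcmFor(deriveKey(shared, ephPub, recipient.Bytes()))
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	// The ephemeral key is bound in as associated data, so swapping it fails the tag check.
	return Sealed{ephPub, nonce, g.Seal(nil, nonce, recording, ephPub)}, nil
}

// Open recovers the recording. It fails for any private key but the recipient's and
// for any ciphertext that was altered on the way.
func Open(recipient *ecdh.PrivateKey, s Sealed) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(s.SenderEphPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipient.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	g := gcmFor(deriveKey(shared, s.SenderEphPub, recipient.PublicKey().Bytes()))
	return g.Open(nil, s.Nonce, s.Ciphertext, s.SenderEphPub)
}

// Scenario plays the three cases the text cares about: the intended recipient opens
// the file, a party in between cannot, and a tampered copy is rejected.
func Scenario(recording []byte) (recipientOK, middleRefused, tamperRefused bool) {
	lawyer, _ := ecdh.X25519().GenerateKey(rand.Reader)     // recipient
	mailServer, _ := ecdh.X25519().GenerateKey(rand.Reader) // holds a copy, has its own keys
	msg, err := Seal(lawyer.PublicKey(), recording)
	if err != nil {
		return false, false, false
	}
	got, err := Open(lawyer, msg)
	recipientOK = err == nil && bytes.Equal(got, recording)
	_, err = Open(mailServer, msg)
	middleRefused = err != nil
	msg.Ciphertext[0] ^= 1 // one flipped bit in the stored copy
	_, err = Open(lawyer, msg)
	tamperRefused = err != nil
	return
}

func main() {
	// Constructed sample standing in for a .dss or .wav dictation file.
	recording := []byte("RIFF....WAVE (dictation: client instructs us to settle)")
	fmt.Println(Scenario(recording))
}
```

The contrast with TLS is the middle case: the mail server holds the complete message and its own keys, and still gets nothing but an authentication failure. What the example leaves out, and what any real deployment has to solve, is how the sender learns the recipient's genuine public key in the first place.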

Backdoors
One of the biggest trends in the legal sector in recent years has been the move from near-universal BlackBerry use to a BYOD (Bring Your Own Device) policy. Allowing staff to use their own device, or to select from a variety of devices, has in effect opened a backdoor into your law firm. In 2011 a research team at Georgia Tech's College of Computing showed that a smartphone's accelerometer, the internal sensor that detects when and how the phone is tilted, could pick up the vibrations of a keyboard on the same desk and recover complete sentences typed on it with up to 80 percent accuracy. Applications downloaded for personal use, along with the risk of lost or stolen devices, have created a need for added protection against data loss, unauthorised access and malware. Each and every device in the field is an entry point and a risk to your firm's reputation. As a result firms are turning to Mobile Device Management (MDM) systems. An MDM can enforce a passcode and device encryption, wipe a lost or stolen device remotely, block the installation of insecure apps, and secure traffic between mobile devices and your servers. Are you protecting and controlling your smartphone fleet via an MDM?

A Public Voice
We often hear that at many law firms younger lawyers “do not dictate”, yet our pre-project assessments discover wide usage of apps such as Siri. These short-utterance consumer voice apps are very easy to use and give good results, and they have done a great deal to encourage professionals to use their voice to stay productive. The fact remains, however, that the recording, and the “content” the speaker put into it, has been sent to the provider's servers in the public cloud. Potentially sensitive client data is then held in a location beyond your control and outside your organisation, possibly in another jurisdiction such as the United States, where the Patriot Act presents a challenge to absolute confidentiality. Are you sure your voice data is private, secure and not accessible at will by an unapproved third party or a foreign government?

Fortunately, these holes can be quickly addressed. The company I work for, BigHand, has tools in BigHand5 that confront all of the above security and privacy weaknesses at law firms: ‘Scrub’ for cleaning metadata, ‘Now’ for setting up a payment approval process, end-to-end encryption for dictation, MDM integration on mobile apps and, finally, private speech servers for voice-to-text. Just ask for more details…

Lexxyn Groep

Lexxyn Groep is the complete ICT service provider for legal practice. Six closely cooperating partners together offer everything that lawyers, notaries and bailiffs need.