More than 10 years ago at U.K. law firm Golds Solicitors, managing partner Jonathan Edwards had a vision to transform the firm. By introducing technology to streamline the mortgage and home purchase process, Golds was able to partner with all the major U.K. banks, transforming the firm into what was then one of the primary home-conveyancing and finance-related services firms in the U.K. This led to enormous business growth, and to winning a number of legal technology awards. In 2007, when Irwin Mitchell wanted to expand its business into the financial services arena, a merger with Golds was the logical choice.
Jarvie’s vision was not restricted to streamlining technology. He was acutely aware of the need to secure systems, both internally and externally — an aspect often neglected by others in the push to introduce new systems and technology. To meet this need head on, an experienced security professional was needed. IT security and service delivery skills were crucial to planning and implementing effective security measures at Golds.
One of the firm’s early cybersecurity achievements was motivated by having offices at different sites around the country. A quick and simple way to safely exchange data was to add strong encryption on communication links used to transport data between offices. An additional benefit was automatic backup paths. When an outage at a U.K. communication hub happened, communications were securely re-routed through an alternative data link in less than 15 seconds. Golds’ security and IT teams were notified of the issue, and the automatic corrective action had overcome the problem before the service provider was aware of the fault. Those less prepared faced business disruption ranging from hours to several days.
Protecting the firm involved a significant amount of training and collaboration between the technology implementation teams. This was necessary to enable them to build defensive measures into the technology, to monitor system usage and to determine suspect or unusual activity for investigation. Having a well-defined full-time IT security manager role brought significant benefits in day-to-day operations. It was also a significant factor in expanding business with U.K. banks. Operating under strict financial regulation, pre-contract due diligence required auditable verification of security measures and practice. The security program demonstrated how Golds met and exceeded the requirement. It became key to distinguishing the firm as a solid business partner.
Ten years later, it is surprising to note how ahead of its time Golds’ vision was. Implementing system security as a core requirement and ensuring it is seen as a constant and ongoing process across all aspects of the legal practice is a lesson few have fully learned and far fewer have implemented.
Instead, the typical approach to security practised by many firms is a one-off process, comprised of installing a network perimeter defence, such as a firewall on an Internet connection, and some anti-spam filtering on email. Although better than nothing, it does not address any of the evolving aspects of systems security. Static security measures such as these are exactly what hacking tools can exploit to invade, steal or modify data.
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) places restrictions on the handling and protection of personal information. Addressing PIPEDA is not, by itself, a template for establishing adequate cybersecurity. A well-defined and well-implemented cybersecurity strategy and standard will, however, simplify meeting PIPEDA obligations. A cybersecurity strategy should be based upon the excellent security standards available: the U.S. NIST 800 series, the Payment Card Industry Data Security Standard, or PCI-DSS, and the ISO 27000 series. Canadian firms have the opportunity to take solid control of cybersecurity and meet formal security certification as a unique selling point.
Security standards focus on the ongoing process to implement controls to monitor systems and processes. Controls are designed to either prevent or detect issues and take appropriate corrective action to keep systems secure. IT specialists employed to manage day-to-day IT needs often do not have the necessary skills to fully address security needs. It is often tempting for them to engage what they are most comfortable with and know best — a particular security device or technology. Some elements can be automated, but it is a mistake to simply “install a box” and expect that to address every possible risk.
Law practitioners are familiar with passing client matters outside their area of expertise to more qualified colleagues due to the inherent risks of engaging in areas where they lack competence. General IT staff are similarly not always subject matter experts in all areas of cybersecurity and should defer to those with specialist knowledge.
Cybersecurity is, by necessity, a distinct discipline and requires properly certified security experts. With universities now adding specific cybersecurity degrees, in the future there will be a new class of graduate trained in cybersecurity. Like recent law graduates, they still need to build on their experience and competency. To address this, the International Information Systems Security Certification Consortium oversees the Certified Information Systems Security Professional certification to verify experience, skill and competency of those working in systems security. With this certification, there is an enforceable code of ethics and continuing professional education requirement to ensure continued competence.
What is certain is that cybersecurity is a growing concern and it is critical for all businesses to address it. The very nature and sensitivity of legal practice data makes it a valuable target for theft or extortion.
Scanning and attacking systems is easier than ever, and a profitable attack on a legal practice will lead to targeted attacks, exploiting weaknesses in security processes. Golds understood the need, sought the right mix of skills and experience to address it and took action, which helped protect systems and personal information and secure business growth. Subject matter experts, with the appropriate mix of skills and experience to make a difference for Canadian practices, should be integral to your practice to protect your future.
Act now — or ignore at your peril.
Jim Jarvie is the CEO of Network Systems Solutions, a company that provides computer security consultancy to clients in Canada, the U.S. and the U.K. Views or opinions expressed are personal. He is based in Toronto and can be reached at [email protected].