Detecting Danger
Addressing global security threats in legal

Thought Leadership

ITC White Paper, 24/03/2014

Executive Introduction

IT departments in the legal profession have never faced as much pressure as they do today. Compliance and security are now fundamental concerns for the Chief Information Officer (CIO), the IT director and the Chief Operating Officer (COO), not to mention the firm’s clients. Furthermore, these concerns must be dealt with in an environment of increasing regulation, globalisation, consumerisation, and cloud services.

These factors represent a huge challenge for CIOs and IT directors. The general health and security of the firms they serve now depend more than ever on their day-to-day decisions and general management.

Added to this, the legal sector is going through a period of profound change. Consolidation and globalisation have made the process of managing IT a massive undertaking. The mounting responsibilities are rarely mirrored by bigger IT budgets and resources. Many firms just do not have the capacity to address all the technology challenges that they are burdened with.

Further still, with the de-regulation of the legal market and the advent of Alternative Business Structures (ABSs) in the UK, there is even more pressure to deal with client matters in an efficient and cost-effective manner. At the same time, experienced professionals such as CIOs and COOs are being hired from outside of the legal sector, and are bringing established discipline and practice to the industry.

This all comes at a time when growing regulation and increasing scrutiny by clients are causing firms to look closely at their internal checks and processes to prevent technology failures and security breaches. This is not something that can be easily achieved, but there are security providers that can deliver sophisticated and targeted services efficiently and not at an exorbitant cost.

In this thought leadership paper, we talked to senior members of the legal industry about their views on data and network security. We discovered that law firms needed to do considerably more to protect themselves against the increasingly sophisticated threats to their security. Further still, we learnt that financial and reputational loss was a very conceivable consequence of not implementing the appropriate safeguards.

Tom Millar, Chief Executive Officer, ITC Secure Networking

Legal sector security: How firms are acknowledging the threats

Thought Leadership www.itcsecure.com 1


Detecting Danger

The legal sector is awake to modern-day security risks and is taking valuable steps to ensure that internal data, including client data, is appropriately protected.

If the recent scandal surrounding former CIA employee and whistleblower Edward Snowden has shown us anything, it is that nefarious surveillance and cyber threats are more prevalent than we ever imagined. If the German Chancellor Angela Merkel’s mobile phone can be tapped, what hope do the rest of us have? Whether it is state-sponsored or not, these threats are genuine and ubiquitous, and for businesses a breach could lead to catastrophic financial and reputational damage.

Security management is an area in which many industries have invested an enormous amount of time, money and resources. The financial services industry, for instance, takes security management very seriously. It does of course face some of the tightest regulation in the global economy, and a number of high-value fines have been dealt out to institutions that have not lived up to their regulatory obligations. The Information Commissioner’s Office fined the Bank of Scotland for breaching the Data Protection Act in 2013. In the United States, TD Bank was fined $52.5 million by several agencies including the Securities and Exchange Commission (SEC) this year for violating the Bank Secrecy Act. The fines may be substantial, but the reputational consequences are even more damaging.

As banks deal with their customers’ money, they are subject to tight controls by regulators, particularly following the global financial crisis. But the same obligations are faced by many other industries, including the legal profession.

Legal sensitivities

Though law firms don’t invest clients’ money and have been generally slower to adopt the same level of security management as the financial services industry, they do hold an incredible amount of sensitive client information. With global threats increasing, growing scrutiny from regulators and mounting pressure from clients to hold their data and information safely, firms are taking the security management agenda ever more seriously.

Law firms do of course often move a little slower than other sectors. With most firms owned and managed by the partners, any IT expenditure needs to be appropriately justified and substantiated.

Client and procurement pressure

Chris White, Global IT Director at Clyde & Co, admits that the legal profession is “behind the curve” compared to the financial services industry, but he says that the tide is turning. “I think we have underinvested in our whole approach to IT security and information security, but we are having to respond to increasing client demands around security,” he remarks.

The veteran of IT in the legal sector indicates that clients are asking more and more questions about what sort of security measures the firm has in place. “When a client says jump, you jump,” he says, suggesting that the firm has not yet lost a pitch for business due to unsatisfactory security management, but that this was a very real possibility.

He points to the fact that the legal profession is immensely competitive. Firms win competitive tenders and positions on legal panels through small margins of differentiation. By having better security processes, the firm can offer that extra assurance to a client and stand an even better chance of winning their business.

White uses the analogy of buying a house. He explains: “When there are two houses that are exactly the same, but one has locks on the windows, you choose the one with the locks on the windows.”

One IT director at a major global law firm suggests that clients are becoming more and more aware of their own security risks and don’t want their advisers to be responsible for a damaging breach. “Our clients now increasingly ask us detailed questions about our processes, procedures and security controls. They come and audit our systems to confirm that our answers are accurate. They often ask if we have had external penetration testing and would normally expect the answer to be ‘yes’,” he remarks. More and more clients are requesting detailed audits and penetration testing reports.

The experienced IT specialist says that the reputational damage caused by a breach and loss of data could be absolutely catastrophic: “In professional services, we are holding a lot of data on the client’s behalf. We are concerned about this leaking because of the commercial consequences of that loss occurring and also because of the fear of litigation. That drives a lot of our work in security. We don’t want to be publicly embarrassed and suffer reputational loss as well as litigation.”

Further still, firms could face severe financial liabilities on top of the reputational damage. Corporate clients that lose sensitive data or documentation because of a security breach at their lawyers’ offices could well launch legal action to recover damages. Tony Moss, Litigation Programme Manager at British American Tobacco, says that his company is incredibly serious about security management and he would expect his external legal advisers to have the same approach. “Our big concern is that the security of our data is only as secure as the weakest link. We would expect law firms to treat our data at least as seriously as we do, if not more so,” he remarks.


Mr Moss senses that law firms need to up their game on security management because the stakes are being raised on a daily basis. “The security threats and risks you hear about are changing daily and therefore periodic audits and tests are insufficient. The chances are that without the appropriate monitoring, logging and reporting, the law firm won’t even know that they have a problem. I think this is playing with fire,” he says.

And what if a firm did not take a fitting approach towards network and data security and then suffered a security breach as a result? Mr Moss says it wouldn’t receive much sympathy from the client. “In a worst-case scenario where a law firm did not have the appropriate security and we suffered a loss as a result, we would certainly consider a negligence claim,” he states.

The sensitivities around this are becoming even more acute, because clients are increasingly choosing their legal advisers as part of a formal procurement process rather than through traditional personal relationships. Sophisticated procurement departments are now looking closely at a firm’s expertise, resources, capabilities and its ability to hold information and data securely. A Chief Financial Officer (CFO) at an Alternative Business Structure (ABS) firm believes that clients and potential clients will start to perform increasingly demanding audits on their legal advisers, including external intrusion testing, as part of a wide-ranging procurement-driven analysis. “We service large parts of the insurance industry,” he explains. “Traditionally, the relationship would have been struck between the head of claims and a senior partner, but now the team that oversees the contract will be multidisciplinary.”

More onerous regulation

While firms are feeling the pressure from clients and procurement processes, they are also burdened by increasing regulation. Though the Solicitors Regulation Authority (SRA) is not considered as vigorous as its equivalents in the financial services industry, such as the Financial Conduct Authority, it is not viewed as lenient. In the 12 months leading up to 30 June 2013, the SRA closed 38 law firms, according to accountancy firm Wilkins Kennedy.

The SRA introduced outcomes-focused regulation in 2011, which includes a detailed emphasis on the identification of risks and the controls for mitigating those risks. The SRA demands that firms perform satisfactory monitoring and reporting procedures, so that consumers of legal services are properly protected.

For many firms, this represents a possible thin end of the wedge, an era in which more burdensome regulation will be heaped on the profession. Security management will inevitably be an important aspect.

Consumerisation and the Cloud

Just as firms are facing a more challenging regulatory environment, they too are having to deal with the advent of the consumerisation of technology and the bring your own device (BYOD) phenomenon. BYOD technology is enabling lawyers to be working, managing their time and billing constantly. Security needs to match that development. It should enable firms to work in a way that satisfies client demands and boosts their financial results. Corporate data is now often held in multiple data centres, in the cloud, and across various networks and devices. The days of CIOs and IT directors having a prescriptive role are over. No longer do they allocate locked-down BlackBerry smartphones and corporate laptops to the workforce, when individuals believe they can be more productive and work more flexibly with their own devices. This clearly has security implications and increases the chance of a breach. “People may be working from home or in airport lounges and they’ll want to access corporate data from wherever they are and on whatever device they are using. Security is an important element of delivering that,” White comments.

And then there is the issue of infrastructure as a service (IaaS), software as a service (SaaS), and the cloud. A firm’s technology suite is no longer entirely managed internally. “The City environment is more aware of electronic communication and how we are more dependent on technology. With cloud computing, it would be very easy for us to lose control,” White says.

Data integrity

He suggests that firms are becoming more and more comfortable with using external providers for various technology services. For instance, a high proportion of top City law firms use Mimecast for email management and recognise that this doesn’t mean that Mimecast has access to their confidential and sensitive data. There remains a misconception in some quarters about whether security providers can actually see or access the data. Providers actually only receive event information from logs and other sources. White explains: “One of the big issues around data is where the data is actually held and there is legislation around that, but with ITC for example, they don’t actually hold the data.”

One IT director agrees that firms and clients understand that the traditional methods of holding and monitoring data are no longer feasible: “Our clients recognise that is not how the world works. We tell them that we have a third party helping to secure our systems, including holding our data, and then they ask what security measures we have in place around that third party, including what kind of accreditation it has. We haven’t encountered anyone saying that we can’t use a third party.”


ITC suggests a simple five-step process to secure a law firm and be compliant with international regulatory bodies including the SRA:

1 Deploy a central log management solution
2 Build an Asset Model identifying your key systems
3 Scan those assets for security vulnerabilities
4 Send all this information to a central reporting tool (SIEM)
5 Introduce Dynamic Threat feeds that identify sources of poor reputation (e.g. new malware, infected sites etc.)

For full details see page 7


Globalisation

The use of third-party providers becomes even more attractive for firms that are continually expanding. The legal profession’s embrace of globalisation has led to an era of consolidation, mergers and the opening of overseas offices. Firms have also established lower-cost advisory and support offices, including business process outsourcing (BPO) centres and legal process outsourcing (LPO) branches.

With a larger workforce operating from multiple locations, this obviously creates more risk, and keeping on top of the additional threats can be a huge task. White remarks: “There is all sorts of monitoring technology out there but quite frankly we are a firm with hundreds of people across a global network and with a relatively small IT department.”

He says that in theory the firm could manage the security issues in-house, but with the growth of the firm and the complexity and sophistication of worldwide threats, it is an unmanageable challenge: “We have monitoring technology in place, but we get swamped with the information that comes back and it becomes very hard to look for the relevant warnings. We just don’t have the resources or expertise to do it properly.”

In summary

Security management is a top priority for many law firms’ IT departments, because clients are understandably sensitive about how their data is held. The regulatory landscape is becoming more rigorous, to the extent that national authorities demand that firms meet minimum requirements for data security.

And with the onset of consumerisation, BYOD and globalisation, firms face a huge task to ensure that their systems are secure and that they are aware of dangerous threats. For many, the prospect of managing this in-house is a step too far, as one IT director admits: “You can recruit a security officer who has a specific remit around this area, but we just found it helpful to work with a third party that has done this sort of work with other organisations like ours. It is probably best left to the experts.” Many firms have attempted to manage their security internally, but increasingly they are recognising that they can get more power and expertise from a provider, and also at a fraction of their current costs. Indeed, most providers will utilise and enhance existing technologies through a consultative process.

Gareth Lindahl-Wise, Group Information Security Manager for BAT, feels that law firms must acknowledge the increasing concerns of their clients when it comes to the security of information and data: “Companies will turn to external counsel for support for some of the most sensitive activities in business. This results in law firms holding large volumes of your most valuable information. Recent studies have demonstrated how law firms are seen as the ‘soft underbelly’ of security and may be the avenue that industrial espionage takes to get your data.” Mr Lindahl-Wise says that BAT is finding it necessary to push the agenda and encourage its external lawyers to fall into line. “BAT’s third-party information security due diligence programme recognises this potential risk and will be ensuring the appropriate environment exists for the safe management of our information,” he explains. “Part of this evaluation will be to establish the technical controls provided to monitor activities on the law firms’ systems to assist in preventing, detecting and responding to malicious or accidental incidents.”


ITC Secure Networking

Established in 1995, ITC Secure Networking delivers assured IT solutions to a range of organisations and businesses. ITC designs, builds and optimises network and security infrastructures to enhance performance, safeguard information and simplify management. NetSure360° is a unique offering, delivering Infrastructure and Security Management as a Service. NetSure360° is completely modular and scalable, delivering comprehensive visibility, control, and assurance across an entire IT network and security infrastructure.


To protect themselves, organisations are increasingly deploying point security technologies and infrastructure such as packet filtering firewalls, next generation firewalls, intrusion prevention devices, application firewalls, mobile device management and many other solutions. Whilst these technologies may individually protect or alert upon one or a number of specific threats, they often produce mountains of logs which are often stored to different logging platforms, and although the data may have value, it is not at all contextualised, summarised or prioritised. In other words, it just creates more noise.

ITC has been deploying these very systems for over 20 years and we offer the following recommendations in Five Simple Steps for deploying a security platform into which these point products can be integrated to provide rich contextualised data, meaningful accurate alerts and valuable reporting.

The centralised logging platform

We implement both real-time and forensic security analysis through synchronised logging on multiple platforms. This centralised logging platform covers the full IT suite, including infrastructure, servers and applications. The platform offers long-term storage, processes logs from multiple sources, is centrally searchable, and can withstand major faults and outages.

The asset model

We build an asset model of the customer’s IT estate, to highlight business-critical and vulnerable systems. This asset model is used alongside vulnerability data to contextualise and prioritise security alerting.

The vulnerability assessment

This is the process of scanning servers, infrastructure and applications for known vulnerabilities. It prioritises remediation through patching and upgrades, and enables security alerts to be appropriately scaled.

Security Information Event Management (SIEM)

With a centralised logging programme, an asset model and captured vulnerability data, we then define security ‘use cases’. This could be identification of privileged access, VPN access by internal logged-in users, or forced login attempts across multiple systems.

We already have a portfolio of ‘use cases’ built for general use, including specific programmes such as those we developed for DDoS threats against financial institutions.

Dynamic threat feeds

We recommend using threat data from as many sources as possible. The data may include sites with known bad reputations, high-risk attack sources, specific attacks, and new malware. We are then in a better position to identify an Advanced Persistent Threat (APT).
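The five steps listed in the summary box earlier in the paper and described in the sections above (central logging, asset model, vulnerability data, SIEM use cases, dynamic threat feeds) can be walked through end to end in a small script. The script below is an added illustration and is not ITC's or NetSure360°'s code. Everything in it is constructed: the log lines from a firewall, a directory server and a VPN gateway, the asset criticality ratings, the vulnerability counts and the single threat-feed entry. The scoring formula is an assumption chosen to show how asset criticality and open vulnerability findings scale an alert, as the asset model and vulnerability assessment sections describe, and two of the SIEM use cases named above (forced login attempts across multiple systems, and VPN access by a user who is already logged in internally) are implemented alongside a threat-feed match.

```python
"""Toy SIEM pipeline (added example, not ITC/NetSure360 code) walking through the
five steps: central log store, asset model, vulnerability data, use-case
correlation and threat-feed enrichment. All data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Step 1: logs from three sources (firewall, directory, VPN) already forwarded
# into one central, searchable store. Constructed sample lines, not real logs.
LOGS = [
    "2014-03-24T09:00:01 src=fw01 event=allow src_ip=203.0.113.9 dst=dms01 dport=443",
    "2014-03-24T09:00:05 src=ad01 event=logon_failed user=jsmith host=dms01 src_ip=198.51.100.7",
    "2014-03-24T09:00:06 src=ad01 event=logon_failed user=jsmith host=fileserver src_ip=198.51.100.7",
    "2014-03-24T09:00:07 src=ad01 event=logon_failed user=jsmith host=mail01 src_ip=198.51.100.7",
    "2014-03-24T09:05:00 src=ad01 event=logon_ok user=alee host=ws-042 src_ip=10.0.5.42",
    "2014-03-24T09:06:00 src=vpn01 event=vpn_connect user=alee src_ip=203.0.113.9",
    "2014-03-24T09:07:00 src=fw01 event=allow src_ip=192.0.2.77 dst=dms01 dport=445",
]

# Step 2: asset model, business criticality 1 (low) to 5 (critical). Assumed values.
ASSETS = {"dms01": 5, "fileserver": 4, "mail01": 3, "ws-042": 1}

# Step 3: vulnerability scan output, asset -> number of unpatched high findings. Assumed.
VULNS = {"dms01": 2, "fileserver": 1, "mail01": 0, "ws-042": 0}

# Step 5: dynamic threat feed, source IP -> reputation note. Constructed entry.
THREAT_FEED = {"192.0.2.77": "known malware distribution host"}

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime timestamp."""
    ts, rest = line.split(" ", 1)
    event = dict(KV.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event


def search(events, **where):
    """Central-store query: events whose fields match every given key=value."""
    return [e for e in events if all(e.get(k) == v for k, v in where.items())]


def score(asset, base):
    """Assumed scaling: base score times asset criticality, plus 2 per known vulnerability."""
    return base * ASSETS.get(asset, 1) + 2 * VULNS.get(asset, 0)


def correlate(lines):
    """Step 4: run the SIEM use cases over the central store and rank the alerts."""
    events = [parse(line) for line in lines]
    alerts = []

    # Use case: forced login attempts for one account across multiple systems.
    failed_hosts = defaultdict(set)
    for e in search(events, event="logon_failed"):
        failed_hosts[e["user"]].add(e["host"])
    for user, hosts in failed_hosts.items():
        if len(hosts) >= 3:
            worst = max(hosts, key=lambda h: ASSETS.get(h, 1))
            alerts.append(("forced_login_multi_system", user, score(worst, 3)))

    # Use case: VPN access by a user who already holds an internal (10.x) logon.
    internal = {e["user"]: e["host"] for e in search(events, event="logon_ok")
                if e["src_ip"].startswith("10.")}
    for e in search(events, event="vpn_connect"):
        if e["user"] in internal:
            alerts.append(("vpn_while_logged_in_internally", e["user"],
                           score(internal[e["user"]], 2)))

    # Threat-feed enrichment: inbound traffic from a listed source to a modelled asset.
    for e in events:
        ip = e.get("src_ip")
        if ip in THREAT_FEED and "dst" in e:
            alerts.append(("threat_feed_hit", f"{ip} ({THREAT_FEED[ip]}) -> {e['dst']}",
                           score(e["dst"], 4)))

    # Highest priority first, so the analyst sees the critical-asset hit before the noise.
    return sorted(alerts, key=lambda a: a[2], reverse=True)


if __name__ == "__main__":
    for name, detail, priority in correlate(LOGS):
        print(f"{priority:3d} {name:32s} {detail}")
```

Run as-is, the script ranks the threat-feed hit against the critical document management host above the password-guessing pattern, and both well above the VPN anomaly on a low-value workstation. The point of the asset model and vulnerability data is exactly this ordering: the same use case fires at very different priorities depending on which system it touches.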

In summary

What does Five Steps to Security and NetSure360° deliver for our clients? Access to experts in information security, security architecture and security management. NetSure360° delivers 24x7x365 visibility and control of security events and incidents. Crucially, it delivers complete assurance to your clients.


[Figure: ITC’s Recommended Security Management Proposition, showing the NetSure360 SIEM together with Logging, Asset Model, Vulnerability Management and Dynamic Threat Feeds]