The legal industry has sensitive data in constant use, both for case proceedings and daily practice management, and for this reason their IT departments are often at the center of technology evolution. While this can be a good thing, it also means that law firms are particularly susceptible to cybersecurity incidents, since cybercriminals have increasingly come to view the legal industry as a big payout for cyberattacks.

IT departments in law firms must go beyond just having a continuity strategy in place to tackle IT downtime and cybersecurity. They must also be equipped to prove its effectiveness to their clients, auditors, and other stakeholders. The external and internal pressures of risk management have led to, and will continue to foster, a monumental shift within legal IT departments. Here are three new responsibilities that have arisen within IT teams, and what they mean to the future of legal practice.

1. Firms Must Integrate Cybersecurity Functions with IT Disaster Recovery Functions

Business continuity demands are becoming more similar than different from each other, since a cyberattack now tends to have the same impacts on IT availability and client reputation as a weather disaster. The rapid growth in cyber incidents means that the likelihood of a breach is now greater. This is why firms must formally begin considering security incidents as “disasters,” and IT teams must widen their perspective of what can take their business offline.

The realms of cybersecurity and IT disaster recovery (DR) have several similarities. Security professionals have long been known for their quick responsiveness to breach incidents and DR professionals are dedicated in their event reaction to avoiding data loss. The two groups, while historically in silos from each other, have a shared goal in meeting availability demands, and companies in many industries have noticed this commonality as a strength in building IT resiliency. We're seeing the lines of specialty blurred more and more, as the two groups are being asked to work together.

Proper risk mitigation demands a two-pronged approach: a balance of preventative and restorative measures.

It's a hard reality, but firm leadership must recognize that no matter the amount of money invested in cyber threat prevention, all it takes is one wrong click to invite an intrusion. For this reason, a restorative approach—i.e. a robust DR plan—must take equal precedence, if not more. And yet, it's the restorative aspects that are often lacking within law firms.

Disaster Recovery-as-a-Service (DRaaS) has long been used to solve for downtime and data loss. In these recent years, this solution has also emerged as a great way to achieve holistic IT availability, especially with cybersecurity and DR practices merged into a single plan. Since DRaaS has an established reputation as enabling a quick response to a variety of events, it's becoming increasingly popular among law firms.

2. Firms' IT Teams Are Now Responsible for Vendor Management

One growing trend that is affecting all legal departments is the use of third parties. The pay-as-you-go-for-what-you-use model of service for outsourced entities means that firms gain flexibility and a helping hand to tackle the challenges of the future. For IT departments, the biggest trend of outsourcing is that of the data center, since cloud computing has made it possible to offload this management to a third party. Since they no longer need to dedicate extensive resources to maintaining IT infrastructure, IT departments have now freed up bandwidth to refocus efforts on more pressing projects.

The problem with outsourcing is that, if not kept in check, third-party vendors could pose a major cybersecurity risk, since they're basically an extension of your firm and your firm's data. For this reason, many IT teams are being held responsible to manage the relationships between these vendors and ensure all IT systems, both on the firm's end and the vendor's end, are up to snuff.

3. To Truly Secure Technology, Firms Must Address Generational Gaps

Pat O'Day, CTO of Bluelock, predicts that the majority of cybersecurity incidents in 2018 will be a result of poorly-maintained legacy IT systems or poorly-implemented modern IT systems—a result of generational differences within IT teams.

As O'Day states, “Legacy in-house technology may not be up-to-par to compete against faster, more modern solutions. If this infrastructure is managed by an IT group entrenched in a traditional way of doing things, it could mean slower adaptation to emerging cybersecurity threats. Conversely, modern IT tools are often implemented and managed by a younger group that may never have experienced the full impact of an actual breach. Here, unfamiliarity on both sides is driving inadequate solutions.”

A disconnect in understanding and lack of communication creates the recipe for a security breach. When new technologies are implemented, how will they affect clients? If two law firms use Dropbox or Google Docs to share information on a mutual client, does the client know? What security risks could this pose? Adopting new technologies with the interest of greater convenience and winning a case may not always be the best choice in the long term.

The older generation must educate the younger generation of what can happen when technology goes wrong, since the younger generation may not have experience with breaches. Likewise, the younger generation must educate the older generation of what technologies exist that could drive efficiency. Then, the two groups must examine the pros and cons of new technology together, sharing with their unique perspectives. This cooperation will help IT teams agree upon the best course of action, which is the ticket to successful risk management.

 

Jeff Ton is executive vice president of product and service development for Bluelock where he is responsible for driving the company's product strategy and service vision and strategy. Ton has over 30 years of experience in business and information technology and previously served as CIO for Goodwill Industries of Central Indiana and Lauth Property Group.