Adoption of new technologies has accelerated as a result. Efficiency-related systems and products, such as document management and scanning tools and e-discovery, are already helping firms cut costs and maintain profits, according to Macquarie Bank’s 2017 Legal Benchmarking Report.
Widespread embrace of more disruptive technologies, such as data analytics and artificial intelligence, is yet to occur but it will likely prove inevitable for firms that are serious about re-engineering their business models for sustainable success.
With the brave new world of digital systems comes a whole new world of cyber risk. Ensuring sensitive commercial and personal data is secure as new systems are rolled out should be top of the To Do list for law firms which are serious about protecting their clients’ privacy and their own reputations.
Following the law
Australia’s tough new data breach reporting laws, which came into effect in February 2018, mean a rigorous approach to IT security is more important than ever.
Businesses with turnover in excess of $3 million which experience a data breach, or suspect one has taken place, must notify their customers and the Office of the Information Commissioner, a statutory body which can impose stiff penalties on firms which don’t take appropriate action to remediate the issue.
Designing security into the system
The optimum time to implement security measures is when new systems are being planned and installed but too often cyber-protection is an afterthought, bolted on at the end, rather than treated as integral to the implementation process.
Taking a ‘secure by design’ approach avoids exposure to unnecessary risk and ensures cyber security is factored into system upgrades and overhauls from the outset.
It will likely be viewed as ‘bridesmaid’ technology – not the aspect of a major project which wows users or gets the project team excited – but treating it as a low priority is an invitation for hackers to swoop.
An Australian defence contractor learned this the hard way recently. Information about the country’s Joint Strike Fighter program and other military hardware was stolen – not a good look for a firm hoping to maintain an ongoing relationship with the Australian Department of Defence.
Unfortunately, for many professional firms – even those to which privacy and security should be of paramount concern – it takes a negative experience to put cyber security where it belongs: at the top of the agenda, at the outset of a project. All too often, our team is called on to act as the clean-up crew, fixing vulnerabilities which could have been more easily and cheaply attended to during an earlier project stage.
Why be ‘Secure by Design’?
A ‘secure by design’ approach allows firms to identify security risks in the early stages, and remediate vulnerabilities when it is most cost and time effective to do so. Being secure by design is about proactively managing information security risk across the life of a project, in order to deliver a secure outcome for your practice.
Think of it this way: Imagine trying to retrofit seatbelts, airbags, and crumple zones to the design of your car – hardly a straightforward undertaking! When you buy a vehicle, you quite reasonably expect the manufacturer will have incorporated those safety requirements before focusing on performance and aesthetics. The same should apply when an IT system is being implemented.
The ‘Secure by Design’ process should begin at the project kick-off meeting, when solution requirements and desired business outcomes are being discussed. That way, you can ensure you’re making good security design choices and building a secure system from the ground up.
It’s worth noting that being secure by design isn’t a discrete activity – it’s an ongoing process. IT systems are not static. They’re designed, built, tested, deployed, modified and patched – and used. They have an operational lifecycle and security is vital at every life stage. The inherent risk in IT systems can never be fully eradicated, but it must be managed through monthly reporting, regular penetration testing and scrutiny of upgrades whenever the risk profile changes.
At Aura, being secure by design is considered a four-phase process. During the design phase, potential security risks are identified by software and infrastructure security architects.
The same consultants remain involved throughout the build process, to ensure systems are being implemented securely. They undertake an end-to-end penetration test prior to ‘go live’ to ensure any remaining security flaws are remediated. And during the operating phase they carry out ongoing analysis, reporting and security optimisation.
Protecting what matters
Law firms must embrace digitisation, automation and data analytics in order to survive and thrive. Those which don’t make cyber-security integral to their software and infrastructure implementations are dicing with danger. Neglecting to put rigorous defences in place opens their biggest assets – their sensitive information repositories and their good names – up to attack from cyber criminals. Once compromised, these can be difficult, if not impossible, to restore.
Tom Moore is a practice manager for Aura Information Security.