All of us who work in the legal industry were forced into a work-from-home model in early 2020, virtually overnight, and suddenly found ourselves replacing in-person meetings with Zoom. It was a paradigm shift that had been quietly underway for years but accelerated with breathtaking speed.
A rare silver lining is that most law firms were able to successfully transition to this new mode of work as the year progressed and learned a lot along the way about the now-central role of IT in law firm operations. We entered 2021 much smarter and wiser about what firms truly need in terms of physical space, technology infrastructure, and workforce collaboration.
As we look ahead to a phased-in return to normal this year, it is important to consider what that will look like from an IT perspective and what IT-related risks law firm leaders are going to have to monitor and address as part of this new normal. Based on our experience working with Am Law 200 firms, here are five key IT risks to manage in 2021.
Law firms of all sizes are now facing daily cyber attacks, many of which are succeeding. During the early days of the pandemic lockdowns last spring, Legaltech News reported that 193 law firms — including some of the most elite firms in the industry — were victims of a breach that exposed passwords, confidential documents, and even passport numbers.
An especially ominous aspect of these rising security threats is that they are often clandestine attacks launched from abroad. Many firms and their cybersecurity providers have worked to fend off a number of highly coordinated breach attempts executed against law firms by bad actors from foreign countries. These international cyber attacks are becoming more sophisticated and more frequent.
One key development that is helping law firms establish a stronger defense posture in the cybersecurity battle is the creation of a Security Operations Center (SOC). A SOC is a 24/7, fully staffed organization that monitors, prevents, detects, investigates, and responds to cyber threats in real time. SOCs have the benefit of watching multiple vectors at once and monitoring a variety of industries, which enables them to see the entire cybersecurity landscape and apply that insight to a law firm’s specific vulnerabilities. This provides a central hub for coordinated efforts to implement security measures and defend the law firm against cybersecurity attacks. Look for more firms to embrace the value of a SOC in 2021 as a way to mitigate their cyber risk.
2. Mobile Device Management
The 2019 ABA Legal Technology Survey Report found that 98.5% of all lawyers now use mobile smartphones for work-related purposes. (Among this group, 79% use iPhones, 18% use Android phones and 7% use Blackberry phones.) This means that a law firm’s digital assets are potentially being accessed at every moment of every day.
For law firm IT teams, the ubiquitous use of mobile devices to access firm networks and databases has obliterated the firm’s historical data security perimeter. This risk management reality is going to require all firms to step up their mobile device management (MDM) policies in 2021. A robust MDM platform provides numerous benefits from a security and risk management standpoint. Remotely monitoring and managing mobile devices, facilitating and controlling device updates and application availability, and enforcing security requirements are just a few of the capabilities an MDM platform provides.
A prominent example is two-factor authentication (2FA), an important security measure that requires firm employees to enter an authentication code sent to a mobile device before they can access protected information. We increasingly see bad actors attempting to obtain private user credentials for their own nefarious purposes, with one recent study finding that the unauthorized use of credentials accounted for 29% of cyber attacks in 2019. Law firms will need to manage against this mobile device risk more aggressively in the year ahead.
3. Microsoft Teams
Law firms were forced to support a geographically dispersed workforce for most of 2020, which required their IT teams to test various software tools for reliable online collaboration. After some initial fits and starts with different products, Microsoft Teams emerged as one of the leading platforms to provide that support.
Teams is a logical long-term choice because it is often embedded into a firm’s existing Microsoft software license and increasingly the collaboration platform of choice for corporate law departments. The platform supports document collaboration, task management, voice calling, instant messaging, threaded internal discussions, and video conferencing — these are the fundamental applications needed to facilitate collaboration and communication.
While the long-term trajectory is clear, in the near term firms need to be aware of the potential risks associated with the adoption of Teams and ensure their IT leaders proactively manage these risks during planning and rollout. This requires law firms to develop appropriate policies, procedures and controls within Microsoft Office 365 to ensure they are maximizing security and compliance throughout their Teams implementation. For specific insights on information governance, read my colleague Reggie Pool’s blog post on some of the governance issues related to this important challenge.
4. Employee Training
Law firm IT teams have done a good job in the past year with encouraging the adoption of technologies by their colleagues. Bloomberg’s 2020 Legal Technology Survey found there was “a marked increase in efficiencies attributed to legal tech” between March 2019 and July 2020, with a nearly 50% increase in the number of law firm respondents who felt their organization had experienced greater efficiencies through technology.
While this is encouraging, firms need to double down on the nature and content of the IT-related training they provide to lawyers and professional staff in 2021. First, this is necessary to continue maximizing the benefits of technology for purposes of law firm operations and client service. Thorough and recurring tech training is the best proven way to make sure that the firm’s professionals are getting the most from their software tools on a day-to-day basis. It also helps the firm workflow to be more efficient and improves client retention in a competitive marketplace for legal services.
Second, increased focus on employee training is also becoming more important as an IT risk management strategy. As legal professionals are aware, there is now an ethical duty for technology proficiency. In 2012, the American Bar Association amended its Model Rules to create a duty for lawyers to be competent in technology—and stay abreast of “the benefits and risks” associated with technology—and most states now require their licensed attorneys to maintain a degree of technology proficiency. Moreover, there is the specific cybersecurity risk. Routine employee mistakes in the use of technology, such as clicking on an attachment that triggers malware or failing to properly redact a document, regularly cost firms in substantial ways, ranging from financial penalties to reputational harm. Improved employee training is an important and low-cost way for firms to reduce their IT risk profile in 2021.
5. IT Supply Chain
An emerging risk is the increasingly unpredictable nature of the technology supply chain, such as the global shortage of semiconductors that accelerated in late 2020 and early 2021. This worldwide chip shortage has forced some auto manufacturers to shut down production and has caused disruption throughout various IT distribution channels, impacting the availability of everything from switches and routers to firewalls and laptops.
This newfound volatility in the IT supply chain could become an important risk for law firms to monitor as it could pose a threat to their ability to swiftly scale up their technology infrastructure in response to emerging opportunities. For example, if a firm wants to act quickly to acquire a team of lateral partners or a new practice group, it needs to be able to supply the necessary IT equipment in a timely manner. Moreover, if a firm identifies an opportunity for a merger with another firm, it needs to be confident that it will have sufficient access to the technology hardware to support that strategic growth.
As law firms return to a post-COVID working environment, there will be a wide range of IT-related risks to manage due to the “new normal” working environment, which we all realize is not going away. These risks are created by the acceleration in the shift to a chronically distributed workforce. This new operating model is how most law firms will be doing business and serving clients for the foreseeable future, to varying degrees from one firm to the next.
Perhaps the key for law firm leaders is to take a holistic approach to IT risk management: adopt the most advanced technologies that support the firm workflow in a safe and smart manner, and then apply the knowledge of how to deploy those technologies in the least intrusive way, minimizing friction in how the professionals work.
What is clear is that the year ahead will demand greater vigilance and increased collaboration with IT professionals who understand the unique organizational dynamics and business practices of law firms. For firms seeking to identify the IT-related risks that are most relevant to them, a good starting point is to seek an independent evaluation of the firm’s IT risk profile to identify threats and opportunities in 2021.