The traditional law firm business model is evolving. Increased client expectations — along with greater competition, global reach, and pressure for increased efficiency to deliver margins — have all fuelled the drive for digital transformation.
But replacing piles of files and pieces of paper with sophisticated search tools, digital case and document management, legal CRM, cloud billing and expenses systems, and online collaboration has introduced cyber risks for law firms. All respondents to the PwC Law Firms’ Survey 2020 had suffered a security incident, and the most common attack method was phishing.
The legal sector will always be an attractive and potentially lucrative target for cybercriminals. The sensitive corporate information that law firms process, the insight into mergers and acquisitions, and the personal, financial, and tax data that these firms hold make them a natural choice for both financially and maliciously motivated attacks. Because trust in relationships is such a vital part of the client/lawyer contract, preventing breaches is of the utmost importance.
In our experience, legal IT and security teams are often lean outfits. The task of reshaping law firms — often requiring infrastructure and cloud investment while ensuring optimal cybersecurity — was an ongoing challenge even before they faced the disruption of the global pandemic, which suddenly forced hundreds if not thousands of employees to work from home.
Managing the ever-increasing risk of ransomware and phishing attacks, as well as implementing strategic data loss prevention while overcoming the limitations of existing VPN networks to protect the security and productivity of a newly remote workforce, has only stretched the resources of legal IT teams.
So how can law firms’ IT teams reduce risk, promote digital innovation, and optimize security operations for a distributed workforce?
As the pandemic took hold and offices emptied, London law firm Howard Kennedy was among the global organizations working with Menlo to support their digital transformation. IT Director Tony McKenna and his colleague Jonathan Freedman, Howard Kennedy’s head of technology and security, needed to swiftly transform the way their lawyers worked together and interacted with clients. The vision was simple: “Business as usual, but not in the usual place.” This tagline has become a mantra for the firm’s overarching digital transformation efforts and ambitions.
But with pragmatic intent, the goal was incremental changes and technology for a specific purpose, rather than nebulous innovation. McKenna was eager to implement a defined transformation, avoiding a “cathedral solution–type moment” that too often fails to deliver the intended productivity gains to empower employees.
“Because we’re a law firm this year, and we’ll be a law firm next year, our focus is on continuous improvement,” McKenna says. “It’s about taking specific problems and solving them with the right technology, processes, and people, in order to deliver better value to the client.”
As a result of lawyers working from home around the world, it became clear to Head of Security Jonathan Freedman that the firm’s once-resilient data center VPN could not handle the immediate strains of hundreds of offsite terminals. As he explains, “The biggest challenge we had was the way our security was set up. We were using a full-tunnel VPN, sending all the Internet traffic back to our corporate data center, and that coincided with the enormous surge in the use of video conferencing.”
“One of the projects we’d been testing in the background was with Menlo Security,” Freedman continues. “We wanted to keep the security benefits of the traditional VPN — scanning and filtering all the traffic — but we wanted to remove any speed limitations for people working from home. Implementing Menlo’s technology platform enabled staff to use the Internet and access email without losing any of the security of our previous on-premises IT infrastructure.”
With employees and many of the cloud-based tools and applications they use in their work for clients now sited at varied locations across the globe, Howard Kennedy is just one of the law firms questioning whether their network must be managed and secured from a centralized, on-premises location that is no longer being physically used. Many law firms are now shifting security to where the work is happening — in the cloud — and realizing a variety of efficiency and productivity gains.
To establish optimal levels of document and Internet security — to eliminate email phishing, credential theft, and malware — many law firms are adopting a Zero Trust approach. Zero Trust shifts the point of execution for active content away from a user’s browser to a disposable, cloud-based virtual container. This essentially acts as a screen, preventing all active content, including exploit code, from reaching any user’s device.
Zero Trust is a natural security fit for an industry reliant on digital content and collaboration, such as the legal profession. For Howard Kennedy and other law firms, isolation is one method to establish Zero Trust within a cloud network. Web browsing and electronic documents are isolated on Menlo’s cloud and instantly tested for malicious content, before being rendered and returned safely to users’ devices.
With ongoing disruption caused by the pandemic and increasing threats from malicious attacks and ransomware, these capabilities enable organizations to secure lawyers’ day-to-day digital activities outside the confines of the corporate network. By sidestepping the need for a VPN, IT teams not only reduce the resources they need to invest in managing alerts by implementing airtight, automated digital security in the cloud, they can also reduce infrastructure costs and increase visibility and control over data loss.
For legal IT and security teams that are balancing security and productivity, isolation separates the enterprise network from public access while providing users with secure, low-latency connections to the vital resources and SaaS applications that they need. All content is rendered safely in a remote browser so that any potentially malicious code simply does not have an opportunity to execute on the endpoint. It is not “almost safe” like other security solutions; rather, it can stop malware 100 percent of the time.
IT Director Tony McKenna feels that this new Zero Trust approach puts Howard Kennedy on a solid footing as they head beyond the disruption of the pandemic.
“Our business aspiration is growth, and therefore having technology just ready to switch on in a dynamic way is a real business differentiator for us,” he says. “As we start to bring on other businesses or look at what we deliver against our strategic ambitions as a firm, we’ll be able to do that quickly and simply with the best technologies.”