That was my big takeaway from last week’s ILTACON hosted by the International Legal Technology Association. My team and I came to the annual event to talk to InfoSec pros who work at law firms. Just about all our conversations centered around to the same theme:
Law firm IT departments feel trapped.
That’s because they face two opposing demands: On the one hand, clients want their law firms to implement robust network security measures -- like blocking access to personal web content -- in order to protect privileged information. On the other hand, attorneys and staff demand access to the web in order to maintain a work-life balance.
To satisfy clients, legal IT teams are considering every option.
In one conversation, the firm was planning to turn off Web mail altogether. We’ll see how popular that decision is when it goes into effect. Another firm was playing whack-a-mole at the firewall by blocking access to some sites and putting restrictions on the type of content that can transit the Web. While not as draconian as a complete block, this approach does neuter content to the point that the websites are unusable. At the other end of the spectrum we met with a firm that is using Citrix as a method to publish a virtual browser. This is an conceptually a great idea, but in reality, it is costly and complicated.
Demands to restrict Web access are especially common with firms that serve the financial markets. Similar to healthcare providers forcing business associates to adhere to HIPAA guidelines, clients are starting to hold their vendors to the same standards that they must meet themselves. But financial service clients aren’t the only drivers. In many cases, clients have government-mandated security rules, so it follows that their legal teams must meet the same standards.
Client fears about their law firms’ security aren’t just hypothetical.
According to Bloomberg Business, 80% of the biggest 100 law firms have suffered a security breach. And last year, law firm hacks grabbed headlines when data thieves infiltrated legal networks to gain information on their clients. The stolen intel was used by the crooks to make illicit insider trades on Wall Street.
Meanwhile, law firm employees and partners don’t want restrictions on their Web access.
In fairness to employees, their Web access isn’t just for social media and casual browsing. In many cases, workers need it: Lexis-Nexis can only get them so far. Attorneys and staff often use the regular Web for research, communicating with peers on issues, and more.
Beyond that, legal staff are known for keeping LONG hours. It’s reasonable that an attorney or paralegal who’s shouldering 16-hour days will need to jump online to pay a few bills or email their spouse.
Everyone I talked to at ILTACON feels caught in this squeeze. They know they have to do something, because doing nothing creates an opportunity for hackers.
But taking drastic measures like turning off webmail or shutting down all personal Web use creates its own mess.
For starters, there’s the problem of angering everyone at the firm. Nobody wants to be the jerk who turned off the Internet. And let’s be honest, workers are a crafty bunch. If IT blocks normal Web access, employees will find workarounds. There have been many cases of employees bringing in their own un-managed devices, switching their work machines to the open guest WiFi, or even bringing their own hotspot into the office. All of these secret solutions create gaps in a firm’s network security.
What can a legal IT pro do?
Find an escape valve. The firm that was evaluating a virtual browser via Citrix was on the right path. But instead of managing the entire VDI stack and associated components, we see more firms using Silo. Silo is our disposable, cloud-based browser that gives employees Web access while protecting clients by running insulated, disposable Web sessions exclusively.
Silo’s secure, self-destructing Web sessions keeps all malicious code in a separate, virtual computer and prevents any unwanted data from persisting across sessions. Users only see a secure display of the browser session. We call it “perfect insulation.” In addition, Silo makes it easy to manage workers’ online access. Built-in URL filtering rules let you grant Web access while blocking undesirable activities (porn, gambling, etc.) and dangerous sites. If you want to ratchet up control even more, Silo gives you the option to log and audit user sessions. And if you want to extend Silo into a mainstream workflow, like revenue-side activity, Silo includes single sign-on for Web apps and policies that can enable or restrict things like copy-paste and download.
And it all comes in a centralized design. Silo lets you manage Web access and security from your own Web-based console. No more running around, installing updates on every machine’s local browser. With Silo, you get secure Web sessions that prevent users from infecting their machines, while you maintain complete control.
That’s my suggestion, but I’m interested to hear from you. Are you feeling the squeeze between your firm’s clients and your workers? How are you dealing with it? Share you feedback in the comments below.