As the legal industry embraces cloud and mobility, it also inadvertently exposes itself to security risks such as data leakage, data breaches, malicious apps, software bugs and account hijacking, to name just a few. Lawyers tend to be more concerned about getting the job done in the most efficient billing timeframe, rather than worrying about how safe it is to access the office servers to download confidential client information and files.
A major portion of a banking lawyer's job is based on extensive searches and document sharing, which leaves little or no time for complex security policies set by IT departments. In the day-to-day matters, and in an environment where higher outputs are demanded in shorter timeframes, productivity takes precedence over security. The latter is left to the IT departments and service providers to tackle.
However, in the age of the cloud, there is another new practice of shadow IT (unsanctioned use of the cloud) that takes IT departments out of the picture, potentially exposing confidential and sensitive information to significant risk. So, how can banking lawyers ensure that they can achieve their productivity goals while protecting corporate and sensitive client data from security breaches without laborious and complicated processes?
The disruptive paradigm shift
In the legal services sector, cloud technology is creating a disruptive paradigm shift. Lawyers are finding new ways to create differentiation in a highly competitive industry with offshore firms, especially from the United Kingdom and the United States, entering the Australian markets via mergers and acquisitions. As the cloud market matures, the concerns about the security of cloud-hosted data either ease or are addressed by vendors. This has helped the cloud foray into the more conservative industry sectors, such as financial, legal and government.
The increasingly mobile lawyers are now able to leverage software-as-a-service (SaaS) applications to enhance productivity, maximise billable hours and increase client interaction, thereby adding value for their clients. However, for banking lawyers, search and discovery tasks make up a bulk of time that does not add tangible value for their clients. The more innovative lawyers are, therefore, exploring and utilising new tools that facilitate agility, collaboration and productivity, avoiding cumbersome IT department approvals, the installation of hardware and the cost of constant upgrades.
Australians, in general, are becoming more mobile, with 90% of the population using smartphones or tablets by mid-2014. Mobile phones, especially smartphones, are no longer used only for calls, text messages and emails, but have become a means of collaboration, research, networking and access to social media. In March 2014, the LexisNexis Mobility Survey revealed that eight out of 10 lawyers in Australia and New Zealand are using mobile devices for work and nine out of 10 rate their mobile phone as the most important item they pack for their trip to the office, showing what an integral part of a lawyer's life mobile devices have become.
Given that mobile devices are mainly used for content curation rather than content creation, and banking lawyers heavily focus on sharing and reviewing documents, contract negotiations and extensive searches, the reliance on mobile devices is no surprise. Australian analyst firm Telsyte has reported that most organisations are already using some variant of cloud computing, with SaaS applications becoming prevalent across industries.
Even the most risk-averse players in the financial services industry -- the big four banks -- have been in the process of deploying private and hybrid clouds since 2012. Smaller banks are also making the bold move to cloud, with ING having recently moved its entire production IT infrastructure to a private cloud. Cost cutting, improvement in productivity and customer engagement have been the main drivers of cloud adoption across the banking and finance industry. In addition to these drivers, lawyers are also using the cloud for easy back-ups and faster access to information.
The risk of stormy cloud
While mobility and the cloud have fundamentally changed the way banking lawyers work, they have also brought to the fore issues about the protection and security of data. The common misconception about mobility is that mobility enables people to become more mobile. The fact is that mobility enables people to become more connected and more stationary while the data becomes more mobile.
Most financial institutions are now demanding that lawyers take reasonable steps to protect sensitive information in the face of rising threats. The high-profile breaches of 2014 have made even the most complacent organisations review and enhance their network security. The PricewaterhouseCoopers 2014 Global Economic Crime Survey for Australia ranked cybercrime in the top three threats for organisations.
In certain situations, data in motion is more vulnerable to breaches than data at rest -- that is, data stored in servers protected by firewalls and stringent IT department policies. When mobile lawyers connect to office servers and download information from their network to store on their devices, they have taken sensitive data out of a secure environment. Unless proper measures have been put in place to protect the mobile devices and data, lawyers have exposed everything they have stored on their phone to security risks.
Just imagine leaving your mobile device containing confidential emails with classified attachments in a café or taxi or on a plane. Telstra reports that over 200,000 phones are lost or stolen every year in Australia. The screen-lock passcode is not enough protection to prevent hackers from getting access to what is stored on your mobile device. With the growth of internationalisation in the past few years, banking lawyers are also increasingly engaging in cross-border collaboration when advising on and investigating extremely sensitive corporate information.
While the cloud services models comply with Australia's privacy laws, banking lawyers need to be mindful of the new Australian Privacy Principles (APPs), especially APP 8 (cross-border disclosure of personal information) and APP 11.1 (security of personal information) that put the onus of security on senders of information and the organisations they represent. These APPs hold Australian senders of information liable for the actions of overseas recipients and require organisations to take reasonable steps to protect personal information.
Three simple steps to prevent the stormy cloud
- Change your passwords very regularly
The rising use of cloud applications and services has created new opportunities for cybercriminals. Passwords are no longer adequate protection for any mobile device or for any cloud subscription service. Some of the major high-profile breaches of 2014 -- including the eBay hacking, where cybercriminals were able to steal millions of passwords -- are evidence of how easy it is to acquire passwords and how critical it is to ensure that they are changed regularly.
Hackers use a number of ways to find out passwords, including the English dictionary, names dictionaries and foreign words. In addition to changing passwords regularly, it is recommended that passwords:
- have 12 characters;
- include a combination of capital letters, numbers and symbols such as exclamation marks, asterisks or ampersands; and
- not be made of common words or names, or representative of birthdays.
In a security breach where 38 million passwords of Adobe accounts were leaked, analysts discovered that the most commonly used password of those 38 million was 123456.
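The password rules above (at least 12 characters; capitals, numbers and symbols; no common words, names or birthdays; nothing that has already appeared in a breach such as "123456") can be enforced mechanically rather than left to memory. The following checker is an added example written for this page, not code from the article or its publisher; the breached-password set and the word list are small constructed stand-ins for the real lists a firm would load from a file, and the date heuristic is an assumption about what "representative of birthdays" should catch.

```python
import re
from typing import List

MIN_LENGTH = 12  # the article's "have 12 characters" rule

# Constructed stand-in for a breached-password list. "123456" is the password
# the article names from the Adobe leak; the rest are illustrative placeholders.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome"}

# Constructed stand-in for the English, names and foreign-word dictionaries
# the article says attackers try.
DICTIONARY_WORDS = {"lawyer", "banking", "sydney", "summer", "dragon", "james", "sarah"}

SYMBOLS = set("!*&@#$%^()-_=+[]{};:,.<>?/\\|~`\"'")


def contains_date(password: str) -> bool:
    """Heuristic for birthday-like content (assumption, not from the article):
    a 19xx/20xx year anywhere, or a digit run that reads as DDMMYY, DDMMYYYY
    or YYYYMMDD. Deliberately errs on the side of rejecting."""
    if re.search(r"(19|20)\d{2}", password):
        return True
    for run in re.findall(r"\d+", password):
        if len(run) in (6, 8):
            day, month = int(run[:2]), int(run[2:4])
            if 1 <= day <= 31 and 1 <= month <= 12:
                return True
        if len(run) == 8:
            month, day = int(run[4:6]), int(run[6:8])
            if 1 <= month <= 12 and 1 <= day <= 31:
                return True
    return False


def check_password(password: str) -> List[str]:
    """Return every policy violation found; an empty list means the password passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")

    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in breached-password list")

    # Drop digits and symbols before the dictionary check so that separators
    # or digit padding ("law!yer1") do not hide a common word.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(DICTIONARY_WORDS):
        if word in letters_only:
            problems.append(f"contains common word or name '{word}'")
            break

    if contains_date(password):
        problems.append("contains a date-like sequence")
    return problems


def passes_policy(password: str) -> bool:
    """Convenience wrapper: True only when check_password finds nothing."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("123456", "Lawyer2015!", "Xq7!mR9#vLp2wZ"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The function returns the full list of failures rather than stopping at the first one, so a firm's onboarding script or self-service portal can tell the lawyer exactly why a choice was rejected. In production the two sets would be replaced by a real breached-password corpus and a proper word list, and the check would sit alongside, not instead of, the multi-factor authentication the article recommends later.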
- Secure your mobile device
Mobile devices are not secure by default. Many people have the misconception that their mobile devices are safe with the screen-lock passcode. This is not true. The only way to protect a mobile device is to ensure that some form of mobile security solution is installed. The best-known secure mobility solution is mobile device management (MDM).
This allows a device lockdown and remote wipe from the IT department of an organisation in case the device is lost or stolen, or the employee has left the firm. Most telecom service providers also offer some type of MDM solution for mobile devices and can provide advice on what will best suit the needs of the individual user.
Another way to protect the corporate data on mobile devices is containerisation. This means creating a partition between corporate data and the rest of the device. Creating a partition allows lawyers more flexibility to get on with using their personal apps and personal emails while protecting and encrypting corporate data. The container can be easily wiped out remotely without impacting the rest of the apps and data on the device.
There are enterprise solutions available for small and large firms from various vendors. Some cloud-based containerisation solutions are available at very reasonable per-user-per-month subscription costs that are well worth the investment, given the extremely sensitive nature of the data banking lawyers handle -- especially in cross-border communications.
- Be cautious with apps
These days, there is an app for pretty much anything -- except, of course, one that can make us a cup of coffee in the mornings. Most organisations are now focused on building in-house apps to enhance customer experience and allow customers to access their services from mobile devices no matter where they are. Apps such as those that allow us to annotate PDF documents on our mobile devices, share files with our clients and peers, video conference and invite people to participate in meetings enable us to get on with our jobs from anywhere, anytime. However, not all apps are secure and it's not always clear how the information stored in and passing through these apps will be used and protected.
When lawyers use unauthorised cloud services -- such as Dropbox, Skype and Viber -- to conduct their jobs, it puts sensitive information at risk since IT departments no longer have any control over monitoring the security of the data passing through these apps. If there is a need to use apps that are not built in-house, it is important to conduct proper research to ensure that those apps are secure and to implement two-factor authentication where necessary.
While the cloud makes life easy and helps lawyers increase efficiency, there is also an abundance of malicious apps around. Cybercriminals are always on the lookout for new and creative ways to get their hands on sensitive information because such information is considered digital gold, selling on the black market for a handsome sum.
In addition, we are all human and losing our mobile device or having it stolen can never be ruled out as a possibility -- no matter how careful we are. Banking lawyers, in particular, are privy to corporate secrets, major banking deals and sensitive financial information that, once leaked, can cause major -- and, in some cases, irreversible -- financial and reputational damage. Therefore, in this era of growing cloud adoption and the proliferation of apps, vigilance is the best defence.
Note: Originally published in Australian Banking & Finance Law Bulletin February 2015 Volume 31 No 1