Legal and professional services firms need to adapt their technology and security to fit new ways of working, according to a senior CISO in the sector.
During a Talking Tactics session at Infosecurity Europe 2022, Christian Toon, CISO at legal practice Pinsent Masons, pointed out that law firms are staffed by “intelligent people who get confidentiality.” Yet, that does not automatically translate into an understanding of digital risks.
Firms also face a challenge dealing with high volumes of information across multiple formats. Some courts, for example, still require paper documents with “wet” signatures. “The volume and veracity of documents have been a pain point for us,” he told session moderator Tim Deluca-Smith, CMO at CoSoSys.
Although Pinsent Masons had flexible working in place before the COVID-19 pandemic, relatively few staff worked remotely. Law firms had quite a traditional culture based around being at the office. “We are slowly working through a digital transformation, not just us but the whole sector,” he said. Nevertheless, lawyers remain wedded to printed documents. During the pandemic, the firm “had to have white vans to pick up media to get rid of it,” he recalled.
Providing secure printing to home-based lawyers was just one task Toon’s department tackled during COVID-19. The firm also provides laptops – it does not currently support BYOD – and secure facilities for sharing information. If firms do not continue to invest in these areas, he warned, they are likely to see the continued growth of shadow IT, including the use of insecure, consumer-focused sharing services.
Firms also need to monitor traffic across their networks and monitor their endpoint devices. However, this monitoring needs to be done in the context of the business. As Toon pointed out, staff might need to use USB devices or make large transfers of data outside regular hours in order to meet deadlines for court hearings.
Monitoring also needs to extend to tools such as Teams and Slack to maintain conflict of interest rules.
The firm is also finding that it needs to align its security tools with clients’ requirements. One client, for example, sends keywords for the firm to enter into its data loss prevention (DLP) software. “It is not just frameworks and standards, but the supply chain dictating it,” said Toon.