Doing “the basics” is not enough

The landscape of IT security has shifted significantly, yet a sense of apathy remains, rooted in the scaremongering sales tactics of the past decade. Today’s reality is starkly different: every firm and individual is a potential target, and the consequences of lax security are not just damaging but potentially catastrophic, leading to public embarrassment, hefty fines, and severe business disruptions.

Alarmingly, many professional services firms are not adhering to even the basic tenets of Cyber Essentials, a fundamental cybersecurity framework. Worse still, some firms rest on the mistaken belief that compliance with such frameworks alone guarantees security. Cyber Essentials really is ‘just the basics’ – not a badge of being secure.

Technical controls like advanced firewalls and detection systems are prevalent but often give a false sense of security. The analogy of a fortress with an open back window is apt; firms have robust protections in certain areas but unknown critical vulnerabilities in others. The security measures are not as integrated and comprehensive as they should be.

A glaring gap in many firms is the absence of a solid GRC framework and an Information Security Management System (ISMS). IT security is not just about technology; it’s about ongoing processes, risk management, evaluations, reporting, and testing.

Implementing an ISMS, particularly one aligned with ISO 27001, is essential for establishing a strong cybersecurity posture. Utilising key elements of this standard can significantly bolster a firm’s defence against cyber threats, even if you don’t certify against the standard. There’s no reason why every firm shouldn’t at least have a risk register and details of the security controls associated with countering those risks. It seems odd not to do it when you understand how much sense it makes.

Despite the technical aspects of cybersecurity, the problem is not confined to the IT department; it is a challenge that must be tackled at board level. Many firms still erroneously view information security and cyber security as IT issues when they are, in fact, broad organisational concerns.

It is vital for the business and IT to have a clear understanding of the organisation’s risk posture: identifying all risks faced by the business and the controls necessary to manage them. Regrettably, this level of understanding is often absent within a number of IT and business leadership teams, leading to insufficient risk management strategies. As an example, I’d argue that a significant number of firms don’t appropriately assess the security of their supply chain. It is almost as if they’ve delegated accountability for their firm’s operation to their suppliers; that’s a big statement to make, i.e. ‘we are going to close our eyes and hope they’ve got it under control’.
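To make the risk register and control mapping above concrete, here is an added example (not QuoStar’s or ISO 27001’s own artefact). The risks, the 1–5 likelihood and impact scales, the reduction values on each control, the risk appetite threshold and the set of required categories are all constructed for illustration; the point is that a register lets you mechanically surface risks with no control, risks whose residual score exceeds what the board has accepted, and areas (such as the supply chain) the register does not cover at all.

```python
"""Minimal risk register with control mapping and a board-level exception report.

Added illustration; all risk names, scores, thresholds and categories are
constructed sample data, not a real firm's register.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # constructed: points knocked off the 1-5 likelihood scale
    impact_reduction: int = 0      # constructed: points knocked off the 1-5 impact scale


@dataclass
class Risk:
    id: str
    description: str
    owner: str          # accountable person; an empty owner is itself a finding
    category: str       # e.g. "people", "devices", "supply chain"
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (catastrophic)
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Score after controls, floored at 1 on each axis (no control removes a risk entirely)."""
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact


RISK_APPETITE = 9                                                  # constructed threshold
REQUIRED_CATEGORIES = {"people", "devices", "supply chain", "physical"}  # constructed coverage list


def register_report(risks, appetite=RISK_APPETITE, required=REQUIRED_CATEGORIES):
    """Return the exceptions a board or ISMS review would want to see."""
    return {
        "uncontrolled": [r.id for r in risks if not r.controls],
        "above_appetite": [r.id for r in risks if r.residual_score() > appetite],
        "unowned": [r.id for r in risks if not r.owner],
        "missing_categories": sorted(required - {r.category for r in risks}),
    }


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("R1", "Phishing leads to staff credential theft", "Head of IT", "people", 4, 4,
         controls=[Control("Multi-factor authentication", likelihood_reduction=2),
                   Control("Security awareness training", likelihood_reduction=1)]),
    Risk("R2", "Supplier breach exposes client data", "COO", "supply chain", 3, 5),
    Risk("R3", "Laptop lost in transit", "Head of IT", "devices", 3, 4,
         controls=[Control("Full-disk encryption", impact_reduction=3)]),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.id}: inherent {r.inherent_score():>2}, residual {r.residual_score():>2}")
    print(register_report(SAMPLE_RISKS))
```

R2 is the supply-chain risk the article describes: it sits in the register with no control at all and a residual score of 15, so it appears in both the "uncontrolled" and "above_appetite" lists; the "missing_categories" entry shows that nothing has been recorded for physical risks, which is exactly the "open back window" a register is meant to reveal.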

The issue is compounded as many IT teams are currently overwhelmed in firms. They were historically tasked with maintaining operations but are now also burdened with managing numerous transformation projects post-COVID, along with a vast information security landscape to get control of. Many are really struggling, yet the board won’t assign the necessary focus or budget to really get hold of it.

Reassessing IT Security in Professional Services

Conclusion

Professional services firms must urgently re-evaluate their approach to IT security, transitioning from outdated perceptions to a holistic, board-level governance model. This shift is critical not just for the integrity of their IT infrastructure but for the survival and competitiveness of the firm in an increasingly digitized and threat-prone world.

Resolution

In response to the demands of professional service firms, QuoStar’s CISO service has been built to manage all of the key areas highlighted, from the ground up. It’s a comprehensive support service to give the IT team and the firm’s board real confidence that they are managing cyber security appropriately and effectively. In addition, it delivers:

As we all know, the legal sector is changing and changing fast. Several emerging challenges in the sector are driving this change, namely: globalisation, shrinking margins and innovation. But whilst change can be uncomfortable, failing to adapt means you die.

This may seem like a scary prospect (and it is) but the legal sector has the advantage of not being the first to go through these challenges. The world of manufacturing has suffered from the exact same problems of globalisation, shrinking margins and innovation and what separated the winners from the losers in that sector was their ability to leverage a set of principles known as Lean.

Manufacturers who both used technology to provide a competitive advantage and understood and implemented the principles of Lean become experts at adjusting to rapid change – something that law firms have traditionally resisted. However, as the pace of change increases in the legal sector, it’s something you will need to start doing.

So, to keep you interested, how will Lean help your legal firm? In short, you’d use proven business tools and strategies to allow you to survive and thrive in shifting sands, by:

What is Lean?

Lean was born in manufacturing and was originally developed and used by Toyota engineers in the ’40s. Now, as you’d expect with continual improvement, Lean has changed and matured. Generally, today when most people talk about Lean they are talking about Lean Six Sigma. This process was developed by Motorola in the late ’80s and is still widely used in all sectors, from finance through to retail. It’s not common in the legal space, which is very bizarre.

In short, Lean was born for the ‘systematic’ elimination of waste (known as “Muda”) in a process. Lean also seeks to identify and eliminate waste caused by overburden (“Muri”) and waste created by uneven (varying) workloads. There is also a focus on “value” for the client who consumes a particular product or service. So it’s about reducing waste internally and increasing value for the client.

Here are some examples of how waste elimination can work in relation to Lean Six Sigma in a law firm. This can easily be remembered with the acronym: DOWNTIME

Now, if the potential here isn’t exciting you, you may be in trouble. If you also think you are already all over these elements, then I’ll almost guarantee that you aren’t. There is always room for improvement, everything can be improved. It’s about prioritisation. Prioritising what improvements deliver the greatest gain to the firm and ultimately the client. I’m a big believer in win-win relationships and that means the client has to be your partner, not simply a bill payer.

How does lean deliver improvements?

Lean uses the acronym DMAIC to structure improvement, generally continuous improvement, which is of course absolutely essential in a law firm in this day and age. DMAIC is always applied in the order shown below and stands for:

Define

Measure

Analyse

Improve

Control

The above obviously goes around and around in a continual cycle. It’s surprising how many firms don’t have live documented processes and procedures. If you don’t have SOPs (Standard Operating Procedures) then you are going to have to start. If you don’t have processes defined, how can you evaluate them and improve them?

Why is Lean particularly relevant in law firms?

This is the biggest issue – legal firms, in essence, are simply businesses, predominantly service businesses and consulting firms. Individually, they aren’t particularly different in what they do (although the individuals inside a firm of course have their specialisms). This means that when a client is choosing between one firm which hasn’t adopted Lean and still has a lot of waste (and thus higher costs) and another firm that has adopted Lean, the client will choose the Lean firm every time.

A significant number of law firms have been way behind the curve in innovation for a long time and some who believe they are innovative are not. Not when you look at the advanced systems, processes and structures in other sectors. To begin making some real forward change, law firms need to start at the beginning and audit their existing systems to identify waste.

For Lean to be effective, firm leadership must embrace the principles. You can’t delegate and forget – leadership must be responsible, passionate and championing the reduction of waste and continual improvement in a firm. If you don’t do this then your competition will be, or an entity that isn’t even a competitor right now will be. Change in the legal sector isn’t a threat to those who embrace Lean – it’s an enormous opportunity and one you’re missing out on right now.

QuoStar launches Legal Ignite cloud platform

We’re excited to announce the launch of Legal Ignite – our new cloud platform, designed specifically for small to mid-sized law firms. Backed by our ten years’ experience in cloud and our in-depth knowledge of the legal industry, Legal Ignite is designed to help law firms benefit from the security, scalability and convenience that cloud computing can provide.

Combining a robust mix of best-of-breed hardware and legal software, Legal Ignite has been built specifically with the legal sector in mind and can be adjusted to fit each firm’s exact requirements. It can even be delivered onsite for those firms which are wary of moving to the cloud.

Firms can use their existing software or opt for our chosen partners, for everything from time recording and practice management systems, through to CRM, email security, document management and case workflow. Other hardware and other IT related services can be delivered on a simple operating expense model.

The new cloud platform has been built to boost efficiency by being simple to use. It’s completely customisable and scalable, without compromising on security. Legal Ignite is hosted in the UK’s most secure data centres, which are operated to military standards. They also have ISO 27001 and other security accreditations and come with a 100% uptime guarantee.

Legal Ignite also offers built-in IT-manager-on-demand and CIO-on-demand services to provide law firms with board-level expertise to help them make business-focused decisions that support continual business improvement, helping your law firm make the best business decisions as new issues, priorities and challenges arise in this rapidly changing sector.

“With competition in the legal sector more fierce than ever before, firms need to employ IT systems that help them work faster, smarter and more efficiently. Cloud computing can offer all of these benefits and more – but it’s vital that firms choose a mature, custom-built cloud solution that has been developed with the specific needs of the legal sector in mind,” comments QuoStar CEO, Robert Rutherford.

“Legal Ignite ticks all of these boxes by offering an easy-to-use solution that helps firms to compete more effectively, without compromising on security. We run a 24x7x365 operation, manned by seasoned and qualified engineers, to ensure constant uptime and availability. This way, firms not only benefit from having a modern flexible IT system that can help boost productivity, but also a strong support network of industry-focused experts.”

Discover the benefits of Legal Ignite for your law firm. Book your free, no-obligation demonstration today!

Do you know how much your firm spends on printing? It’s okay, most firms don’t. Even if they think they do, it’s pretty much guaranteed that their actual spend is a lot higher. After all, there are a lot of hidden costs when it comes to print, which many people don’t consider.

Luckily it’s easy to transform this environment and straightforward to get started. MDS – or Managed Document Solutions – can help to not only reduce your print budget but help you to better understand and allocate it. Along the way you’ll also be improving processes for employees, increasing efficiency and helping your firm to become more productive.

1. Reduce the number of devices

Personal printers may seem like the cheaper option but they’re probably costing you a fortune in ink. Even worse, you have no way to track who’s spending what. Reduce the number of devices by migrating users over to larger multi-function devices (MFDs), which allow printing, scanning, copying and faxing within one machine and are also durable enough to meet the needs of several users. Less equipment means lower costs and fewer problems.

2. Create a digital environment

How many boxes of documents do you keep in your offices? What about in your offsite storage? For some firms, it’s going to be in the thousands per year. Offsite storage is an overhead which is ever increasing, plus then you have to add on the transportation costs of sending employees back and forth to collect necessary documents and the time they lose doing that. Rules-based scanning and routeing make it easy to transform your paper documents into digital ones – increasing security and search capabilities while reducing ongoing storage costs. Clients, other law firms and even courts are now accepting digital files in place of hard copies – for some a digital copy is now expected as the norm.

3. Think before you print

How many times do you print a document just to proofread it and shred it? How many times do you print an article just to read it and bin it? How often do you print a file in colour, only to realise you need it in black and white? These seem like insignificant costs individually, but if everyone follows these practices then the costs soon mount up. Detailed reports and analysis will allow you to see exactly who’s been printing what. You can break these reports down by office, department or individual to see who should be footing the bill. Some solutions can also be configured to display popup notifications when employees try to print certain documents to remind them: “do you really need to print this document?”

4. Stop printing twice

It’s a common occurrence: you finalise a document, press print and then spot a spelling mistake on the first page. There’s no way you can hand this off to a client now, but never mind because you can just print it again. Usually, when you hit print, the document is sent and printed automatically at the device linked to your computer. With a “follow-me” solution documents are held in a virtual printer queue, and are only released when a user signs in to the device and hits print. If you realise you’ve made a mistake, simply sign in and delete the document. You can also configure your device to automatically delete documents in the queue after a set time period.

5. Track the paper trail

Somewhere in your office is an employee who feels the need to print everything. You don’t know why and, more importantly, you don’t know who they are (so you can’t track them down and stop them). How much is this wasteful printing practice costing your firm? When people are aware of how much their printing costs, then the amount they print usually declines. Start tracking and analysing how much each individual is spending on printing, and share these reports with individuals.

6. Prevent colour printing

Colour is sometimes necessary but it doesn’t need to be a part of everything you print. You can’t rely on users to check that grayscale box every time they print, but you can rely on colour printing rules. Deny colour printing from certain applications, like email, automatically route jobs to a lower-cost colour printer, or prevent certain employees from printing in colour altogether.

7. Convenient Printing

MFDs can be just as convenient for users as personal printers. Centralised software means that users can print from any device on the network, as their files and documents are stored on a server and are only released once they sign in at a device. Yet the device isn’t the only thing standing in the way of convenient printing; workflows are. Custom-designed workflows will allow employees to complete their most laborious or recurrent processes in a matter of clicks, improving their day-to-day activities and reducing printer-related frustration.

8. Reduce calls to the help desk

The centralised software allows for easy maintenance, by letting administrators easily see what is happening on every device on the network, without the need for site visits. You can remotely schedule your devices to undergo maintenance, all at the same time, and ensure that each one is running the latest software version, helping decrease costly downtime. The virtual printer queue also ensures that if one device is down and unusable, employees can simply sign in at another and print from there.

9. Recover printing costs

Do you charge your clients for printing costs? So many of the old Managed Print outfits sell ‘cost recovery’ solutions and also claim firms can profit from print. Honestly, there are not many clients who will swallow this and it will generally reflect negatively on your firm. You can, however, use the technologies for understanding where you are printing, i.e. against particular matters and clients. This is useful and can potentially aid you to address costing and identify workflow and process changes to protect your margins. You should be looking to reduce print, not profit from it.

Any device where data is downloaded or stored is at risk of being accessed by a third party once it is no longer in your possession. Devices at risk range from the obvious hard disks, right through to printers.

The basic principle is: if data is written it can be retrieved unless it’s encrypted. Therefore, if you’re in an industry where your clients’ data is sensitive (which is to say, every industry), if you can encrypt the data you should always do it. Of course, you need to factor in performance overheads in relation to encryption but that is becoming less of an issue now with the entry of technologies such as solid-state disks and self-encrypting storage arrays. Encrypting data effectively removes a lot of the concerns around the disposal and/or loss of a device.

If you do have to dispose of a device then it is usually best to have it done by a third party specialist data destruction firm. However, you need to be aware that by choosing to outsource this function, you are not outsourcing all responsibility. If a client’s data were to be stolen from one of your disposed machines, it’s your brand that will be tarnished, therefore you have to do your due diligence. Assess the data destruction firm and assess your risks. Do not simply settle for a van turning up to remove the worry.

Once you identify the risks you should have them signed off at partner level and agree on a strategy to apply suitable control to minimise them. If you can follow these steps you can be pretty sure that your clients’ data and your firm’s reputation will remain safe.

Don’t think that PCs are the only source of data that can be unintentionally (or maliciously) disclosed to a third party though. You should also have security and disposal policies covering the following:

Again, all of these items can be encrypted and, arguably, they all should be if your data could cause your firm or a client embarrassment.

Risk of extortion

Never think that your information is not of interest to a third party. A large proportion of data and security breaches are now focused on blackmail and extortion. Hackers hack for money now, not simply for fun. A hacker doesn’t have to come in over the wire; getting hold of a physical device littered with information will give them extortion material and valuable clues on how to breach network defences at a later date.

Your key considerations

So, what are the key things to consider in relation to ensuring data is destroyed after its useful life? In this article, ‘destruction’ refers to physical destruction (shredding) and ‘wiping’ to cleaning the data off securely, to retain some resale value to the firm or a third party.

1. Control access

As you can imagine, if you leave a pile of hard disks or USB keys in an uncontrolled area, one could go missing. And if this happened it would be open to all risks. When you have set aside equipment for disposal, secure it away from general access.

2. Control / document assets

Make sure your asset lists are up to date so when you wish to ensure any data is destroyed you don’t miss anything. If you aren’t controlling your assets then you aren’t truly controlling the risks. When you do dispose of an asset, ensure the information is logged, including the device, serial code, how it was sanitised, by whom, when, where it went, etc. If you go to a third party it should provide you with a certification of destruction.

3. Destroy the data

If you just format or delete the data on a device it’s relatively simple to pull it back. If you want to ensure the data is irretrievable then you can use specialist tools to do so. You can start by looking at tools such as Kroll Ontrack and Blancco if you want to do it yourself. If you want to go belts and braces, encrypt the device storing the data and then run the secure erase tools. You then, of course, need to factor in the time required to undertake this work. It all comes down to how sensitive your data is.
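The two claims above (“if data is written it can be retrieved unless it’s encrypted”, and “if you just format or delete the data on a device it’s relatively simple to pull it back”) are easy to see on a simulated disk. The following is an added example and not code from the article or from any of the tools it names. It models a block device as a byte array plus a directory: deleting a file or quick-formatting only touches the directory, so the old bytes are still there to be carved out; overwriting (what a secure-erase tool does) removes them; and keeping the data encrypted at rest means the raw bytes never contained anything readable, so discarding the key (“crypto-erase”) is enough. The keystream here is a toy built from SHA-256 in counter mode purely to keep the example dependency-free; it is not a recommendation of a cipher. One real-world caveat the simulation cannot show: on SSDs the controller remaps blocks, so a single overwrite pass from the host does not reliably reach every copy, which is why the article’s “encrypt first, then run the secure-erase tools” advice matters in practice.

```python
"""Simulated disk showing why delete/format is not erasure, and why encryption plus
key destruction is. Added illustration; the disk, the file contents and the toy
keystream are all constructed for this example.
"""
import hashlib
import os

BLOCK = 16  # constructed block size for the toy device


class ToyDisk:
    """A flat byte array plus a directory, the way a simple filesystem lays data out."""

    def __init__(self, blocks=64):
        self.raw = bytearray(BLOCK * blocks)
        self.directory = {}   # filename -> (offset, length); delete/format touch only this
        self.next_free = 0

    def write(self, name, data):
        offset = self.next_free
        self.raw[offset:offset + len(data)] = data
        self.directory[name] = (offset, len(data))
        self.next_free += -(-len(data) // BLOCK) * BLOCK   # round up to the next block

    def read(self, name):
        offset, length = self.directory[name]
        return bytes(self.raw[offset:offset + length])

    def delete(self, name):
        del self.directory[name]         # the bytes on the platter are untouched

    def quick_format(self):
        self.directory.clear()           # same story: only the allocation table goes
        self.next_free = 0

    def carve(self, needle):
        """What a recovery tool does: scan the raw bytes, ignoring the directory."""
        return self.raw.find(needle) != -1

    def wipe(self):
        """Overwrite every block (what a secure-erase tool does), then format."""
        self.raw[:] = bytes(len(self.raw))
        self.quick_format()


def keystream(key, offset, length):
    """Toy position-dependent keystream (SHA-256 in counter mode); NOT a real cipher."""
    first, last = offset // 32, (offset + length - 1) // 32
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(first, last + 1))
    start = offset - first * 32
    return ks[start:start + length]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


class EncryptedDisk(ToyDisk):
    """Same device, but everything is encrypted before it reaches the raw bytes."""

    def __init__(self, key, blocks=64):
        super().__init__(blocks)
        self.key = key

    def write(self, name, data):
        super().write(name, xor(data, keystream(self.key, self.next_free, len(data))))

    def read(self, name):
        if self.key is None:
            raise RuntimeError("key destroyed: ciphertext is unrecoverable")
        offset, length = self.directory[name]
        return xor(super().read(name), keystream(self.key, offset, length))

    def crypto_erase(self):
        self.key = None   # the raw bytes remain, but nothing can turn them back into data


SECRET = b"CLIENT FILE: settlement terms for matter 0001"   # constructed sample content
NEEDLE = b"settlement"


def demonstrate():
    """Run the four scenarios and return what a recovery tool would find in each."""
    plain = ToyDisk()
    plain.write("matter.txt", SECRET)
    plain.delete("matter.txt")
    after_delete = plain.carve(NEEDLE)
    plain.quick_format()
    after_format = plain.carve(NEEDLE)
    plain.wipe()
    after_wipe = plain.carve(NEEDLE)

    enc = EncryptedDisk(os.urandom(32))
    enc.write("matter.txt", SECRET)
    readable_with_key = enc.read("matter.txt") == SECRET
    carved_from_encrypted = enc.carve(NEEDLE)
    enc.crypto_erase()
    try:
        enc.read("matter.txt")
        readable_after_crypto_erase = True
    except RuntimeError:
        readable_after_crypto_erase = False

    return {
        "recoverable_after_delete": after_delete,            # True
        "recoverable_after_quick_format": after_format,      # True
        "recoverable_after_wipe": after_wipe,                # False
        "encrypted_readable_with_key": readable_with_key,    # True
        "encrypted_carvable": carved_from_encrypted,         # False
        "readable_after_crypto_erase": readable_after_crypto_erase,  # False
    }


if __name__ == "__main__":
    for scenario, recoverable in demonstrate().items():
        print(f"{scenario:>32}: {recoverable}")
```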

4. Destroy the device

In some circumstances, the data is so sensitive that the entire device should be destroyed, shredded in fact. Generally, you would outsource this, but you can also buy the specialist equipment to do it yourself. Typically memory and hard disks are shredded, and other parts of the device sold on to retrieve precious metals. There are strict environmental guidelines on disposal of equipment so be sure to familiarise yourself with the current regulatory requirements if you do it yourself.

5. Destroy it quickly

Once you have identified equipment to be disposed of or wiped, then do it quickly. The longer devices hang around, the more chance they will fall out of control or go missing. You would typically expect to have a periodic destruction cycle or pick-up if using a third party.

6. Have a process

Ensure you have a documented process for the destruction of data and devices as required. If you don’t have a rigid structure, things can and will slip through. Generally, legal firms can’t risk that happening so controls and processes must be put in place and followed. Failure to follow procedures must have tough disciplinary repercussions.

7. Check third parties

If you are outsourcing the destruction of data and devices to a third party then ensure that you are careful in your choice. There have been press reports of devices turning up on sites like eBay with very sensitive data on them, even on a printer’s internal flash disks. So, when choosing a service provider, you should be looking for companies with ISO 27001 and ISO 14001 certification as a bare minimum. Also, it helps if they are certified to destroy MOD equipment, e.g. CESG and MOD approved. The higher-end secure destruction firms will also have equipment they can bring to your premises, or premises you can visit to witness the destruction of your data devices.
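Points 2, 5 and 7 above all come down to one record per retired asset and a few checks run over the whole list. The script below is an added example, not QuoStar’s process or any product’s schema: it keeps the fields the article lists for a disposal log (device, serial, how it was sanitised, by whom, when, where it went) and flags records that are incomplete, use a method outside the (constructed) approved list, have sat waiting for disposal longer than the (constructed) 30-day window, or went to a third party without a certificate of destruction on file. The sample records, asset tags and vendor name are constructed placeholders.

```python
"""Asset disposal register with the checks a periodic review would run.

Added illustration. The approved-method list, the pending-days limit and all
sample records are constructed, not taken from any real firm or policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

APPROVED_METHODS = {"crypto-erase", "secure-erase", "shred"}   # constructed policy list
MAX_PENDING_DAYS = 30                                          # constructed disposal window


@dataclass
class DisposalRecord:
    asset_tag: str
    device: str
    serial: str
    retired_on: date                        # date the asset left service
    method: Optional[str] = None            # how the data was sanitised; None = still pending
    performed_by: Optional[str] = None
    performed_on: Optional[date] = None
    destination: Optional[str] = None       # e.g. "in-house shredder" or the vendor's name
    third_party: bool = False               # sanitised/destroyed by an outside firm?
    certificate_ref: Optional[str] = None   # certificate of destruction reference


def audit(records, today):
    """Return (asset_tag, problem) pairs for every record that fails a check."""
    findings = []
    for r in records:
        if r.method is None:
            # Point 5: retired kit that is still hanging around is the risk.
            age = (today - r.retired_on).days
            if age > MAX_PENDING_DAYS:
                findings.append((r.asset_tag, f"awaiting disposal for {age} days"))
            continue
        if r.method not in APPROVED_METHODS:
            findings.append((r.asset_tag, f"unapproved sanitisation method {r.method!r}"))
        # Point 2: the log is only useful if every field is filled in.
        for field_name in ("performed_by", "performed_on", "destination"):
            if getattr(r, field_name) is None:
                findings.append((r.asset_tag, f"missing {field_name}"))
        # Point 7: outsourcing the work does not outsource the accountability.
        if r.third_party and not r.certificate_ref:
            findings.append((r.asset_tag, "no certificate of destruction from third party"))
    return findings


# Constructed sample register.
SAMPLE_RECORDS = [
    DisposalRecord("A1", "laptop", "SN-0001", date(2024, 1, 10), "crypto-erase",
                   "IT team", date(2024, 1, 12), "resold"),
    DisposalRecord("A2", "MFD internal disk", "SN-0002", date(2024, 1, 5)),
    DisposalRecord("A3", "USB key", "SN-0003", date(2024, 2, 1), "quick-format",
                   "IT team", date(2024, 2, 2), "in-house bin"),
    DisposalRecord("A4", "server disk", "SN-0004", date(2024, 2, 10), "shred",
                   "EXAMPLE-VENDOR (placeholder)", None, "EXAMPLE-VENDOR (placeholder)",
                   third_party=True),
]

if __name__ == "__main__":
    for tag, problem in audit(SAMPLE_RECORDS, date(2024, 3, 1)):
        print(f"{tag}: {problem}")
```

Run against the sample data on 1 March 2024, the register comes back with A2 still pending after 56 days, A3 sanitised by a method the policy does not accept, and A4 sent to a third party with no completion date and no certificate; A1 is complete and produces nothing, which is what a clean record should look like.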

8. Communicate and review

Once you have a process and policies in place in relation to wiping and destruction of data and devices, ensure that they are communicated and clearly understood. Make sure all relevant areas of the company understand their roles. Also, once created, don’t just forget about the policies and processes; review them at least annually. Your assets will change, as will the risks. Ensure that you review them regularly and know what they are.

Security is changing

As we look back over this tiny area of IT security, the case for ISO 27001 is becoming more and more important in law firms. The risk of a security breach of any kind can have serious implications more so now than ever before. ISO 27001 will give a firm a framework to identify all risks and assign appropriate controls to mitigate them. It will also give your firm a continual improvement methodology that will deliver gains year on year. It should also be noted that many clients are now demanding ISO 27001 certification as a standard before instruction.

As a final note, just do remember that your data is of interest to many people. Don’t take risks, or at least don’t take them without informed sign-off from your firm’s partners.