Firms must face up to IT risk

According to Charles Sandison, if you’re anything like most businesses, probably not many. In fact, he suggests “in many cases, security can be so poor that some businesses might as well put their filing cabinets on the street.”

Having worked as a commercial litigation lawyer in private practice, he has recently completed a degree in management, central to which was a thesis on legal risk management and information security.

Many of his conclusions should serve as a warning against complacency and his message is that this is an issue that firms need to deal with from the top, not leave in the hands of IT support staff.

“Information security needs to be integrated into a proper risk management policy. This includes a properly thought out disaster recovery policy. Without a partner level understanding of how the risk issues affect the firm’s business in general, there is no possibility of having effective security for critical data.”

Part of the problem is the difficulty in “making the logical leap” to understand that information stored on computers isn’t necessarily secure. “There can be a failure to grasp the concept that information may no longer be secure simply because a physical copy of that information is physically locked away.

“As the necessity to increase revenues and client base are matched by external pressures for competitive service and lower costs, the challenges facing all businesses, including law firms, becomes greater. IT is a less attractive proposition if one of the effects of implementation is to compromise organisational effectiveness.

“All too often firms make decisions to make an investment in IT without giving any consideration to security issues or they simply assume that the people they have hired to install their IT systems will implement a security policy.

“Whilst the ability to share data and connect computers undoubtedly brings benefits, there has been limited understanding of why this should necessitate any special focus on security.

“A theme common to many businesses, regardless of their industry sector, is a rushed adoption of IT in order to maintain competitive parity, as opposed to innovation. Many organisations simply have not had the time or resources to consider any risk issues raised by new technology.”

Too many firms also adopt the attitude that security is something that only affects large multinationals. “Many firms think that as they are so small in the grand scheme of things they are never likely to be the target for hackers. In fact, if they have systems storing confidential information they need to take precautions commensurate with the risk they are running.

“The effect of a security breach can be serious – either direct financial loss through fraud or indirectly as a result of systems failure, theft or corruption of proprietary information. Additional issues such as breach of confidentiality, loss of goodwill and a loss of productivity may all arise as a result of information security breaches. Research indicates that the majority of businesses tend to treat information security risk management as an “add-on”, when in fact the importance of information security cannot be overstressed.”

Sandison emphasises that information security is actually more concerned with human management, such as making sure e-mails are going to the right people. “Technology is not the solution, the problems come from people not being told what the organisation’s protocol is. There is often too much assumption that people know what to do.”

Recent surveys indicate between 40 and 60 % of businesses have suffered at least one security breach in the last 12 months, with average losses suffered sometimes reaching into tens of thousands of pounds.

“Even apparently minor breaches can cause hidden losses in terms of lost productivity.”

Attitudes to information security issues reflect a generally “glib” approach that is typical of how many firms perceive risk. “Too often the approach is ‘it won’t happen to me’ and businesses start to think about changing things only when it goes wrong.

“Firms have to think about the effects of what would happen if confidential information appears somewhere else, it could be the nightmare scenario for a firm’s reputation.

“As more reliance is placed on electronic systems, so the potential effects of a security breach become more severe. Without identification of the most important risks, firms are potentially blinded to critical risk issues. Information security requires to be driven from partner level. Anecdotal evidence from many organisations suggests that management is often not willing to accept information security as part of their remit. In many cases this attitude is only revealed in the aftermath of a security breach.”

Worse than no security policy is often the piecemeal approach. Firms might have passwords or virus checking software, but that can lead to a false sense of security, says Sandison.

“Some organisations believe that with the deployment of one or two technical solutions they have solved any security issues. Technology can only provide one part of a proper information security strategy. It will not, of itself, prevent all security breaches.

“Too much time is spent on non-critical risks. It’s important that firms keep an eye on the major risks that could put them out of business, and that’s harder with IT than traditional risks.”

Nevertheless he’s keen not to scare those considering investing in IT systems away from making that commitment. “The aim is not to have a security policy that stifles business, or impose vast levels of bureaucracy, but to give firms an idea as to how to keep confidential information as safe as they normally would. Used properly IT is of great assistance in streamlining how firms do business at a time when there’s so much pressure on fees.”

Sandison now seems to have found the natural home for his evangelical cause, having recently joined Law Society of Scotland Master Policy brokers Marsh UK as a risk consultant involved in managing risk issues resulting from new technology, including assessing how legal practices deal with information security.

“Part of the difficulty is that in other areas we have claims experience going back 20 years, like insurance, risk management operates on a historical basis, and can deploy appropriate risk management measures. But as technology moves on, new risk issues are thrown up, analogous to existing risk issues.”

Sandison’s research indicates that even pro-active solicitors are playing catch-up in IT terms.

“People might read this and think what is being said is blindingly obvious. It would doubtless be a relief to busy solicitors to believe that firms could ignore information security issues when considering risk management. This attitude can barely be sustained now and increasingly it will become an untenable position.

“The best response to the risk challenges of new technology is one that addresses all of the real security and risk issues without stifling the use of information. The real function of information should be seen as one which assists the business to effectively compete by maintaining confidentiality and reputation, whilst avoiding direct or indirect financial loss.”

For those who still prefer not to take heed of Charles Sandison’s message, then this statement issued by Norton Rose in the aftermath of Bradley Chait’s indiscretion might come in useful.

“Norton Rose takes a robust approach to e-mail abuse. The firm has clear rules that specifically prohibit the sending and receipt of non-work related material; in particular obscene, discriminatory or defamatory material and junk mail. These rules are included in the terms of employment for all our employees. Implementation of the firm’s disciplinary procedures began as soon as the firm became aware of the circumstances.”