Safeguards: more than 60% of law firms polled say they are unfamiliar with Law Society guidelines on Internet security

Law firms are failing to address certain key IT security issues because of a lack of push from clients, the Law Society and from within, it has been claimed.


According to market research conducted for this year's Software Solutions guide, to be sent out next week by the Society, more than six in ten firms quizzed said they were either unfamiliar with the Law Society's e-mail guidelines or were not aware of them at all.


These e-mail guidelines are the primary IT security advice issued by the Society and this lack of awareness is, according to some industry insiders, just the tip of the iceberg.


Research last year by NOP for IT security firm Evolution also found that, of the 100 legal practitioners questioned, one-fifth said their firms had no documented IT security policy. More than a quarter said they never change their passwords.


These types of security gaps are down to several factors, according to legal IT vendors and IT professionals in law firms. Some of the main problems spring from a lack of education about the more esoteric aspects of IT security, a lack of drive towards IT accreditation, and a lack of arm-twisting by the Law Society.


'The Law Society needs to give more guidance and law firms need to pay more credence to the security of their clients' information,' said one ex-head of risk at a magic circle firm, who requested anonymity. 'While firms are willing to spend money on tangible security controls (up to a point - the standard ones that everybody understands like firewalls and anti-virus), I know of none that spend any real money on awareness or security education.


'The fact is that helpdesks do the best they can and are sometimes in between a rock and a hard place trying to please very awkward customers. Common sense does not always prevail under pressure.'


Social engineering attacks - the IT world's equivalent of a con-trick used to gain access to buildings and systems, for example by someone posing as an employee to obtain a password - are by far the most difficult to counter. But firms are not addressing how easily they can be carried out or their potential impact.


'Many [smaller firms] have the misconception that security is purely an IT issue, and so it rests upon the IT department's shoulders,' said Sam Luxford-Watts, IT manager at Winckworth Sherwood in London. 'These departments tend to be run fairly lean, with members assuming many roles and skills. The result is that the technical problems get solved quickly.


'But structured approaches to addressing naivety, social engineering attacks and awareness may not be addressed to the same degree as some of the larger firms who have entire teams dedicated to the task.'


Mr Luxford-Watts is of the opinion that law firms should look at getting industry-recognised accreditation, such as ISO 27001, as a way of solving their biggest security challenges.


He is not alone. But if clients do not push for better standards, the impetus needs to come from other quarters. 'Accreditation... is not something that is being driven by legal clients in general,' said Kevin Goosman, IT business services manager at regional firm Cobbetts. 'This has been Cobbetts' experience, although the move towards greater standards and accreditation within the professional services industry as a whole may lead to more client requests for BS7799 or similar accreditation in the future.'


None of this means bigger firms necessarily steal a march on smaller ones in technological innovation and security. Quite the opposite, according to Fiona Ives, who until last week was head of infrastructure at national firm Eversheds.


'I don't agree that they will find it harder to match up to external standards,' said Ms Ives of smaller law firms. 'They may not get the budget, but they might be able to change. It's often easier to effect change in small organisations.'


Ms Ives said she personally backed the move towards accreditation, but said that this could not be blindly applied. 'You have to look at the organisation,' she argued.


Ron Condon, editor of Secure Computing magazine, was sceptical about how active law firms are really being. His thoughts on a recent law firm round-table discussion on IT security were far from glowing.


'It was impossible to escape the feeling that the law firms are doing the least they can get away with,' Mr Condon said. 'They admitted that secure document management had only come about because customers were insisting on it. Their attitude seemed very reactive, and I fear it will take a high-profile security breach to force any radical change in the way they do business or guard information.'


Some say this reactivity is reflected in the Law Society's approach to advising lawyers. Phil Millo, head of Evolution and a long-time IT consultant, thinks the Society should use its power as a regulator to push forward IT security reform in law firms.


'As regulator, the Law Society should go much further [than voluntary guidelines], publishing a comprehensive security standard for the legal profession that is correct, broad, tiered, and enforced,' he said. Of course, an IT security vendor might be thought to have a special axe to grind, but his call for a broader brush is echoed by the greater scope of the latest guidelines from the Council of Bars and Law Societies of Europe (CCBE), for example, which incorporate advice on digital signatures and are dubbed 'E-communications guidelines'.


A spokeswoman for the Law Society said it is 'addressing IT security issues' and 'new guidelines on data protection and information security are in the course of development'.


It certainly seems law firms need good advice on other areas of IT use - informally, IT systems vendors say that at least one in ten firms would be unable to restore their back-up tapes in the event of a disaster.


And, though 65% of firms questioned in preparing the Software Solutions guide said they had a disaster recovery plan, half of the respondents did not know what percentage of their overall overheads went on IT.


Link: www.it.lawsociety.org.uk