Computers, Servers and Clouds: Law Firms Surviving In the Wonderland Age of Computers, COVID, Subscriptions and Cyber Risk
Managing a defense litigation firm has always been challenging – often leaving me with a feeling that I was walking along the Yellow Brick Road in Wonderland and The Wizard of Oz. I remember being in my offices in West Lake Village, North Hollywood, Irvine and Woodland Hills arguing with staff, lawyers and partners about the transition from typewriters to memory typewriters and then large floppy disks to small floppy disks. Change is always difficult.
Those same feelings resurfaced when we were discussing our limited in-house and on-site servers and whether to go to a cloud network – prior to COVID. The desire to have central control and ability for remote access sounded interesting but a little scary and expensive. At the time we had little comprehension of just how much would be at stake even with a “thinkology degree” from the Universitartus Committiartum E Plurbis Unum.
After a lot of internal complaining about costs, inconvenience and monthly payment plans – and some consultation with Electro America – we took the jump and upgraded computers and went offsite with a cloud even though the technology scared us a little. But to quote The Wizard of Oz – “Frightened? Child, you’re talking to a man who’s laughed in the face of death, sneered at doom, and chuckled at catastrophe. I was petrified.”
None of this could have happened without the guidance and hand-holding of our friends at Electro America and their law firm IT/Network expertise and to this day we strongly recommend that any law firm seeking to migrate or change retain a trusted and knowledgeable network management firm to guide you along the way. Back pre-COVID these computer and network discussions – often with other lawyers and law firms with limited knowledge and experiences – resulted in a lot of conflicting opinions and recommendations which seemed to confirm what the Scarecrow said in OZ – “some people without brains do an awful lot of talking … don’t they?”
Not to mention that interviewing a plethora of computer professionals or engineers – each with their own sales pitch – was a painful process. The “worst” of these pitches was to simply cede total control over our systems to the contract vendor and “pay no attention to that man behind the curtain.” Thankfully we eventually remained in complete control and found a partner to help direct our systems and network.
By the time of the COVID shutdown we were already 90 percent there – a little short on confirmed personal home computers for everyone – but totally cloud based and accessible remotely including TABS, Word and Practice Master.
We were lucky.
But we learned how important it is to have coordinated programs among new and old software all working with backup and redundancy and with solid security features including multi-factor authentication.
While part of me resents how business software programs and cable television/movies have transitioned everyone from traditional owned systems to a never ending set of subscriptions – there have been some benefits to the operation of our law firm.
We also learned that memory, training, capacity and WiFi strength are fleeting and transitional in this new world and require constant attention and updates along the way. But it is an increasingly more expensive proposition.
But once we accepted that reality we learned to appreciate that evaluating systems and hardware regularly (preferably with a long-term management plan and budget) and consulting with our system team at Electro America periodically is crucial. Planning for updates and system improvement helps us budget and plan and balance between wasteful spending and being prepared for the next stage of computers – all of which seem to be on a five to eight year aging timeline.
Law Firms have a unique obligation when it comes to security and access especially with the new norm of remote access and shared databases. With professional and support staff engaged in some version of 3 or 4 days in and 1 or 2 days out we are clearly a different business than before COVID.
Personally, I believe that Zoom meetings and access – whether for office working, depositions or court appearances – is wonderful. But there is a tangible loss. The collegiality and teamwork that comes from being at the office at the same time and the personal relationships that come from a traditional practice cannot be replaced by screen shots and video. But we believe that we have managed the competing interests, security and risks and are a better firm for this exercise.
But none of this would have been possible without a plan for management of data and communications and having a partner in this endeavor. With future consolidation of networks and clouds like Microsoft – it will be even more important that law firms retain some independent backup and server control including an ability to return to operations when the inevitable shutdown happens with a national cloud like Microsoft. Complacency as we head towards 2024 is no longer an option.
I also will never forget how, after the Northridge Earthquake (I was working in North Hollywood and living in Woodland Hills in those days), law firms whose buildings were demolished with their on-site servers in them had to borrow our conference rooms and recreate their files manually because they did not have offsite backups. And it was before cloud networks were the norm. But today’s cloud with a back-up can prevent that from happening again – and that is good!
Furthermore, in today’s litigation world you have to have superior E-Discovery software – either within your Cloud/Network programs or through outside software of which there are many such as LexisNexis, Exterro, Nextpoint, Everlaw, Cloud Nine, Casepoint Pvt. Ltd, Logikcull, Lexbe, Relativity, Hanzo and a host of others. Email has, in many ways, complicated discovery and the push/pull of native format discovery and searches versus pdf or static searches will be an issue for businesses, firms and courts for the foreseeable future. While the Federal Courts have in place some proportionality requirements and provisions – Judges still seem to favor productions over bars. State Courts across the country, including New Jersey, New York and California, have similar concepts and procedures but again are biased in favor of productions. So we have to struggle through this process.
E-Discovery also means that businesses and employers, both large and small, will need to carefully manage and preserve their emails and attachments in order to meet their direct or informal Litigation Hold, Preservation of Evidence and discovery obligations. In fee-shifting areas of practice such as employment/labor law this will require diligence, training and policies and procedures. This topic is very large and could be a topic all by itself in a later blog.
When you consider your firm’s status as to cloud and remote access with security (such as three-factor authentication and layered and secured back-up restoration) remember that proper prior planning prevents piss poor performance. It really does. This is one of those times when being pro-active is crucial to both business and ethical responsibilities.
For small and large law firms – IT/Computers and Network considerations (and expenses) need to be evaluated, recognized and acted upon regularly. Law Firms tend to fail with these tasks. This will become even more important as we see companies like Microsoft start to exercise their clout/control and start to require that users of their programs also migrate their Cloud and remote access systems through a Microsoft owned Cloud network on a subscription basis.
As mentioned, our preferred contractor/team member for this exercise has been Electro America. With their designed/engineered, installed, managed, monitored and segregated private off-site server and with 24/7/365 help via phone or Team Viewer we have been able to maintain a safe and secure virtual desktop infrastructure which has allowed our employees/professionals to work from absolutely anywhere – whether from home, RV, vacation home, out of state and even out of country. And during COVID that flexibility and prior planning allowed us to continue to perform professionally for all of our clients and carriers while complying with our own Cyber and PL policies of insurance as to security of communications, data and documents and also comply with all of our corporate client’s individual guidelines and requirements.
With our sophisticated multi-layered security and software systems, including Mimecast and others, we have been able to stay abreast of current requirements for HIPAA, HITECH and the RPCs and maintain a solid business continuity and disaster recovery system the equal of businesses much larger than Garrity Graham Murphy Garofalo & Flinn.
At Garrity Graham Murphy Garofalo & Flinn we have a selection of professionals who work by typing their own documents, dictating their work product and a host of processes in between even including a few handwriting lawyers who are leaving the 1970’s grudgingly. But, while we encourage their listening to 1970’s through 2000 rock and roll (classics as they are called now!) we are pushing people into the new generation of everything from computers, dictation, smart pens and tablets. Of late we have been using Olympus Digital Dictation Systems which allows for remote uploading so that any support staff can see the work queue and assist any attorney. With only minimal glitches, we have experienced this process positively. However, we are not a fan of these new writing/drafting programs and do not employ them and require old-fashioned direct creation of work product as supervised by our partners.
We have also played with a variety of document management systems such as Practice Master and Worldox and integration with the more specifically tailored E-Discovery software/subscription programs allowing for efficient document management and recall as well as superior trial and appearance presentation of documents. Today – even moderate sized firms can quickly expand to the needs of any complex case and easily compete with the 1,000 lawyer firms who charge significantly higher hourly rates. We are considering changing or adding programs in this area and if you and your business or firm have had positive or negative experience with one of the many options out there – please respond and let us know.
On the billing front we have to be prepared to individually bill clients and small business while also being able to accommodate insurance companies and TPA’s or corporate legal departments with monthly/quarterly computer or third party vendor billing. As a result, the aggregate of our security programs, software and network programs are integrated, secure and monitored to assure fair, accurate and compliant billing for a variety of guidelines.
We recommend management software and off-site professional monitoring which allows the Law Firm to monitor the health and status of its servers, workstations, and other network components. Proactive monitoring finds small problems before they become huge calamities – saving hours of downtime and frustration. We also suggest having a tailored email policy which is very difficult in this modern age. Electro America has reminded us that using company email addresses for personal use puts businesses at risk and therefore requires some controls and policies. The issue has been bantered back and forth over the years as to whether to allow business email for personal use and how to deal with cell phones which access multiple email accounts. It is difficult in this modern carry-it-with-you age. But we do appreciate that email credentials may be inadvertently compromised exposing the firm and its clients to:
Account hijacking: When hackers have both the email address and password for an email account, they are able to change the password and take over the account. They can then use the hijacked account to carry out malicious activities, such as sending spam and distributing malware.
Spear phishing attacks: Cybercriminals often use compromised email credentials in spear phishing attacks. For example, in June 2016, hackers sent spear phishing emails to corporate executives in Germany. To create these emails, the cybercriminals used email credentials and other information (e.g., person’s first and last name) obtained from the 2012 LinkedIn data breach, according to Germany’s Computer Emergency Response Team (CERT-Bund).
Credential stuffing attacks: Since people tend to reuse passwords, hackers sometimes launch credential stuffing attacks, especially if they obtain a large number of credentials from a breach. In this type of attack, distributed botnets try using the credentials on high-value websites. This automated testing is done slowly using many different IP addresses to avoid setting off alerts (e.g., three unsuccessful login attempts) that could expose the attack.
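The credential stuffing pattern above is built to stay under per-account alerts such as "three unsuccessful login attempts", so the monitoring has to look across accounts. The following Python sketch is an added example, not code from the firm or from Electro America; the event layout, thresholds and sample log are constructed for illustration. It shows a per-account rule staying silent on a slow, distributed run while a cross-account rule fires.

```python
from collections import Counter
from datetime import datetime, timedelta

def build_sample():
    """Constructed login events: (time, source IP, account, succeeded).
    IPs come from the RFC 5737 documentation ranges."""
    t0 = datetime(2023, 1, 10, 9, 0)
    events = []
    # Low-and-slow run: 12 accounts, one failure each, a new IP every 4 minutes.
    for i in range(12):
        events.append((t0 + timedelta(minutes=4 * i),
                       f"203.0.113.{10 + i}", f"user{i:02d}", False))
    # Ordinary noise: one employee mistypes twice, then logs in.
    for minute, ok in ((5, False), (6, False), (7, True)):
        events.append((t0 + timedelta(minutes=minute), "198.51.100.7", "jsmith", ok))
    return sorted(events)

def per_account_alerts(events, threshold=3):
    """Classic rule: alert on `threshold` consecutive failures for one account."""
    streak, alerted = Counter(), set()
    for _, _, user, ok in events:
        streak[user] = 0 if ok else streak[user] + 1
        if streak[user] >= threshold:
            alerted.add(user)
    return alerted

def spray_alert(events, window=timedelta(hours=1), min_accounts=10, min_ips=5):
    """Cross-account rule: within a sliding window, alert when failures touch
    many distinct accounts from many distinct IPs. Returns the first hit or None."""
    failures = [(ts, ip, user) for ts, ip, user, ok in events if not ok]
    start = 0
    for end in range(len(failures)):
        # Drop failures that have aged out of the window.
        while failures[end][0] - failures[start][0] > window:
            start += 1
        in_window = failures[start:end + 1]
        users = {user for _, _, user in in_window}
        ips = {ip for _, ip, _ in in_window}
        if len(users) >= min_accounts and len(ips) >= min_ips:
            return {"start": failures[start][0], "end": failures[end][0],
                    "accounts": len(users), "ips": len(ips)}
    return None

if __name__ == "__main__":
    sample = build_sample()
    print("per-account alerts:", per_account_alerts(sample))
    print("cross-account alert:", spray_alert(sample))
```

The thresholds need tuning against the firm's normal failure rate, since a password-expiry day can also produce many failing accounts at once.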
Accordingly, we have strong layers of protection and monitoring through Electro America, including multi-factor authentication, limited download capacity, Zoom access only outside of the network and a variety of other protections designed to protect against the front and back door risks. However, we are aware that no system is perfect and that risks exist – but we are in the risk management business and with strong controls, supervision and Network team members like Mimecast and Electro America, we continue to put people first and get the job done. Computers and programs are wonderful – but it will be people using common sense that will make the difference.
Some of the operational lessons learned by Garrity Graham Murphy Garofalo & Flinn include taking reasonable precautions to protect our wireless, office network and cloud servers and among those tasks which seem to have helped are:
1. Use a Strong Password for Your Wireless Router’s Administrator Account
Many wireless routers ship with a default password for the administrator account. It is important that you change the default password to a strong one that is at least eight characters long. The password should include uppercase and lowercase letters as well as numbers (but not in a predictable pattern). When possible, you should also include special characters, such as dollar signs and asterisks. We encourage this with remote employee home networks as well as our Cloud network for the business.
2. Change Your Wireless Router’s SSID
A wireless network’s name is called a service set identifier (SSID). Many vendors ship their wireless routers with the same default SSID. Keeping the default SSID might signal to a hacker that your wireless network is not properly configured and vulnerable to attack. Because of this, you should change your network’s SSID to a unique name.
3. Make Sure Your Wireless Router’s Firewall Is Enabled
Most wireless routers have built-in firewalls, but sometimes they ship with the firewall turned off. You may need to make sure that your router’s firewall is turned on. It is important to check on this with your IT service provider, especially if you have firewall hardware. They can help you determine whether everything is properly configured. We recommend that the Law Firm request confirmation from each employee and firm Network accessing port (cell phone/laptop/tablet/desk computer). If the employee’s access points do not have sufficient software protections the Law Firm should install the same. Machines found to be lacking in protocols must be ultimately denied remote access.
4. Use WPA2 for Wireless Communications
Every wireless router offers encryption. Encryption scrambles your data and makes it unreadable, except by the recipient. Three common encryption protocols are Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access 2 (WPA2). Using WPA2 is best because it employs the hardest-to-crack encryption algorithm. If you have an older router that does not support WPA2, you can use WPA. Do not use WEP as it is outdated and easily hacked. Again, the Law Firm’s IT department manages and reviews access points with remote capacity and we also employ Mimecast software with its disaster recovery and secure data/transmissions protections which we are satisfied are among the best available.
5. Disable WPS If You Are Using a Consumer-Grade Wireless Router
It is not uncommon for businesses to use consumer-grade wireless routers. These routers often include Wi-Fi Protected Setup (WPS), which provides a user-friendly front-end for encryption protocols such as WPA2. With WPS, users can connect a device to a wireless network by simply pushing a button or entering a personal identification number. However, hackers can exploit a vulnerability in WPS to gain access to wireless networks. So, if your wireless router supports WPS, you may want to disable it.
6. Disable Your Wireless Router’s Remote Management Feature
Many wireless routers have a feature that lets you manage them from a remote location. Unfortunately, it often leaves routers susceptible to attacks. For this reason, you should disable remote management if you do not need to use this feature. We recommend that employees accessing the Network follow safe practices.
7. Make Sure Wi-Fi Sense’s Network-Sharing Functionality Is Disabled on Windows 10 Devices
Windows 10 and Windows 10 Mobile include a feature called Wi-Fi Sense. Besides helping users find open Wi-Fi hotspots, this feature lets them share their Wi-Fi networks, without sharing those networks’ passwords. Users can share their Wi-Fi networks with their contacts from Facebook, Skype, and Outlook.com. However, users cannot specify individuals within a group (e.g., within Facebook) — the network is shared with all the contacts in that group. Although the contacts can only use the network to get online, you might not want your employees sharing your business’s wireless network. If that is the case, you need to make sure Wi-Fi Sense’s network-sharing functionality is disabled on your Windows 10 and Windows 10 Mobile devices.
8. Consider Using MAC Address Filtering
Each device that is able to connect to a Wi-Fi network has a unique ID called a Media Access Control (MAC) address. You can configure your wireless router to check the MAC addresses of devices trying to connect to it, allowing connections only from the devices it recognizes. Admittedly, it takes time and effort to enter the MAC addresses of all the devices allowed to access your wireless network, but your network will be more secure.
9. Keep the Wireless Router’s Firmware Updated
Every wireless router has firmware. Firmware is software that gives the device its functionality. Like any other type of software, firmware sometimes has bugs or security vulnerabilities. When you keep your wireless router’s firmware updated, known bugs and vulnerabilities are fixed, making your router more secure. For us, Electro America monitors for regular updates (preferably during non-prime-time working hours) and provides reminders and periodic checks for those working remotely. At present many attorneys and some staff work three or four days in the office and the rest from remote access. So it remains a work in progress.
10. Log Out of the Wireless Router’s User Interface
Most wireless routers have a browser-based user interface, which people use to configure router settings. If you leave this interface open and someone gets access to your computer, your router is vulnerable. Thus, you should always log out when you are finished configuring the router.
11. Protect the Computers That Access Your Wireless Network
Despite your best efforts, hackers may still infiltrate your wireless network. For this reason, you need to use anti-malware software on all the computers that access your wireless network. In addition, you need to keep those computers’ operating systems and applications updated so that known bugs and security vulnerabilities are patched.
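A checklist like this is easier to enforce when each office or home router is recorded and checked the same way. The Python sketch below is an added example, not the firm's or Electro America's tooling; the record field names and the two sample routers are constructed. It applies the password rule from item 1 and the settings from items 2 through 6 and 9, separating findings that should block remote access from advisory ones.

```python
import re

def predictable(digits):
    """True if any three consecutive digits ascend, descend or repeat (123, 987, 000)."""
    for i in range(len(digits) - 2):
        a, b, c = (int(ch) for ch in digits[i:i + 3])
        if b - a == c - b and b - a in (-1, 0, 1):
            return True
    return False

def audit(router, admin_password):
    """Return (blocking, advisory) findings for one router record.
    The password is checked in memory only and is not part of the stored record."""
    blocking, advisory = [], []
    if len(admin_password) < 8:
        blocking.append("admin password shorter than eight characters")
    if not (re.search(r"[a-z]", admin_password) and re.search(r"[A-Z]", admin_password)):
        blocking.append("admin password lacks upper- and lowercase letters")
    runs = re.findall(r"\d+", admin_password)
    if not runs:
        blocking.append("admin password has no numbers")
    elif any(predictable(run) for run in runs):
        blocking.append("admin password numbers follow a predictable pattern")
    if not re.search(r"[^A-Za-z0-9]", admin_password):
        advisory.append("admin password has no special characters")
    if router["ssid"] == router["factory_ssid"]:
        blocking.append("SSID is still the vendor default")
    if not router["firewall_enabled"]:
        blocking.append("router firewall is off")
    if router["encryption"] in ("WEP", "NONE"):
        blocking.append("WEP or no encryption in use")
    elif router["encryption"] == "WPA":
        advisory.append("WPA in use; switch to WPA2 if the router supports it")
    if router["wps_enabled"]:
        blocking.append("WPS is enabled")
    if router["remote_management"]:
        blocking.append("remote management is enabled")
    if not router["firmware_current"]:
        blocking.append("firmware is out of date")
    return blocking, advisory

# Constructed sample records (field names are hypothetical).
HARDENED = {"ssid": "ggm-office-5f", "factory_ssid": "RouterCo-1234",
            "firewall_enabled": True, "encryption": "WPA2", "wps_enabled": False,
            "remote_management": False, "firmware_current": True}
WEAK = {"ssid": "RouterCo-1234", "factory_ssid": "RouterCo-1234",
        "firewall_enabled": False, "encryption": "WEP", "wps_enabled": True,
        "remote_management": True, "firmware_current": False}

if __name__ == "__main__":
    for name, record, pw in (("hardened", HARDENED, "Tr7$wq9Lm*4z"),
                             ("weak", WEAK, "admin123")):
        blocking, advisory = audit(record, pw)
        print(name, "allow remote access:", not blocking)
        for finding in blocking + advisory:
            print("  -", finding)
```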
It is a unique time in the history of business, insurance and law. A broader selection of network access points with different hardware manufacturers and different software applications (until you are fully within the Network) continues to present challenges and benefits. We continue to believe that a solid return to the office is around the corner – but with a much greater degree of acceptance for periodic or even scheduled remote working. This will be the new norm.
Some of this new norm is great – allowing for easier work/life balance and quality of life – but with each new benefit comes some degree of risk. With risk comes a degree of responsibility for the employee and employer to monitor and control access and to preserve and protect data, communications and documents. With a complex system in place and a team of people “working the task” it can be done and comply with appropriate guidelines and rules of professional responsibility.
Lawyers and Law Firms are in a position to be able to draw upon the expertise of sophisticated clients, insurers, businesses or third party claims companies and stay abreast of changes – and there will always be changes! Likewise, we participate often with managing partners from firms or businesses around the country including through CLM, IADC, IRMI, FDCC, NJDA, PLUS, TIDA, TLA, IAPP and others who regularly roundtable and present on topics such as these. I encourage others to get involved, get active and get out front.
But it is scary as we move forward and dream of what the future might become. But to quote Dorothy from the Wizard of Oz: “Somewhere, over the rainbow, way up high, there’s a land that I heard of once in a lullaby. Somewhere, over the rainbow, skies are blue… and the dreams that you dare to dream really do come true. Someday I’ll wish upon a star and wake up where the clouds are far behind me … where troubles melt like lemon drops, away above the chimney tops, that’s where you’ll find me … Somewhere, over the rainbow, bluebirds fly. Birds fly over the rainbow … why, then, oh why can’t I?”