Duncan Eadie, IT Director at Charles Russell Speechlys, speaks about the risks law firms face from cyberattacks, and the importance of embracing technological innovation.
What were some of the main threats in cybersecurity when you first moved into the sector?
The first computer virus I was aware of was distributed in 1988, and in my first job we had a lunchtime session discussing it! We then had to contend with viruses distributed via floppy disk, which demonstrates just how far the industry has come. At that time, people breaking into computer systems was almost done for fun; now, cyber crime is a major global industry in its own right.
Lawyers and clients alike are now all aware of the consequences of handling data inappropriately. Today, we expect security from every organisation we deal with, not only as professionals but also in our personal lives.
Does security permeate all aspects of your role, or is it effectively treated almost as its own business unit?
My role is essentially to design and deliver Charles Russell Speechlys’ IT strategy. That means overseeing the development of products and services, and then successfully introducing these across the business.
Within the IT department, I’d say that security has had to become more of a specialist requirement in recent years, partly because criminals and tactics are becoming more sophisticated. This vertical knowledge has to be supported by core tools that help us do this more specialised work.
What are some of the challenges around driving change in a business like Charles Russell Speechlys?
In some ways it depends on the change you’re introducing. When we introduce products like Tessian, which doesn’t necessitate huge change to working practices and which doesn’t require lots of training, you can feel people embracing the change in a different way.
From a people perspective, the principal security challenge is really to make sure that everyone around the organisation is vigilant, whether you’re a lawyer, a secretary, a software engineer or a marketing professional.
In a broader sense, the entire legal industry is feeling that there’s a significant shift happening right now. This isn’t at the individual or firm level, it’s impacting the whole sector. Firms have to decide at what point they want to catch that wave of change.
For forward-thinking law firms, this is a fantastic opportunity to build on the heritage of the past and embrace the opportunities of the future, something that’s in the DNA of Charles Russell Speechlys.
So why is this technological shift happening now, and what are the knock-on effects for security?
I think there is some frustration on the part of clients that the legal sector isn’t changing and evolving at the same speed as other industries. Changing customer demographics are beginning to disrupt the legal market in the same way as many other industries. In general, customers are more willing to challenge the professions and really engage with their service providers, and that means law firms need to offer a modern experience for clients.
Regulatory changes are also impacting these strategic decisions. We’re now seeing more punitive penalties for breaches of regulation, and that affects the way firms might think about the risks of expanding into a new practice area, for instance. All of this has consequences for security.
What do you wish the average lawyer knew about cybersecurity?
That if their cybersecurity knowledge is not up to scratch, their firm’s reputation could be damaged very quickly. We’re talking about a relatively small investment in time to focus on cybersecurity best practices. In the long run, this could protect a reputation which has been built up over decades. It only takes a moment to potentially destroy all that.
And what would you say to a technologist or security professional thinking about a career in the legal sector? What advice do you have that would help them make an impact?
Too often in the industry, making something more ‘secure’ results in making it harder to interact with. Technologists coming into the sector should empathise with legal professionals and realise that people don’t want barriers, however difficult that might be to incorporate into products. If people build products that combine security with ease of use, you’re onto a winner, and that’s actually what Tessian has done.
The other thing for IT specialists to remember is that much of a law firm’s business still stems from its reputation. Reputation can be a very fragile entity, but it’s also why law firms will survive over the long term. Protecting reputation is absolutely key.
So much important work carried out by lawyers is based on their firm’s and their own reputation. When people or businesses are in extremely sensitive situations, facing very difficult decisions, they don’t want an app, they want to talk to someone whose advice they trust. In this environment, our duty is to preserve and enable this intimate communication as best as we can with the support of technology, while balancing this need with best-in-class security practices.
How is Tessian helping Charles Russell Speechlys tackle threats and manage email security?
Well, the channel that generates the highest number of complaints to the ICO every year is email. Firms can easily send hundreds of thousands of emails every month: when businesses have that volume of communication, you don’t have to be wrong very often for it to really matter.
Misdirecting an email isn’t something someone does intentionally, and I’m sure that your readers have all experienced sending an email to the wrong person at some point. With Tessian, we don’t encounter pushback from within the organisation, so it’s a great way to deliver meaningful change in the firm. Tessian proves that modern technology can support our lawyers and help protect their relationships with clients.
*Interview condensed from Modern Law Magazine supplement, May 2019.