IT Security vs. Users

Are you feeling the squeeze between your firm’s clients and your users? How are you dealing with it?

Ed. note: This is the first post by Scott Petry, co-founder and CEO of Authentic8. Scott also pioneered the software-as-a-service space as founder and CTO of Postini.

For the past year, I’ve been hearing that legal IT professionals feel trapped. That’s because they face two opposing demands. On the one hand, clients want their law firms to implement robust network security measures — like blocking access to personal web content — in order to protect privileged information. On the other hand, attorneys and staff demand access to the web in order to maintain a work-life balance.

Demands to restrict web access are especially common with firms that serve the financial markets. Similar to healthcare providers forcing business associates to adhere to HIPAA guidelines, clients are starting to hold their vendors to the same standards that they must meet themselves. But financial service clients aren’t the only drivers, because client fears about their law firms’ security aren’t just hypothetical.

According to Bloomberg Business, 80% of the biggest 100 law firms have suffered a security breach. Law firm hacks grabbed headlines when data thieves infiltrated legal networks to gain information on the firms’ clients. The crooks then used the stolen intel to make illicit insider trades on Wall Street.

Meanwhile, law firm employees and partners don’t want restrictions on their web access, which isn’t just for watching cat videos or buying new shoes. In many cases, workers need it: LexisNexis can only get them so far. Attorneys and staff often use the regular Web for research, communicating with peers on issues, and more.

Beyond that, legal staff are known for keeping LONG hours. It’s reasonable that an attorney or paralegal who’s shouldering 16-hour days will need to jump online to pay a few bills or email their spouse.

Everyone I’ve talked to feels caught in this squeeze. They know they have to do something, but taking drastic measures like turning off the web for personal use creates its own mess.

For starters, there’s the problem of angering everyone at the firm. Nobody wants to be the jerk who turned off the Internet. And let’s be honest, workers are a crafty bunch. If IT blocks normal web access, employees will find workarounds. There have been many cases of employees bringing in their own unmanaged devices, switching their work machines to the open guest WiFi, or even bringing their own hotspot into the office. All of these secret solutions create gaps in a firm’s network security.

In one conversation, the firm was planning to turn off web mail altogether. They assumed that users would be fine just using their iPhones or iPads. That created a revolt among the associates, who spend the majority of their lives in the office: switching from one device to another proved disruptive to their workflow. In addition, those mobile devices might still hold sensitive data such as email and client files, and a BYOD policy for personal use leaves that data unprotected.

Another firm was playing whack-a-mole at the firewall, blocking access to some sites and putting restrictions on allowable content. While not as draconian as a complete block, this approach neutered content to the point that websites were unusable. At the other end of the spectrum, I met with a firm that was publishing a virtual desktop just so its users could access a browser. This is conceptually a great idea, but in reality it is costly and complicated.

Instead of managing the entire VDI stack, we see more firms using virtual browsers that give employees web access while protecting client data and firm resources. It’s a great way to balance the need for IT security and the sanity of your users. You can read more about the details of what to look for in a virtual browser in this white paper Authentic8 published this month.

Scott Petry is the co-founder and CEO of Authentic8, maker of Silo. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007. You can contact Scott to discuss internet security, F1 racing, or adult beverages at scott@authentic8.com.