All involved with lawyers’ use of technology recognise a sad but limiting truth. They are only interested if they can see a clear benefit in terms of improved efficiency. And ‘efficiency’ is defined strictly: increase fees or reduce overheads. The Law Society of Scotland’s PKI project, Lawseal, recently foundered as a result of professional apathy. After months of marketing hype and promotional material we were informed that Lawseal had to be abandoned as there was “unlikely to be sufficient demand to launch the product”.
Lawyers were being encouraged to use PKI as it was groundbreaking and secure. Incorporating PKI into their methods of working would mean that they would no longer leave sensitive information contained in an email vulnerable to interception and that they could verify the identity of the sender. This is why I believe the PKI project failed.
Fatally, there was no mention of how PKI would improve their fees and reduce overheads. It was perceived as an onerous application which would require time to get used to; something that could be left until it was absolutely unavoidable.
For secure technology to get on the agenda at partnership meetings it has to perform a role secondary to efficiency.
“The proposed development can do x, y and z to reduce overheads and increase fees. By the way, it is also secure.”
Blessing in Disguise?
The failure of Lawseal could be viewed as a short-term blessing for future secure communication projects. Statistics from Ferris Research, show that staff can spend up to four hours per day composing and reading e-mails. Under the PKI project, a user would encrypt an e-mail/document using his or her private key. The encrypted e-mail/document would then be decrypted by the recipient, using the sender’s public key. The problem, as far as I saw it, was that encrypted e-mails could not be virus checked until they had been unencrypted (ie opened). By that stage the virus payload, whatever it might be, would be free.
Judging by the sheer number of virus-ridden e-mails which I have received lately, purporting to come from individuals in law firms and/or regulatory bodies, the virus checking measures and e-mail policies presently in place would not be sufficient to ensure that encrypted e-mails are virus free. The integrity of the PKI project relied upon the existence of a mutual belief that parties involved in the scheme would be sufficiently well versed in the approach to be taken when opening emails with attachments. At this stage, such trust cannot exist. Users continue to double click attachments on emails as and when they arrive, irrespective of the file extensions and uncharacteristic sender messages.
Reliance on e-mail as a method of communication is widespread; popular in large, medium-sized and small practices.
Digital infections have hit an all time high.
· The Slammer worm infected nearly 75,000 servers in 10 minutes. In summer 2003 a flaw in Windows was exploited by the Blaster worm and this was followed swiftly by the Sobig.F virus. The Sobig.F virus moved so quickly that at one stage one message out of every seventeen was a copy of the virus.
· In late January 2004 one out of every five email messages was a copy of the Mydoom.A virus.
· The
Who Cares about Security?
It could be concluded from the apathy displayed towards the Law Society’s Lawseal project that communication security is an issue which law firms consider relatively unimportant. A simple explanation for this may be that their clients have not pressed them about it.
When a ‘network worm’ collapses a client’s network as a result of an email emanating from your firm’s i.p. address, secure communication may move up the priority list.
I truly believe that this general apathy represents an opportunity for progressive firms, of all sizes, to look at how they communicate with their clients in general and to factor in communication security as part of their overall IT strategy. Doing so can mark you out from the mass of other, less stringent firms.
Some may suggest that communication security can only be the domain of larger practices due to the costs inherent in IT development, but this is untrue. The costs involved are not great.
Firms already use extranet technology to bring clients to them. As well as creating an image of superior service for the client, it transfers communication and printing overheads from the firm to the client.
Adding information to your Web site, or issuing an e-mail newsletter, is all well and good. The trick is to issue the newsletters in such a way that they only contain a part of the information which the recipient wants to read. To access the rest of the information they are required to click on a link contained within the email and access the area of your site where the information is hosted. Using one of the many basic Web-hosting packages available will mean that, already, you are beginning to gather user information on your clients and you can use this information to tailor further services. You are also beginning to get your clients used to coming to you. A recent hosting account that I opened for a client, at a cost of £89 per year, offers free weekly reports detailing: daily, weekly and monthly statistics, visitor host details, site referrer details, user agents and geographical access.
By adding a basic database to your site and a user login script, very quickly, internal staff will be able to create client-focused articles and content sections. Information, requests, cases or updates on particular items of interest can be disseminated at the click of a button. The difference is that the content, or documents, are not contained within, or attached to, an email. The email only contains a link to the login page. The recipient clicks on the link, logs into the site, enters the secure area and downloads the relevant files. This will not take much longer than the client actually receiving an email with an attachment and is far less likely to result in the transfer of viruses or worms.
Additionally clients will probably not open an email, with an attachment, purporting to come from you when your emails generally have the same subject heading and never contain attachments.
Usernames and passwords can be via letter or during a face-to-face meeting.
Bring the client to you! Using web analysis reports together with username and password functionality means that you can start to use your Web site properly. At the same time you are beginning to decrease the vulnerabilities you expose yourself to by relying so heavily on email.
Your clients will begin to believe that they are receiving services from a firm not only committed to the use of technology, but also committed to risk avoidance.
The term worm originally stems from “Tapeworm” in John Brunner’s 1975 novel “The Shockwave Rider” and it is the commonly used term for a program that propagates itself over a network, reproducing itself as it goes. (In “The Shockwave Rider” the main character, Nickie Halflinger, uses “tapeworms” to erase his previous identities.)
Today “Network worms” pose the most serious threats, as they aim to exploit a particular flaw in a software product. The Slammer worm is a recent example of this type of worm. These worms continue to alter themselves in order to wreak more havoc on the pcs of vulnerable users.
A virus is a program or piece of code that can “infect” one or more other programs by embedding a copy of itself within them. When these programs are executed, the embedded virus is executed too, thus propagating the infection.
A virus has an “engine” – code that enables it to propagate and optionally a “payload” – what it does apart from propagating. It needs a “host”- the particular hardware and software environment on which it can run and a “trigger” – the event that starts it running.
Tellingly, in an article in the “Review” section of the Observer (Sunday 22nd February 2004) one virus writer is quoted as saying: “A virus epidemic is born of a relationship between people smart enough to write a virus and people dumb enough to spread it”.
Stephen Moore
Stephen@stephenmooresolutions.com
www.stephenmooresolutions.com
Stephen Moore is a qualified lawyer offering IT services to Lawyers. Stephen is also a director of Intersettle.co.uk
