by Bill Ho as featured in Law Journal Newsletters, an ALM publication
Is Your Email Secure?
Email was first introduced into the workplace more than 30 years ago — and the platform quickly became the de facto way for colleagues to communicate and share data, documents, and information among one another. With the mass adoption of smartphones and devices, email is one of the easiest and quickest ways to communicate.
Specifically, in the legal community, professionals have embraced the tool — coming in directly behind healthcare as the industry that leverages email the most for sending and sharing information. However, as increasing concerns and regulations around data security continue to evolve, the future of digital communication via email may not meet the more stringent requirements.
The Dark Side of Email
Trust, in the legal industry, has become the foundation between maintaining relationships between lawyers and their clients. But, with the increase of cyber hacks, phishing, and mistakes — such as accidently sending information to the wrong person — the conveniences of email are putting the most sensitive data, and client confidentiality at risk. Today, most law firms recognize this issue, and there’s been a major increase in investment in solutions that provide security, encryption and auditing. But while many firms have deployed secure messaging systems and secure file transfer tools to help protect external communication and documents, a recent survey by Biscom shows the downside of those investments.
A whopping 80% of legal employees admitted to using insecure email to share sensitive data, including private client information such as medical and financial dat
The report reveals that 88% of firms invest in data protection with secure information and sharing tools. However, a whopping 80% of legal employees admitted to using insecure email to share sensitive data, including private client information such as medical and financial data.
Additionally, the survey found that a majority of legal employees didn’t even know using email to share confidential information was a problem. In fact, 69% of legal employees believed that email was actually a secure way to share information, and 50% use whatever is easiest to share confidential data, with 75% believing email to be the easiest method.
Let’s try to unpack this. Almost 9 out of 10 survey respondents claim their firm utilizes secure sharing tools. With high profile data breaches, General Data Protection Regulation (GDPR) concerns, HIPAA, and business associate agreements, in addition to similar regulatory requirements, firms are responding to the need for more secure communications. Additionally, there’s an expectation of trust and confidentiality between an attorney and his or her client. But, while a majority of firms have implemented solutions to try and secure their communication channels, more than half of their employees are still unaware of the risks of email, and ultimately, resort to whatever is easiest — no matter the security risks. The survey also found that employees were using Google Drive, personal Dropbox accounts, and other “shadow IT” applications to share information both internally and externally.
Some of the reasons behind employees’ non-compliance? Thirty-seven and a half percent of employees expressed not using secure data transfer/sharing tools because of a lack of consequences when it came to following their firms’ security policies. This was true throughout organizations, regardless of their role or seniority. Additionally, two out of three junior and midlevel employees simply believe that compliance “doesn’t matter” when it comes to risky behavior. Noncompliance was also found among senior employees — with half of senior management and partners admitting they don’t believe compliance lessened a firm’s security risks. In addition, the survey found that employees aren’t motivated to follow security policies, with more than half reporting that a lack of reward for following their firms’ security policies reduces their motivation to comply.
How Legal Firms Can Improve Data Security
It’s a good sign that so many firms have made the investment to use secure sharing tools. However, it’s not enough to simply put the tools in place. It’s up to the firm to ensure every employee knows about the secure tools available and how and when to use them. As new employees are on-boarded, their initiation should prioritize training around information security policies and how to use the provided tools. Beyond on-boarding, training and education should be performed on a regular basis to keep things top of mind.
For those firms that have provided secure solutions yet seem to have low adoption, it’s important to understand the root cause. An internal questionnaire can help gauge employees’ understanding of cybersecurity best practices.
One of the biggest reasons for low adoption rates when using secure sharing and communication tools in law firms has been complexity. Biscom’s data revealed that, on average, it takes employees eight additional minutes per transaction to perform a task when using a secure tool compared with their “normal” method, which is most likely email. Not including the time to write an email, it usually takes only a few seconds to address and send an email. Eight additional minutes to use a more secure method is quite a bit of time that people would rather use performing their primary job function.
Biscom found that ease-of-use is paramount in increasing those adoption numbers. In addition, minimizing changes to existing behaviors, creating a good user experience, and providing
additional capabilities that are otherwise unavailable also increase adoption. Understanding this data, firms can better implement tools that meet the needs of their employees, while knowing sensitive data remains secure. For example, implementing a secure messaging tool that easily integrates with employees’ existing email platforms is simple to use and complies with policy rules for automating the delivery — all while providing tracking and auditing — will help meet all of these needs of employees and employers, while also only marginally adding to a worker’s time.
On the other hand, complexity is an issue that goes both ways. Firms work with a diverse group of clients, and as some may not be technically savvy, ensuring an intuitive client experience is also important. Being able to receive communications that are not only secure, but also easy to access, can make all the difference in customer satisfaction.
With stricter regulations such as GDPR, as well as the costly impact of the loss of a firm’s intellectual property, and breaches of confidentiality, it is now more vital than ever to make sure your firm clearly understands threats and how to address them in the form of policies, processes and tools. While vetting a solution, security is often the most important requirement, but ensuring the solution also has a great user experience can help with better adoption and compliance. Once you’ve selected your secure sharing solutions, providing regular employee training, oversight, and accountability can ensure you’re achieving the level of threat protection you’ve invested in.
Bill Ho is CEO of Biscom, a secure document and messaging solutions company that enables firms to share and store documents securely. Over his 20 year career, Bill has worked closely with various companies in the legal, healthcare, financial services, and government spaces. Recognized as a security expert, Bill speaks frequently, including recent engagements at Secure World and Harvard Business School.