Category Archives: Technology

Big Banks Increase Cybersecurity Investment to Stop Data Breaches

A recent article in Forbes Magazine reports that big banks including Bank of America and J.P. Morgan Chase are pulling out all the stops when it comes to their cybersecurity budgets. According to the article, B of A CEO Brian Moynihan has declared that cybersecurity is the only area of his company that has no budget constraints whatsoever. Another financial giant, J.P. Morgan, reportedly doubled its budget in 2015 from $250 million to $500 million.

The increased investment in cybersecurity should come as no surprise. As Infosecurity Magazine reported last year, the financial services industry is 300 times more likely to be the target of a data breach than any other sector. In another study, insurance company Lloyd's of London found that cyber-attacks can cost organizations as much as $400 billion a year.

Putting more focus and dollars into data security is a wise move. However, increasing security posture depends as much on what you invest in, as it does on how much you spend. Like all industries, financial services is facing an increasing number of threat vectors and security challenges, including dependence on cloud-enabled services, an explosion of mobile devices in the workplace, and BYOD, to name a few. These vulnerabilities are being exploited by increasingly sophisticated and connected criminal hacker syndicates and nation-state attacks bent on thwarting whatever security solutions are put in their way. One only has to survey the high profile data breaches in 2015 to realize that throwing more money at blocking threats from gaining entry won’t necessarily solve the problem.

The answer is not to abandon critical preventive measures such as AV/heuristic indexes, sandboxing and IPS. These are important technologies that have a place in a sound cybersecurity strategy. But organizations need to consider adding technology that can protect the network after evasive malware bypasses security, but before they have to call in the disaster recovery team to assess their losses. One way to accomplish this is to add traffic anomaly detection: technology that continuously monitors all outbound network traffic to detect anomalous behavior and contain suspicious data transfers before an active infection is discovered. Such technology can augment preventive measures like sandboxing, but it requires that banks and other organizations first accept that no security tool exists that can stop 100% of malware. Even with unlimited budgets, stronger cybersecurity readiness can't begin without that acceptance.
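The outbound anomaly detection described above, reduced to its simplest defensible form, as an added example (not code from the original post or from any vendor named in it). It compares one day of per-host outbound flow summaries against a baseline window and flags a host whose outbound volume jumps well past its own baseline, or that opens a channel to a destination on a non-web port it never used before. The flow record layout, the host names, the IP addresses and the thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Flow is one summarised outbound connection as an egress sensor might export
// it. The field set and CSV layout are assumptions made for this example, not
// any vendor's schema.
type Flow struct {
	Host    string
	DstIP   string
	DstPort int
	Bytes   int64
}

// parseFlows reads lines of the form "host,dst_ip,dst_port,bytes", skipping
// the header row and anything malformed.
func parseFlows(csv string) []Flow {
	var flows []Flow
	for _, line := range strings.Split(csv, "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 4 || f[0] == "host" {
			continue
		}
		port, err1 := strconv.Atoi(f[2])
		n, err2 := strconv.ParseInt(f[3], 10, 64)
		if err1 != nil || err2 != nil {
			continue
		}
		flows = append(flows, Flow{f[0], f[1], port, n})
	}
	return flows
}

// Finding names a host and the reason it was flagged.
type Finding struct {
	Host   string
	Reason string
}

// webPort marks ports that ordinary workstation traffic uses all day; a new
// destination on one of these is too common to flag on its own.
func webPort(p int) bool { return p == 80 || p == 443 }

// DetectOutboundAnomalies compares an observation window against a baseline
// window. A host is flagged when its outbound volume exceeds `factor` times
// its baseline volume (and at least `floor` bytes, so idle hosts with tiny
// baselines do not trigger on noise), or when it contacts a destination on a
// non-web port that it never used during the baseline.
func DetectOutboundAnomalies(baseline, current []Flow, factor float64, floor int64) []Finding {
	baseBytes := map[string]int64{}
	seen := map[string]bool{}
	for _, f := range baseline {
		baseBytes[f.Host] += f.Bytes
		seen[f.Host+"->"+f.DstIP+":"+strconv.Itoa(f.DstPort)] = true
	}
	curBytes := map[string]int64{}
	var findings []Finding
	for _, f := range current {
		curBytes[f.Host] += f.Bytes
		dst := f.DstIP + ":" + strconv.Itoa(f.DstPort)
		if !webPort(f.DstPort) && !seen[f.Host+"->"+dst] {
			findings = append(findings, Finding{f.Host, "new destination " + dst})
		}
	}
	for host, n := range curBytes {
		if n >= floor && float64(n) > factor*float64(baseBytes[host]) {
			findings = append(findings, Finding{host,
				fmt.Sprintf("outbound volume %d bytes vs baseline %d", n, baseBytes[host])})
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Host != findings[j].Host {
			return findings[i].Host < findings[j].Host
		}
		return findings[i].Reason < findings[j].Reason
	})
	return findings
}

// Constructed sample windows: a normal baseline, then one day in which ws-42
// opens a new high-port channel and db-01 pushes 60 MB out.
const baselineCSV = `host,dst_ip,dst_port,bytes
ws-17,203.0.113.10,443,120000
ws-17,203.0.113.11,443,80000
ws-42,203.0.113.10,443,150000
db-01,198.51.100.5,443,20000`

const todayCSV = `host,dst_ip,dst_port,bytes
ws-17,203.0.113.10,443,130000
ws-42,203.0.113.10,443,140000
ws-42,192.0.2.77,8443,9000000
db-01,198.51.100.5,443,25000
db-01,192.0.2.9,443,60000000`

// SampleFindings runs the detector over the constructed windows.
func SampleFindings() []Finding {
	return DetectOutboundAnomalies(parseFlows(baselineCSV), parseFlows(todayCSV), 5, 1_000_000)
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("%-6s %s\n", f.Host, f.Reason)
	}
}
```

On the constructed data ws-17 stays quiet, ws-42 is reported twice (new destination and volume) and db-01 once (volume only, because its new destination is on 443). The volume rule is what catches the db-01 case; the new-destination rule is deliberately limited to non-web ports because otherwise every new website visited would be a finding, which is the noise problem that makes such alerts get ignored.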

NSA Chief Hacker Reveals How He Can Be Kept Away – Part 2

This is the second entry in a two-part series covering the NSA’s chief hacker’s recent talk at a security conference. Rob Joyce, the head of the Tailored Access Operations program put in place by the NSA to conduct cyberespionage operations on foes and allies alike, briefly revealed how state-sponsored hackers infiltrate their targets’ networks, often successfully.

Rob Joyce quickly ran through a list of to-dos for those who are looking to make his job harder. He could be forgiven for cutting short this particular portion of his talk.

Speaking candidly, the NSA hacker-in-chief explained that special access privileges to critical systems ought to be restricted to a select few. This inherently makes the NSA's task difficult, as the number of targets is lowered. Furthermore, he nodded toward segmenting networks and vital information and data. Such a move makes it harder for hackers to gain access to what they're looking for.

The NSA employee also recommends patching systems regularly. Application whitelisting is also important for trust. Hardcoded passwords are a strict no-no and ought to be removed. So too should legacy protocols that are no longer updated but are still functional. More specifically, protocols that transmit passwords in the clear should be curbed.

Joyce also pointed to roadblocks that make his job significantly harder. One such roadblock is an "out-of-band network tap." This is a device that continually monitors network activity and maintains logs that can record anomalous activity. When a system administrator reads and reviews these logs regularly, the game is up.
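Of the hardening items listed above, the hardcoded-password one is the easiest to turn into a routine check. The following added example (not code from the talk or from the NSA) is a small scanner that walks config and source text for assignments whose key name suggests a secret and whose value is a literal rather than a reference to an environment variable, vault placeholder or function call. The sample files, the key names and the secret values are constructed; the patterns are deliberately broad so that review, not the regex, makes the final call.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hit is one suspected hardcoded credential: file, 1-based line and the key
// whose value looked like a literal secret.
type Hit struct {
	File string
	Line int
	Key  string
}

// credPattern matches assignments whose key name suggests a secret (password,
// passwd, pwd, secret, api_key, token) in the usual config, env and source
// syntaxes: "key = value", "key: value", "key=value", "key := value".
var credPattern = regexp.MustCompile(
	`(?i)\b([a-z0-9_.-]*(?:passw(?:or)?d|pwd|secret|api[_-]?key|token)[a-z0-9_.-]*)\s*(?::=|[:=])\s*["']?([^"'\s,;]+)["']?`)

// placeholder matches values that are references rather than secrets:
// ${VAR}, $VAR, %VAR%, <fill-me-in>, {{template}}, masked **** or xxxx, a
// function call such as os.Getenv(...), or an explicit none/null.
var placeholder = regexp.MustCompile(
	`(?i)^(?:\$\{?\w+\}?|%\w+%|<[^>]*>|\{\{.*\}\}|\*+|x+|[a-z_][\w.]*\(.*|none|null)$`)

// ScanForHardcodedCredentials reports every line in content where a
// secret-like key is assigned a literal value. Comment lines are ignored.
func ScanForHardcodedCredentials(file, content string) []Hit {
	var hits []Hit
	for i, line := range strings.Split(content, "\n") {
		t := strings.TrimSpace(line)
		if strings.HasPrefix(t, "#") || strings.HasPrefix(t, "//") {
			continue
		}
		for _, m := range credPattern.FindAllStringSubmatch(t, -1) {
			if placeholder.MatchString(m[2]) {
				continue // value is a reference, not a literal secret
			}
			hits = append(hits, Hit{file, i + 1, m[1]})
		}
	}
	return hits
}

// Constructed inputs: a properties file that mixes real literals with vault
// and environment references, and a Go source file with one literal token.
const propsFile = `# database settings
db.host=db.internal
db.password=Sup3rSecret!
api_key = "${API_KEY}"
smtp_token: <set-in-vault>
service_password = "changeme"`

const goFile = `package main
import "os"
const adminToken = "tok_EXAMPLE_0000"
// password = "only-a-comment"
func main() { pwd := os.Getenv("DB_PWD"); _ = pwd }`

// SampleHits scans both constructed files.
func SampleHits() []Hit {
	hits := ScanForHardcodedCredentials("app.properties", propsFile)
	return append(hits, ScanForHardcodedCredentials("main.go", goFile)...)
}

func main() {
	for _, h := range SampleHits() {
		fmt.Printf("%s:%d  %s assigned a literal value\n", h.File, h.Line, h.Key)
	}
}
```

Note that a default such as "changeme" is reported on purpose: a shipped default is exactly the kind of hardcoded credential the talk warns about, and it should be rotated or moved out of the file like any other literal. Running a check like this in pre-commit or CI is what makes the recommendation stick after the initial clean-up.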

Another insight revealed by Joyce goes against the popular opinion about how state-sponsored hackers, whether at the NSA or other agencies around the world, get in. He claimed that the NSA does not rely on zero-day exploits, not extensively anyway. He says the NSA doesn't heavily look at zero-days, simply because it doesn't have to.

“[With] any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days,” he says.

There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.

NSA Chief Hacker Reveals How He Can Be Kept Away – Part 1

The National Security Agency’s hacking chief reveals insights and tips to block the world’s best hackers.

Here's how NSA's hacker-in-chief Rob Joyce began a recent security conference talk in San Francisco.

I will admit it is very strange to be in that position up here on a stage in front of a group of people. It's not something often done.

My talk today is to tell you, as a nation state exploiter, what can you do to defend yourself to make my life hard.

Even as the head of NSA's Tailored Access Operations, the team tasked by the government with infiltrating the computer systems and networks of foreign adversaries and allies alike, Joyce made light of the awkward situation. He was in a room packed with security professionals, journalists and academics, telling them exactly how they could keep state hackers like him away from their computers and networks.

The NSA Trap

The NSA isn't one to look for the login credentials of a targeted firm or organization's management. Instead, the agency looks for the credentials of network and system administrators, those with high levels of network access and privileges. The NSA, as reported by Wired, also seeks to find hardcoded passwords embedded in software. Similarly, the agency sniffs for passwords transmitted and used by legacy protocols. Basically, it probes the entire sphere for vulnerabilities, none of which go unnoticed by the agency.

Joyce said:

Don’t assume a crack is too small to be noticed, or too small to be exploited.

If users ran penetration tests of their network and infrastructure to see 97 devices pass the test while three failed, Joyce claimed that those three seemingly harmless vulnerabilities are the ones that the NSA or other state-sponsored attackers will see as sweet spots.

"We need that first crack, that first seam," explained Joyce, noting that every single vulnerability matters. "And we're going to look and look and look for that esoteric kind of edge case to break open and crack in."

If a user is approached by a vendor to open the network, however briefly, to fix a concern remotely, Joyce advises against it. Such a situation is just one of the many openings that nation-state hackers are looking for as vulnerabilities, he added.

Surprisingly, Joyce also pointed to personal devices such as laptops used by office employees that are running the gaming platform Steam as a favorite attack target of the NSA. When the employee's kids load Steam games onto the laptops and the laptops subsequently connect to the organization's network, an attack vector is opened.

Basically, the NSA and state-sponsored spies and hackers in general are well equipped to get into a user’s network, simply because they know more about the network than most users do.

"We put the time in … to know [that network] better than the people who designed it and the people who are securing it," he stated. "You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You'd be surprised about the things that are running on a network vs. the things that you think are supposed to be there."

New Law on Sharing Threat Info Aimed at Preventing Data Breaches

High profile data breaches seem to occur in an almost predictable cadence, and no industry is immune. This has frustrated organizations that want to believe their security is strong enough to keep them from experiencing the bottom-line-bashing data theft they see in the headlines. The fact that the majority of both business and government functions have gone digital opens up doomsday scenarios of which government agencies, from state and local up to the federal level, are well aware.

Another factor that should be cause for alarm is that some of these breaches are generated using malware that's been around for a while. For instance, reports at the time alleged that the Home Depot and Target data breaches were caused by variants of the same malware. This goes a long way toward validating that organizations aren't sharing threat information, which is the issue behind some recent legislation, the Cybersecurity Information Sharing Act (CISA). The new law is designed to incentivize private industry to share cyber threat information with the Department of Homeland Security (DHS). The incentives for participating include liability protection and safeguards for the trade secrets of businesses that choose to participate.

The information being sought includes security vulnerabilities, malware code, damages from past breaches, and the steps the organization took to mitigate known or unknown threats.

While a move to more information sharing as a way to increase cybersecurity seems like a good idea, a recent article in Forbes Magazine entitled, Big Decision Time for Business As Cyber Security And Privacy Collide Again, points out a couple of reasons businesses might resist participation.

  • Proponents of the law can’t point to a single data breach that this legislation would have prevented, begging the question, why do we need this law?
  • Business may be concerned that the information they provide to DHS could be given to NSA, the agency whose history displays a decided lack of concern for privacy rights.
  • Companies may feel compelled to ignore these concerns because not participating in the CISA sharing programs may deprive them of critical threat information they need.

As the Forbes writer points out, making the sharing of threat information a law is a small but critical step in supporting an atmosphere of intelligence sharing that will benefit everyone in the long run. He also points out that businesses in some industries are already sharing this sort of information, which is encouraging. Each of these steps represents an advancement in the war on cyber threats in which we all participate, whether we know it or not. Any action that moves us forward, no matter how small, should be welcomed.

PROPOSED STATE BANS ON PHONE ENCRYPTION MAKE ZERO SENSE

American politics has long accepted the strange notion that just a pair of states—namely Iowa and New Hampshire—get an outsize vote in choosing America's next president. The idea of letting just two states choose whether we all get to have secure encryption on our smartphones, on the other hand, has no such track record. And it's not a plan that seems to make much sense for anyone: phone manufacturers, consumers, or even the law enforcement officials it's meant to empower.

Last week, a California state legislator introduced a bill that would ban the retail sale of smartphones with a full-disk encryption feature—a security measure designed to ensure that no one can decrypt and read your phone's contents except you. The bill is the second piece of state-level legislation to propose that sort of smartphone crypto ban, following a similar New York state assembly proposal that was first floated last year and re-introduced earlier this month. Both bills are intended to ensure that law enforcement can access the phones of criminals or victims when their devices are seized as evidence.

If consumers will cross borders to fill a booze cabinet, what’s to prevent New York criminals from foiling surveillance with New Jersey iPhones?

Those two proposed crypto bans have put another twist in an already tangled debate: The privacy and cryptography community has long opposed any such "backdoor" scenario that gives cops access to encrypted smartphones at the risk of weakening every device's data protections. But legal and technical experts argue that even if a national ban on fully encrypted smartphones were a reasonable privacy sacrifice for the sake of law enforcement, a state-level ban wouldn't be. They say the most likely result of any state banning the sale of encrypted smartphones would be to make the devices of law-abiding residents more vulnerable, while still letting criminals obtain an encrypted phone with a quick trip across the state border or even a trivial software update.

Crypto Has No Borders

If the New York and California smartphone encryption bans passed, a company like Apple that sells encrypted-by-default iPhones would have three options, argues Neema Singh Guliani, an attorney with the American Civil Liberties Union: It could cease to fully encrypt any of its phones, contradicting a year of outspoken statements on privacy by its CEO Tim Cook. It could stop selling phones in two of America's richest states. Or finally, it could create special versions of its phones for those states to abide by their anti-encryption laws.

The last of those scenarios is Apple’s most likely move, says Singh Guliani, and yet would result in a “logistical nightmare” that still wouldn’t keep criminals from encrypting their phones’ secrets. She compares the laws to state-wide liquor regulations: “People will travel over the border to buy alcohol in states with the standards that suit them,” she says. If consumers will cross borders to fill a booze cabinet, what’s to prevent New York criminals from foiling surveillance with New Jersey iPhones? “Nothing would stop those who wanted a more privacy protective phone to get one from out of state.”

In the hypothetical future where the state bills have passed, fully encrypting an iPhone might not even require buying an out-of-state device, but merely downloading out-of-state firmware. After all, it's unlikely Apple would go to the expense of manufacturing different hardware for its phones to disable encryption in some of them, argues Jonathan Zdziarski, an iOS forensics expert who has worked with police to decrypt phones. "That would be a massive technical change to support this kind of device," Zdziarski argues. "It would be literally cheaper for Apple to stop selling phones in California altogether." Instead, he says, it would likely sell the same hardware for all of its devices and merely disable full-disk encryption through a different version of its firmware activated at the time of the phone's purchase. And nothing in the current bills would prevent Apple from making the version of its firmware with full encryption enabled available to anyone who restores their device from factory settings.

The technologically savvy will find ways to get encryption, while the average smartphone user’s data will be left more vulnerable.

In other words, that would make the New York and California crypto bans statewide bans on software, an idea roughly as practical as policing undocumented birds crossing the Mexican border. And if Apple were to try to accommodate the spirit of the law by preventing customers from restoring their phone with full-disk encryption inside California or New York, Zdziarski is confident iPhone owners could circumvent any location tracking, proxying their IP address or putting the phone in a Faraday bag to block its GPS. “This legislation is going to be technologically useless,” says Zdziarski. “Anyone who wants a device that doesn’t have law-enforcement-reversible encryption will be able to get one.”

Pressuring Congress

Neither Apple nor Google, which followed Apple’s lead last year by declaring that all devices running the latest version of Android will have default full-disk encryption, responded to WIRED’s request for comment on the California or New York bills. The office of New York Assemblyman Matthew Titone, who introduced the New York bill, tells WIRED that the state-level bill is meant to pressure Congress to follow with its own legislation. “When there’s no national legislation, states take efforts on their own to solve an issue,” says Titone’s chief of staff Chris Bauer. “That can speed the process along to make the federal government take steps.”

Skyler Wonnacott, the director of communications for the California bill’s sponsor Assemblyman Jim Cooper, offered a similar argument. “California is leading the fight…It’s got to start somewhere,” Wonnacott says. “Just because you can drive into Nevada and buy a phone or download software doesn’t mean there isn’t an issue and these phones aren’t used in crimes.”

Congress has yet to introduce legislation to limit full-disk encryption in smartphones, despite several congressional hearings over the last year in which officials, including FBI Director James Comey and New York District Attorney Cyrus Vance, warned of the dangers of allowing criminals access to devices with data they couldn’t decrypt. (Vance said at the time that New York police had been stymied by smartphone encryption 74 times in the nine months before the hearing, out of roughly 100,000 cases it deals with in a year.) A spokesperson in Vance’s office writes to WIRED that the DA’s office pushed for state legislation, and still hopes to find a compromise with device makers. “When Apple and Google announced the switch to full-disk encryption…with no regard for the effect it would have on local law enforcement and domestic crime victims, they left us with no choice but to seek legislative solutions at all levels, state and federal,” writes the district attorney’s director of communications Joan Vollero. “If the companies have a solution, we encourage them to engage in a productive dialogue.”

Constitutional Questions

But even if state laws do put pressure on Apple and Google to cave on encryption, they may do so unconstitutionally, says Andrew Crocker, an attorney with the Electronic Frontier Foundation. He says statewide smartphone encryption bans may fall under the “dormant Commerce Clause,” which gives the exclusive right to regulate commerce between states to the federal government. “States don’t have unlimited power to enact regulations to burden interstate commerce,” says Crocker. “If I’m Apple, this seems like a huge burden on my business.”

Congress, on the other hand, would have the power to ban default full-disk encryption in smartphones—though they’d do so against the advice of nearly every technical expert in the field of cryptography. In July of last year, for instance, 15 renowned cryptographers published a paper cautioning against any deliberate weakening of encryption for the sake of law enforcement. “New law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” the paper reads. “The prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.”

And Crocker reiterates that state-level bills wouldn’t be just problematic or risky, but “wildly ineffective,” as those who want encryption will easily get it from out of state—in either software or hardware form. The technologically savvy will use it to defeat police surveillance or to protect their phone from hackers and thieves, while the average smartphone user’s data will be left more vulnerable. “The ones who will actually be impacted are the less sophisticated people who don’t know how to get this protection,” says Crocker. “You’re looking at a cost that falls on innocent people, not criminals or terrorists.”

Organizations Still Paying Breach Costs After Remediation

A new report from SANS Institute examines the costs that organizations deal with after they clean up from a breach.

Data breaches often result in myriad costs for victimized organizations and individuals. A new study from SANS Institute, sponsored by Identity Finder, found that even after organizations remediate the immediate cause of a breach, there will still be ongoing cost consequences.

Barbara Filkins, senior analyst at SANS Institute, wanted to take a different tack in the analysis of data breach costs than other reports, notably the Ponemon Cost of a Data Breach and Verizon Data Breach Investigations Report (DBIR). (The 2015 Ponemon Cost of a Data Breach report, sponsored by IBM, found that the average cost of a data breach is $3.8 million.) In Filkins' view, the other reports focus on the front-end costs of data breaches as opposed to what can be done to mitigate the damage after an attack.

At the top end, the SANS report found that 31 percent of the surveyed organizations incurred post-breach costs of between $1,000 and $100,000 as a result of a data breach, and 23 percent experienced costs of $100,000 to $500,000.

Looking at the root causes of the data breaches, 35 percent of respondents noted that a hacking or malware attack was the primary vector. The study also asked about how long it took organizations to fully remediate a breach, with 38 percent of respondents reporting it took three months or longer.

Going a step further, even after the breach remediation was considered to be complete, most respondents experienced residual issues, including potential litigation, fines and brand reputation concerns. Only 35 percent reported that they had no lingering effects after a breach was considered to be remediated.

As to why some organizations have no lingering effects, Filkins said it all has to do with the nature of the breach and the difficulty of understanding costs. There are some obvious items that are considered to be post-breach costs, including identity monitoring services, but when it comes to the lingering costs, it’s not as easy to quantify the impact on brand reputation and stock prices, for example, she added.

According to Todd Feinman, CEO of Identity Finder, the path to helping minimize the costs of a data breach involves classifying data so that organizations understand where the risks are. The reality is that breaches are now a fact of life and it’s difficult to prevent all breaches from happening, he said. Taking that as a baseline, Feinman suggests that just because there is a security incident, it doesn’t necessarily have to turn into a large-scale data breach.

“If organizations want to minimize the costs of an attack or a data breach, you have to know where the sensitive data is and keep it as small a footprint as possible and make sure that it doesn’t leave the organization,” he said.

Identity Finder develops its own tool for data loss prevention called Sensitive Data Manager, which was updated this week to version 9.0. The new release includes improved data classification capabilities.

“There is no single technology, including ours, that is a silver bullet to prevent data breaches and related costs,” Feinman said. “It’s all about people, process and technology.”

The Danger of Fake Patches

We talk a lot about threats to data security on this blog, and personal experience has probably acquainted you with everything from Trojan Horses to phishing.

Here’s a particularly sneaky threat that’s becoming more and more common: fake patches.

Part of what makes them a problem is that, unlike those spam e-mails from people and companies you don’t know, fake patches can look like perfectly reasonable notices from software services or programs you’d expect to receive patches from, like Adobe or Google Chrome. The fake updates display the company logo, so they seem real enough. Just last year, in fact, hackers sent out a fake version of Java Update 11 that contained malware.

How well-equipped you are depends, not surprisingly, on the security measures you have in place. Keeping the auto-update feature on is good practice, provided your software is designed to identify incoming patches and make sure they're genuine. Even then, it's possible for malware to use a fraudulent certificate to get around an auto-update program.
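What "make sure they're genuine" looks like in an updater, and why a fraudulent certificate alone should not be enough, as an added example (not code from the original post or from any of the vendors it names): the client pins the one public key its vendor signs releases with, verifies the update manifest under that key before trusting anything else in the download, refuses older versions, and only then checks that the payload hashes to the signed digest. A patch signed with some other perfectly valid key, which is what a fraudulent certificate buys an attacker, fails the first check. The update format, the product name, the version numbers and the keys (generated fresh each run) are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the small signed record that describes an update. The layout is
// an assumption for this example, not any vendor's real update format.
type Manifest struct {
	Product string
	Version int
	SHA256  string // hex digest of the payload the manifest vouches for
}

// canonical is the exact byte string the vendor signs and the client verifies.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("%s\n%d\n%s\n", m.Product, m.Version, m.SHA256))
}

// Update is what the updater downloads: manifest, signature over it, payload.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Payload   []byte
}

var (
	ErrBadSignature = errors.New("manifest not signed by the pinned vendor key")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("update is not newer than the installed version")
	ErrHashMismatch = errors.New("payload does not match the signed digest")
)

// VerifyUpdate accepts an update only if the manifest verifies under the single
// pinned vendor key (not merely under "some valid certificate"), names this
// product, is newer than what is installed, and the payload hashes to the
// signed digest. Nothing about the payload is trusted before the signature check.
func VerifyUpdate(pinned ed25519.PublicKey, product string, installed int, u Update) error {
	if !ed25519.Verify(pinned, u.Manifest.canonical(), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Product != product {
		return ErrWrongProduct
	}
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != u.Manifest.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// signUpdate is the vendor-side step: hash the payload, sign the manifest.
func signUpdate(priv ed25519.PrivateKey, product string, version int, payload []byte) Update {
	sum := sha256.Sum256(payload)
	m := Manifest{product, version, hex.EncodeToString(sum[:])}
	return Update{m, ed25519.Sign(priv, m.canonical()), payload}
}

// Demo builds four updates against freshly generated keys (constructed for the
// example): a genuine one, one signed by an attacker's own valid key, one whose
// payload was swapped after signing, and a genuine but older version.
func Demo() (map[string]error, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	const product, installed = "example-agent", 11
	genuine := signUpdate(vendorPriv, product, 12, []byte("good build 12"))
	tampered := genuine
	tampered.Payload = []byte("something else disguised as build 12")
	return map[string]error{
		"genuine":  VerifyUpdate(vendorPub, product, installed, genuine),
		"forged":   VerifyUpdate(vendorPub, product, installed, signUpdate(attackerPriv, product, 12, []byte("fake patch"))),
		"tampered": VerifyUpdate(vendorPub, product, installed, tampered),
		"rollback": VerifyUpdate(vendorPub, product, installed, signUpdate(vendorPriv, product, 10, []byte("good build 10"))),
	}, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "forged", "tampered", "rollback"} {
		fmt.Printf("%-8s -> %v\n", name, results[name])
	}
}
```

The design choice worth noticing is that the verifier holds a key, not a certificate chain: a chain lets any CA-issued certificate with a plausible name sign an update, which is the weakness the paragraph describes, while a pinned key means only a compromise of the vendor's own signing key produces an accepted fake. The version check is the other half of the story, since replaying an old, genuinely signed build with a known flaw is as useful to an attacker as a forged one.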

There are a number of things you can do to minimize risk. Cutting down on Shadow IT and foreign software on corporate machines makes it harder for hackers to send fake patches. A robust antimalware service is another step.

But at the end of the day, just being smart and cautious goes a long way. Fake patches often look suspicious in the same way spam e-mails look suspicious. They might have misspellings or they just don’t look like a software update you’re accustomed to seeing. They might even ask you to pay for the software they’re asking you to download.

Little things like avoiding pop-ups and scanning and cleaning your computer help, too. And, as always, talk with the IT department and back up your files. Communication and stored, safe files will ensure a small problem doesn’t become a big one.

FTC: Big data and IoT spawn new data concerns

The ongoing collision of big data and the internet of things raises whole new concerns about maintaining security, privacy, and fairness of personal data, says Julie Brill, member of the Federal Trade Commission.

Brill spoke earlier this month at the Cyber Security and Privacy Summit hosted by Washington State Gov. Jay Inslee.

“The data from connected devices will be deeply personal, and big data analytics will make the data more readily actionable,” said Brill. “Some of these devices will handle deeply sensitive information about our health, our homes, and our families. Some will be linked to our financial accounts, and some to our email accounts.”

However, she added that people won’t change much.

“We as individuals will remain roughly the same. We will not suddenly become capable of keeping track of dozens or hundreds of streams of our data, peering into the depths of algorithmic decision-making engines, or spotting security flaws in the countless devices and pieces of software that will surround us,” she warned.

Faced with a world of uncertainty about which devices are safe and whether they are getting a fair shake in the big data world, Brill continued, "consumers could use some help."

Major inroads possible into our lives

This rapidly evolving environment raises issues that have yet to be resolved. Brill divided the issues into the three areas of security, privacy, and fairness:

1. Security

“Because these connected devices are linked to the physical world, device security also is a top concern,” she said. To wit:

No armor. Of the 90% of connected devices that are collecting personal information, 70% transmit the data without encryption.

No expertise or recognition. Traditional goods manufacturers may not have the expertise, or even realize they need such expertise, to secure their new devices.

Cheap as dirt. Many connected devices will be inexpensive and essentially disposable.

Just because the plug fits … Security vulnerabilities may be hidden deep in the code that runs an app or device, which may not become apparent until it is connected to an environment for which it wasn’t designed.

“All of these factors point to the need to take an all-hands-on-deck approach to data security, with security researchers playing an important role in bringing security flaws to light,” Brill said.

2. Privacy

“Consumers want to know—and should be able to easily find out—what information companies are collecting, where they’re sending it, and how they’re using it,” said Brill. She said that information plays an important part in consumers’ decisions about whether to use digital products and services in the first place.

However, obstacles have emerged:

Didn’t know they were watching. Many companies, including data brokers, ad networks, and analytics firms operate in the background with consumer data.

Devices give no clues. Many connected devices do not have a user interface to present information to consumers about data collection.

Queries not answered. Questions have arisen about who should receive disclosures about data collection and use practices; how would consumers or innocent bystanders know when a device is recording images or audio; and how will the collected data be secured.

Brill said that manufacturers of connected devices should recognize that providing transparency will require some creative thinking.

“Visual and auditory cues, and immersive apps and websites should be employed to describe to consumers, in a meaningful and relatively simple way, the nature of the information being collected … and provide consumers with choices,” Brill said.

3. Fairness

Certain data brokers assemble individual profiles on consumers from various sources which are used for marketing practices.

On such firms specifically, Brill said that “while this kind of information can be used for relatively benign purposes, or even in ways that will enhance financial inclusion, this kind of information has also been used to harm vulnerable consumers.”

Again, pairing big data with internet of things in this area creates new concerns:

Credit scores used beyond credit world. The use of scores, such as credit scores, can go beyond decisions about mortgages, for example, to other major decisions such as whether a prospective employer would extend a job offer to a given applicant, or whether insurance companies would charge higher premiums on auto or homeowners insurance.

Scores grown outside the regulatory zone. The use of many different types of scores has proliferated to make eligibility determinations covered by the Fair Credit Reporting Act, yet they haven’t yet been subject to the same kind of scrutiny that Congress and federal agencies have brought to bear on traditional credit scores.

It all happens in a black box. Scoring algorithms and other forms of big data analytics rely on statistical models and data system designs that few on the outside understand in detail.

“This suggests that testing the effects of big data analytics may be a promising way to go,” Brill said, adding that “companies using scoring models should themselves do more to determine whether their own data analytics result in unfair, unethical, or discriminatory effects on consumers.”

In summary she says, “For now, the rapid changes in big data analytics and the internet of things have made it difficult to meet some of these expectations in practice. The key point, however, is that these are the enduring expectations of consumers, rather than relics of a simpler world.”

That was the year that was – A review of 2015 in Legal and Legal IT

To wrap up 2015 I thought I’d post a review of the Legal and Legal IT news throughout the year.

One of the big trends across law firms this year has been mergers, and the number of mergers and consolidations in the industry continued to rise throughout 2015.

Dentons has been the major news story as its huge growth continued through the year: we had the Dacheng merger in January, talk of McKenna Long & Aldridge joining in April, and discussions with Singapore's Rodyk & Davidson and Australia's Gadens about tie-ups in November, leaving a firm at the end of the year with a possible headcount of a massive 7,000 lawyers. Other large firms continued to grow this year, with DLA Piper entering Canada in March and White & Case planning to boost its City lawyer count by over 40% as it put London and New York at the heart of a new strategy in November. BigLaw doesn't seem to cover these firms anymore. MegaLaw?

Some mergers don't come off, though: in November Eversheds and Foley & Lardner broke off merger talks that could have created a £815m ($1.25bn) revenue transatlantic firm. And there were growing pains elsewhere: in November, Norton Rose Fulbright's management looked to reconnect with City partners after years of rapid overseas expansion. But still this didn't stop the merger talk, and in November Irwin Mitchell and Thomas Eggar unveiled merger plans.

It seems the final shackles of the financial crisis were thrown off in 2015 as growth was back on the cards, or at least in the published figures; so although the industry is still under pressure from clients, that pressure doesn’t seem to have affected the bottom line. Growth numbers look pretty good against most western economies, with 4%, 6% and even 7% rises in revenue across law firms according to a Deloitte survey in March. By December the Deloitte survey was still predicting firm fee income rises of nearly 5% for Q2 of 2015-16. Impressive numbers.

PEP (Profits Per Equity Partner) was also on the up and into double figures in some firms, with 11% and 12% rises coming through in the March figures. BLP posted a 22% PEP rise in June! But not everywhere was rosy: some markets are clearly still ultra-competitive, and this saw Hill Dickinson and Holman Fenwick both take revenue and PEP hits, as did DWF, whose PEP slid 21% while revenue stayed broadly flat in the August figures.

The good times saw the top firms battle for the best associate pay rise around April/May, with 7% at Linklaters, 8% at Ashurst and 10% at Slaughter and May. White & Case then trumped them all in June with a 20% rise in London associate pay! Not to be outdone, in December Slaughter and May associates were in line for bonuses of up to 16% as firms also bumped up rewards.

Was this all driven by a growth in client demand? Possibly: in London, for example, back in February TfL announced a rise in legal spend this year, the first in four years, and the Greater London Authority doubled its spend. But I also suspect a hard look at costs helped firms’ profits in 2015. Freshfields started consultation on a low-cost base in Manchester in February and announced further centers in June to create a global network of centers. White & Case mulled opening European support centers in November. And DLA Piper launched a low-cost services center in Warsaw this November, its third such center alongside one in the US and one in Leeds.

Law firms were also looking at growing their business in other ways, putting paid to a few speakers’ talks in 2016? Dentons launched a tech investment arm (NextLaw Labs) in May. There were moves into the contract lawyer space in June as DLA Piper and Addleshaws entered the contract lawyer market with new ventures. DWF also launched contract lawyer, support center and consulting offerings in June. And finally, to top off a changing market, KPMG boosted its UK legal capability with a Birmingham launch in September.

Quite an eventful year for law firms in general, what about the Legal IT side of things?

Starting with the stalwarts of Legal IT, Document Management (DMS) and Finance systems.

Back in January SharePoint was on the agenda again as a possible DMS in law firms, with Microsoft pushing Matter Centre; by the end of the year, though, it was an open source product. HP Worksite became iManage again with a management buyout, and we saw energy back in the firm after many years of being part of a monolith. And Netdocuments continued to grow market share and cloud coverage with European and Australian datacenters.

In the finance arena the column inches were mainly full of Elite v Aderant, but in September Baker & McKenzie became the first global law firm to go live with the latest version of the SAP ERP system.

Elsewhere, legal project management (LPM) is clearly on the move, with a number of products offering support for the discipline, Umbria and Cael for example. Strange that in the legal press itself LPM wasn’t hitting the headlines despite strong take-up by law firms and interest from clients! Proof again, perhaps, that contrary to the press and conferences, law firms are quietly getting on with new ways to grow the business?

I couldn’t review this year without mentioning AI (Artificial Intelligence), a marketing team’s dream with a whole new “disruptive” technology campaign. 2015 was definitely hello AI, goodbye cloud in the Legal IT zeitgeist. The start of summer saw RAVN launch ACE, and by mid-September Berwin Leighton Paisner confirmed that it had become the first law firm to sign up to RAVN’s Applied Cognitive Engine. US legal tech start-up eBrevia launched its own AI offering, and Clifford Chance joined the growing number of City firms working with IBM Watson. September saw the BBC focus on Intelligent Machines and Riverview Law acquire a US tech business to advance the use of AI in the legal market, and AI went mainstream as LexisNexis acquired Lex Machina in November and December.

The fact that cloud is now out of the news could mean that it is finally maturing and starting to take off: Netdocuments saw growth, and Hill Dickinson kicked off a three-to-five-year IT strategy review that is expected to see a significant further shift towards the cloud.

Document automation was back in the news and is becoming more commonplace across the UK. In September Ashurst became the latest City law firm to sign up with Business Integrity’s ContractExpress solution to automate its legal precedents globally and across all practice areas. And at Clifford Chance in March, two finance lawyers with coding expertise were hired to design a template allowing banking clients to generate their own documents.

Social Media in law firms was in the news in summer as DLA Piper discussed the launch of their internal platform Grapevine.

My final thought for the Legal IT world in 2015 is: where is the big push into mobility, business support workflow and the “standard IT” that supports lawyers? Law firms are definitely looking at this, but what about the Legal IT vendors? Some show hints of the above and that they’re starting to get it. Will this be the real news in 2016, or will the marketing teams win and continue to sell us the promise of a disruptive world and robots replacing lawyers?

 

A big thank you to Legal Week, Legal IT Insider, ILTA and Legal IT Professionals, invaluable resources in researching the news from 2015 for this blog post!

Continued Breaches Show Dropbox Not Secure Enough for Small Businesses


I’m just going to come out and say it: Dropbox on its own is not secure enough for businesses. Bugs and open doors leave sensitive files open for viewing, and who knows what can happen if your confidential information falls into the wrong hands. If you’re sharing files with coworkers via Dropbox links, cease and desist! You are potentially leaving your files open to the masses.

Problem
Dropbox is currently the top dedicated cloud storage provider, having hit 200 million users back in November 2013. Unfortunately for business users, Dropbox is also a prime target for hackers and thieves. Remember when hackers claimed to hold 7 million Dropbox passwords ransom? (Dropbox said those credentials had been stolen from other services and were simply being replayed against Dropbox accounts, which is precisely why a password must never be reused across services.) Not only is Dropbox prone to cyber-attacks, but it also suffers from bugs and open doors. In October 2014, Dropbox released an update with a bug that deleted user files, making backup on Dropbox inadequate for business. File deletion!? Then what’s the point of storing files in the cloud anyway?

Prior to this incident, Intralinks, a cloud-based file-sharing vendor, found that Dropbox users were unknowingly allowing private data to be read by third parties because their shared links were being exposed to search engines. Links you shared with colleagues could end up indexed by Google, Yahoo! and Bing, and if a competitor searched for a matching keyword, they could click through and open your files without your knowing. The underlying problem is that a Dropbox share link is a bearer credential: whoever holds the URL gets the file, with no login required, so any channel that leaks the URL (a search index, a referrer header, a forwarded email) leaks the document. As you can see, saving sensitive company information with Dropbox offers significant risk for business users.

Challenge
Many employees already use Dropbox to quickly store company files, and the more employees who do, the more exposed the company is to information leaks. Although Dropbox encrypts your files at rest on its servers, that is not enough to protect them in a breach, because Dropbox generates and controls the encryption keys: anyone who compromises Dropbox, or any Dropbox system with access to those keys, can read your plaintext. Dropbox already decrypts your files to render previews, which shows that the service, not you, holds the keys. Dropbox has even changed its privacy terms to give itself the right to share data collected from your files. Depending on the sensitivity of your data, you may want to encrypt it with third-party software on your own machine before it ever reaches the Dropbox cloud, keeping the key outside the synced folder. This lets you keep the convenience and value of Dropbox’s sync without handing the provider readable copies of your files; the trade-off is that previews and search inside Dropbox no longer work on those files.
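As an added illustration of what “encrypt before it reaches the cloud” looks like in practice (this is example code written for this post, not Dropbox’s software or any particular third-party product), the Go program below seals a file with AES-256-GCM under a key that never leaves the user’s machine, and binds the file’s path inside the synced folder into the authentication tag so a ciphertext that is copied into a shared folder or modified on the server is rejected instead of silently decrypting. The key store, the folder path and the sample payroll data are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewFileKey returns a fresh 256-bit AES key. In a real deployment the key
// would be generated once and kept outside the synced folder (OS keychain,
// hardware token); it must never sit in Dropbox next to the ciphertext.
// (Assumption for this example: key storage is out of scope.)
func NewFileKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM before the sync client sees it.
// The file's path inside the synced folder is bound as associated data, so
// the same blob renamed or moved to another folder will not decrypt there.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func Seal(key []byte, path string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce slice.
	return gcm.Seal(nonce, nonce, plaintext, []byte(path)), nil
}

// Open reverses Seal. Any change to the blob, a different key, or a path
// that differs from the one used at Seal time fails the tag check and
// returns an error rather than corrupted plaintext.
func Open(key []byte, path string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(path))
}

func main() {
	key, err := NewFileKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document and the path where its ciphertext will
	// live inside the Dropbox folder (assumed layout).
	const path = "Dropbox/Finance/payroll-q3.csv"
	plaintext := []byte("employee,salary\nalice,91000\nbob,87000\n")

	blob, _ := Seal(key, path, plaintext)
	fmt.Printf("stored %d bytes of ciphertext for %s\n", len(blob), path)

	// Normal read-back by the key holder.
	if pt, err := Open(key, path, blob); err == nil {
		fmt.Printf("decrypted header: %q\n", pt[:15])
	}

	// The same blob dropped into a shared folder under another name.
	if _, err := Open(key, "Dropbox/Public/payroll-q3.csv", blob); err != nil {
		fmt.Println("moved copy rejected:", err)
	}

	// A single flipped bit in the synced file is caught by the GCM tag.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, path, tampered); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
}
```

Run it with `go run`. Because Dropbox only ever receives the output of Seal, a breach of its servers, a leaked share link or a search-engine index exposes ciphertext rather than the document, and a blob that is renamed, moved into a shared folder or altered on the server fails the tag check instead of quietly decrypting. The costs are the ones mentioned above: Dropbox previews and search no longer work on these files, and losing the key means losing the data, so the key needs its own backup somewhere other than Dropbox.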