Consilio has long been known as a global expert in eDiscovery and document review services. Increasingly, and not least since its acquisition of Huron Legal last year, it is extending its reach into the wider field of law firm and corporate information management with a particular eye on the risks inherent in holding data.
Although there is no evidence yet as to the cause of the Panama Papers leak (or hack), the incident has focused attention on these risks, which makes it a good time for Consilio to publish the results of a survey which it undertook earlier this year.
The findings are set out helpfully in a graphic headed “Cloud-based data security risks thrive in the workplace” and are summarised also in a parallel press release called “Inadvertent disclosure of sensitive data is greatest risk of cloud-based applications, Consilio survey finds”.
The survey responses were collected from law firms, in-house legal departments and government-affiliated entities who were asked a range of questions – about the level of their concern at potential security risk from cloud-based applications, about the frequency with which data collected for legal or investigation matters is stored in the cloud, about the importance of migration of company data to the cloud, and about the extent to which companies were addressing security risks.
The results yield interesting potential collisions. Data is increasingly being moved to the cloud both for everyday corporate matters and for the conduct of investigations and yet 64% of the respondents said that “inadvertent disclosure of sensitive data” is the biggest risk of using cloud-based applications.
If that is a problem where data is moved as part of a process sanctioned and controlled by IT and security departments, it is very much more a problem where cloud application use is informal and unsanctioned. John Loveland, managing director at Consilio, said that the usage has “vastly outpaced the risk and compliance measures needed to adequately manage risk for the protection of intellectual property, compliance, data privacy, records retention, among others”.
Obvious risks include theft of intellectual property, regulatory and compliance failures and the inability to identify relevant data for discovery. Put at its simplest, if an organisation does not even know that it has data, how can it protect it and fulfil its obligations in relation to it?
One of the particular subjects covered by the survey is what is known as “shadow IT”, that is, hardware or software used within an enterprise that is not supported or administered by the IT department.
While the focus at the moment may be on terabytes of data such as those lost by the Panamanian law firm, there is as much potential danger in the loss or misuse of relatively small pieces of information. Documents copied to Dropbox for convenience, a loosely-worded post on Facebook or a LinkedIn link with the wrong stranger are everyday examples of uncontrolled and potentially damaging software use. A laptop left in a cab or left open in a public place is an all too common example of a failing in respect of hardware.
I cannot now remember who first described law firms as “the soft underbelly of cyber security risk” but it is an apt phrase. Organisations need to be thinking at two levels here: one is the acquisition and rolling out of enterprise-wide hardware and software protection designed to prevent incursions where possible and to identify and track them where not; the other is the much more mundane business of devising policies aimed at eliminating human failure and inadvertent breach by careless employees.
The Consilio survey shows both that the problem is growing and that awareness of it is increasing. Now for the next step….