Death by email

Forward-thinking lawyers can turn email security to advantage with a simple web hosting package and log-in database

The Journal, June 2004, page 32

All involved with lawyers’ use of technology recognise a sad but limiting truth. They are only interested if they can see a clear benefit in terms of improved efficiency. And “efficiency” is defined strictly: increase fees or reduce overheads. The Law Society of Scotland’s PKI project, Lawseal, recently foundered, in my view, as a result of professional apathy. After months of marketing hype and promotional material we were informed that Lawseal had to be abandoned as there was “unlikely to be sufficient demand to launch the product”.

Lawyers were being encouraged to use PKI as it was groundbreaking and secure. Incorporating PKI into their methods of working would mean that they would no longer leave sensitive information contained in an email vulnerable to interception and that they could verify the identity of the sender.

Fatally, there was no mention of how PKI would improve their fees and reduce overheads. It was perceived as an onerous application which would require time to get used to; something that could be left until it was absolutely unavoidable. This is why I believe the PKI project failed.

For secure technology to get on the agenda at partnership meetings it has to perform a role secondary to efficiency. “The proposed development can do x, y and z to reduce overheads and increase fees. By the way, it is also secure.”

Blessing in disguise?

The failure of Lawseal could be viewed as a short term blessing for future secure communication projects. In a letter published in the Journal in December 2002, I quoted statistics from Ferris Research, which stated that staff can spend up to four hours per day composing and reading emails. Under the Society’s PKI project, a user would encrypt an email/document using his or her private key. The encrypted email/document would then be decrypted by the recipient, using the sender’s public key. The problem, as far as I saw it, was that encrypted emails could not be virus checked until they had been unencrypted (i.e. opened). By that stage the virus payload, whatever it might be, would be free.

Judging by the sheer number of virus-ridden emails which I have received lately, purporting to come from individuals in law firms and/or regulatory bodies, the virus checking measures and email policies presently in place would not be sufficient to ensure that encrypted emails are virus free. The integrity of the PKI project relied upon the existence of a mutual belief that parties involved in the scheme would be sufficiently well versed in the approach to be taken when opening emails with attachments. At this stage, such trust cannot exist. Users continue to double click attachments on emails as and when they arrive, irrespective of the file extensions and uncharacteristic sender messages.

Reliance on email as a method of communication is widespread: popular in large, medium sized and small practices. But digital infections have hit an all time high.

In January 2003 the Slammer worm infected nearly 75,000 servers in 10 minutes. In the summer a flaw in Windows was exploited by the Blaster worm and this was followed swiftly by the Sobig.F virus. That virus moved so quickly that at one stage one message out of every 17 was a copy of the virus.

In late January 2004 one out of every five email messages was a copy of the Mydoom.A virus.

The UK security company mi2g recently estimated the worldwide economic damage caused by the Netsky.B worm to be at least $3.12bn.

Who cares about security?

It could be concluded from the apathy displayed towards the Society’s Lawseal project that communication security is an issue which law firms consider relatively unimportant. A simple explanation for this may be that their clients have not pressed them about it.

When a “network worm” collapses a client’s network as a result of an email emanating from your firm’s i.p. address, secure communication may move up the priority list.

I truly believe that this general apathy represents an opportunity for progressive firms, of all sizes, to look at how they communicate with their clients in general and to factor in communication security as part of their overall IT strategy. Doing so can mark you out from the mass of other, less stringent firms.

Some may suggest that communication security can only be the domain of larger practices due to the costs inherent in IT development, but this is untrue. The costs involved are not great.

Firms already use extranet technology to bring clients to them. As well as creating an image of superior service for the client, it transfers communication and printing overheads from the firm to the client.

Adding information to your website, or issuing an email newsletter for example, is all well and good. The trick is to issue the newsletters, or indeed general email correspondence, in such a way that they only contain a part of the information which the recipient wants to read. To access the rest of the information they are required to click on a link contained within the email and access the area of your site where the information is hosted.

Using one of the many basic web hosting packages available will mean that, already, you are beginning to gather user information on your clients and you can use this information to tailor further services. You are also beginning to get your clients used to coming to you. A recent hosting account that I opened for a client, at a cost of £89 per year, offers free weekly reports detailing: daily, weekly and monthly statistics, visitor host details, site referrer details, user agents and geographical access.

Showing you mean business

By adding a basic database to your site and a user login script, very quickly, internal staff will be able to create client users, articles and content sections. Information, requests, cases or updates on particular items of interest can be disseminated at the click of a button. The difference is that the content, or documents, are not contained within, or attached to an email. The email only contains a link to the login page. The recipient clicks on the link, logs into the site, enters the secure area and downloads the relevant files. This will not take much longer than the client actually receiving an email with an attachment and is far less likely to result in the transfer of viruses or worms.

Additionally clients will probably not open an email, with an attachment, purporting to come from you when your emails generally have the same subject heading and never contain attachments.

Usernames and passwords can be via letter or during a face-to-face meeting.

Bring the client to you! Using web analysis reports together with username and password functionality means that you can start to use your website properly. At the same time you are beginning to decrease the vulnerabilities you expose yourself to by relying so heavily on email.

Your clients will begin to believe that they are receiving services from a firm not only committed to the use of technology, but also committed to risk avoidance.