James Elmer is an IT consultant with over 28 years of experience and is known for his collaborative, innovative and commercial approach to improve the efficiency and effectiveness of technology for business benefit. He will be one of the keynote speakers at Securing the Law Firm in London on January 25, 2018. We caught up with him ahead of the event to hear about his wide-spanning career, his take on the evolution of cyber security, and his advice for managing the varied and complicated risks to the modern-day law firm.
Thanks so much for taking the time to talk to us today. Can you please tell us a bit about yourself and your professional story?
I am a child of the ZX81 era and my early IT experiences include hacking my school network and servers (for which I earned a week of lunchtime detentions). My corporate IT career started by converting Kalamazoo accounts ledgers into Lotus 123 spreadsheets and a bit of SAS coding. I have now been in IT for professional services for 28 years, spanning insurance, fund management, property and legal. I have worked in support, training, market data systems, infrastructure, projects, management, and now consultancy.
How has the security landscape changed and evolved throughout your career?
The evolution of IT and information security has moved in-line with the realisation that data is an extremely valuable commodity that needs protecting. When I started out in IT in 1989, there were very few malicious actors. As systems became connected to each other and the outside world, so grew the risk of unauthorised access. Throughout the ‘90s we started to see a rise in attempts to infiltrate systems to gain access to information and to alter systems to move and steal money. With the creation of the World Wide Web in 1990, people could remotely connect to and potentially attack systems. In the early ‘00s, the breadth, depth and complexity of threats grew considerably and people were trying to destroy information and compromise government agencies and large organisations. We started to see a change in attacker profile from the lone-operating ‘geek’ to highly organised, possibly state-backed, teams of hackers.
More positively, as these threats have grown, we now see a healthy market of IT security suppliers, experts and consultants offering cyber security solutions, from perimeter and endpoint security to everything in-between. The importance of information security these days drives innovation to the extent that a well-known document management system uses quantum physics randomisation to encrypt data, as opposed to software-based randomisation relying on decipherable algorithms.
We also see clients demanding more and more from firms on how data is secured, accessed and disposed of. Everyone is sharpening up to fight the threats.
You have a unique insight into the challenges facing law firms from an IT perspective, both as a Director of IT and now as a consultant. What do you feel are the most pressing IT issues for law firms, especially when it comes to security?
I think the challenges facing firms at the moment are three-fold and involve ensuring that: 1. Tools are configured properly and regularly maintained to provide the best level of protection possible; 2. Processes are relevant, operated at appropriate frequency and having results reviewed for opportunities to improve; 3. Awareness programmes are thorough, delivered frequently and kept current.
The cyber threat landscape is constantly evolving, both in terms of threat actors and methods. Are there any threats you feel are unique to the legal industry, and what would be your advice for addressing them?
Threats to the legal industry aren’t different to other industries – attackers want money and they will attempt to get it in a simple way or a complex way. What’s different is that attackers have woken up to the fact that law firms handle considerable amounts of money for their clients, hold valuable and confidential data, and are reliant on their reputation. As a result, the legal industry is simply being targeted more often than before.
When it comes to the types of attacks we see in law firms, the general theme is that attackers are exploiting a potential lack of awareness amongst time-poor employees. Phishing and whaling succeeds when busy, pressurised people overlook obvious signs of a dubious email. It’s the same with ransomware – someone in a hurry is more likely to click on a well-disguised link, which could contain malicious content.
What advice would you offer CISOs in terms of how to best convey their findings and expertise to those who are not necessarily technically minded?
Communication is key. CISOs need to use appropriate language and appropriate means – such as the company intranet, speaking slots in business team meetings, posters in dwell areas, breakfast presentations and so on – to increase awareness of threats and risks. Utilising well-documented examples of past attacks on other businesses can help to highlight the potential risks to their own. CISOs need to take a risk-based approach by engaging with the business to make appropriate recommendations. They should also collaborate with IT managers when suggesting changes to operational processes, as well as speak with each other to share information about emerging threats. You don’t have to do it alone!
What do you feel will be the most pressing security issues for law firms in the coming year?
We will see a continuation of phishing and whaling, but with much improved accuracy and targeted at large firms with global operations where people might not know each other and may, in the heat of the moment, act as requested in an email. In addition:
- There will be more ransomware attempts as the coding evolves.
- Mobile devices will attract ‘attention’ in response to the sustained increase in flexible working, rather than sitting at a desk using a PC on a corporate network.
- Maintaining and delivering awareness material and encouraging people to operate in a security-conscious way will continue to be a challenge, especially when serving demanding clients.
- The huge growth of the ‘Internet of Things’, ‘connected’ devices for homes and offices, brings new risks, such as capturing conversations.
- Cryptocurrencies may increasingly be a target for attackers to make money.
As an IT consultant, how are you helping organizations manage acceptable levels of risk? How would you define acceptable risk?
I’m helping firms to take a fresh look at their cyber protection systems, processes, and awareness material to help them to evolve and develop a continuous improvement approach.
The bar of acceptable risk has risen in line with the growth in the variety of attack methods. You cannot assume that systems are protecting the firm, that processes are right and being operated, and that awareness material is being read and digested. You must know for certain that everything is as it should be and be prepared to offer evidence to your own management team, your clients and auditors to support that.
We’re looking forward to having you as a keynote speaker at Securing the Law Firm. What can we expect from your talk?
The key themes of my talk will be continuous improvement, embracing change and using a collaborative approach.
Find out more about James Elmer on LinkedIn.