TLOMA Today

The Business Services Compensation Survey and the Associate Compensation Survey are live.

Participate now and get a free access to the Merit Increase Survey report!

Due to the challenges brought by COVID-19, the questionnaire submission deadline has been postponed to June 12, 2020. While the economy remains uncertain these days, the Merit Increase Survey will be postponed until further notice.

The 2020 surveys feature; 

• Optimized questionnaires, including all the relevant information required for participation
• Enhanced job level descriptions to simplify the job matching process
• Condensed report layouts
• Secure online platform from which you can retrieve all the necessary documents to complete the surveys and download the results

For more information about the surveys or to confirm your participation, please contact Normandin Beaudry at tloma@nbac.ca.

You may also refer to the 2020 TLOMA Compensation Surveys Pricing Structure for more information.  

We look forward to your participation! 

I have a new view today.  Office view, I mean.  The last 10 weeks have had me cooped up in my “office” at the back of my house.  Trying to keep the door shut to drown out the kids, dogs and hubby’s conference calls (is it just my spouse that doesn’t understand you don’t need to YELL when on a conference or Zoom call?), however, hungry children never let a closed door stop them 😉 

With the weather finally getting warmer, I have moved my “office” to my backyard patio.  Being outside, in the fresh air (and just out of the house period) is such a nice change of not only scenery but also a great boost to my mindset.

Speaking about warmer weather, I have some exciting news to share about TLOMAToday. Normally this would be my last message until September, as TLOMAToday usually gets summer vacation. However, we have had such an abundance of articles received for TLOMAToday, that we decided to do a bonus Summer Edition this year.  Thank you to everyone for sharing their knowledge and ideas, keep it up!  If you are interested in contributing to this additional issue, please contact Mary DaRosa. 

A communication was sent out a couple of weeks ago about the Best of TLOMA Award.  Given the current pandemic, we are adding a new twist considering the challenging times we are living in.  We are welcoming COVID-19 related content including articles, helpful tips, and/or memes – anything to inject humour into our lives!  I’ve included one that gave me a good chuckle here:

Get your nominations in!

I would also like to encourage all firms to participate in the compensation survey, even if your firm is not purchasing a survey this year.  It is important to have consistent data.  The deadline to complete the survey has been extended to June 12, 2020.  For more information or questions about the compensation survey, please contact tloma@nbac.ca. 

Lastly, I would like to remind everyone that the Nominating Committee has started the process to recruit 2021 Board and non-Board vacant positions. If you ever felt a calling to volunteer – now is your time!  Contact me, Karen or any one of the current Board Members and we would be happy to answer any questions you may have.  Feel free to reach out!

Here’s a list of our upcoming webinars!  Don’t forget to register!

Jun 10, 2020 - TLOMA Technology SIG - The Data Driven Law Firm: Succeeding In An Experience-Driven World

Jun 19, 2020 - TLOMA Marketing SIG - Professional Social Media - Organic and Paid

Jun 26, 2020 - TLOMA Facilities SIG - The Real Estate Market and What to Expect Once We Return Back to Work

Aug 27, 2020 - TLOMA Facilities SIG - The Undiscovered Power of Unwritten Rules

As I sign off today, I am thankful for the sunshine and fresh air that has helped boost my mood and mental well-being. 

“To plant a garden is to believe in tomorrow” – Audrey Hepburn.

The COVID-19 pandemic has changed nearly every aspect of our lives, including how we socialize, shop, exercise and work. As governments implemented quarantine and social distancing measures to prevent the spread of the virus, businesses moved to a virtual work model. Working from home, accessing company documents remotely and attending virtual meetings became part of the new reality.

Due to the urgent need to accommodate remote workers, organizations had to provide access to internal networks and in many cases, overlooked adequate security measures and user training. The emphasis was on speed instead of security.

Unfortunately, cyber criminals have taken advantage of this situation. The industry is seeing a 600% increase in phishing and end point device attacks. While this may be manageable for some organizations in the short-term, it significantly increases the risk of a breach affecting the confidentiality, integrity and availability of sensitive information.

How can organizations maintain security while working remotely?

Maintaining appropriate levels of security is a challenge with an anytime/anywhere/any network type of employee. Working from home introduces new challenges when it comes to identity and access management, physical security, unsecured remote networks and infected systems.

The good news is there are strategies organizations can adopt to improve their security posture:

1/ Establish Shared Responsibility

It's important to communicate that every employee has a role to play in ensuring ongoing security of the organization's operations, data and resources. A vigilant mindset is required. Cyber criminals monitor industry trends and devise new scams or social engineering tactics that continuously adapt to an evolving landscape.

Providing additional security awareness training and performing simulated phishing attacks are great ways to arm remote workers with the knowledge required to combat new threats.

2/ Implement Layered Security

Allowing remote connectivity often requires allowing additional access on the corporate network or exposing applications publicly. This increases the surface available to attackers. Additional controls should be implemented to protect sensitive data, including:

• Secure VPN connectivity with adequate access controls to encrypt data in transit
• Multi-factor authentication for externally accessible and critical business applications
• Next-generation end point protection products to protect against zero-day attacks and ransomware.
• End point data backups to minimize impact of accidental data deletion, corruption or hardware failure.

3/ Security Testing and Anomaly Monitoring

With IT infrastructures becoming more and more complicated, the importance of regular security assessments and user activity monitoring cannot be understated, particularly during these unprecedented times. Systems and applications are often rushed to production without properly evaluating the security implications. The following programs can protect your organization from cyber threats:

• Vulnerability Assessment - a vulnerability scan identifies and qualifies security issues. It is designed to yield a prioritized list of vulnerabilities and, more importantly, key recommendations to mitigate risks and improve the overall security posture of an organization.
  
  
• Penetration Testing - penetration testing takes a vulnerability assessment to the next level. In addition to identifying vulnerabilities, the assessor attempts to exploit these vulnerabilities to gain privileged access to a system, network or application. This simulates a real-world scenario and outlines how an external attacker would gain access to the network and steal sensitive information.
  
  
• Anomaly Monitoring - most organizations lack in-depth visibility into their networks and usage patterns. Modern attacks are very clever. They mimic legitimate user activity making them extremely hard to detect using traditional methods. Organizations that implement Anomaly Monitoring are much better equipped to identify and handle malicious activity and threats.
  
  

During these uncertain times, organizations have been under pressure to remain fully functional and productive under challenging conditions. With the majority of employees working remotely, the threat of security breaches and loss of company information has never been more prevalent. By adopting these IT security strategies, organizations can ensure business continuity while keeping their employees safe in the “new normal” working environment.

As provinces make plans to reopen the economy through a phased approach, many of you have questions about how this is all going to work.  While we all want to snap our fingers and wake up from the bad dream that is the COVID-19 pandemic, it is foolish to think that we can just go back to how things once were.

The term “new normal” is being thrown around and as cliche as it sounds, it’s as accurate as we can be.  What is now normal and what will be normal will be new in many ways.  There will be some fundamental changes to how we live our personal, social and working lives.

There are many obvious things that will need to happen to ensure everyone’s safety in the workplace.  In theory, ensuring physical distancing is easy to achieve; make sure everyone’s spread out.  In practice, this is a new challenge since established offices have people situated to maximize use of available office space. 

Here are some points to consider as you make your Return To Work plan for your office:

• Continued remote work
  • Team members who can effectively perform job duties remotely should continue to work remotely as long as possible.
  • Schedule a couple days every so often for in-person meetings if necessary
    
    

• Split teams
  • Consider splitting your teams up so there is a 50/50 rotating schedule where only 50% of your team is in the office at any given time
    
    

• In office physical distancing
  • Consider keeping a full desk space between team members.This is difficult since, if everyone is in the office, it’s not possible to double the amount of space you have, hence the importance of continued remote work and split teams
    
    
• Common areas:
  • Limit the number of employees in common areas (kitchen, copy room, etc.)
    
    
• Video-meetings, video-calls, etc.
  • Leverage these tools to your advantage to have “face-to-face” meetings in the most safe manner possible
    
    
• Consider additional physical safety measures like:
  • Plexiglass partitions between desks and walkways/halls
  • Virtual reception areas, if in-office visitors are absolutely required
    • These should be transitioned to video-conferencing as much as possible
      
      
• Company social events
  • Unfortunately these should be on hold for now
    
    
• Cleaning and Disinfection
  • Provide your team with access to hand sanitizer
  • Increased frequency of sanitation for high traffic areas such as door handles, buttons,
  • Encourage your team members to wash their hands frequently
  • Ensure a stable supply of cleaning products.
    
    
• Personal Protective Equipment (PPE)
  • If your team members absolutely MUST meet with clients in person, provide them with masks and ensure the meeting takes place where they can maintain physical distancing.
    
    
• Team building events
  • There are companies providing virtual group health and wellness sessions now.
  • These serve both as team building events AND help your team stay healthy and connected while working remotely.
    
    

Ultimately what will dictate the success of your return-to-work plan is the same thing that plays an integral role in all successful organizations: GREAT COMMUNICATION. 

The Best Approach:

Talk to your teams and managers to get their input, gauge their comfort levels and see what they suggest for returning to work and re-opening your office.  Giving everyone a voice and input in this company-wide decision will keep your team unified in your approach to re-opening your office and working together to keep everyone healthy.

During this time of pandemic compliance, please don’t become invisible and fall off the business radar.

Keep meeting, but make it virtual:  Lockdown doesn’t have to mean locked out.  Right now, the idea of business networking might feel like an impossible, even outlandish task. However, if you keep an eye on your end-game, being proactive, resilient and resourceful now will place you in a stronger position when we all cautiously get back to business-as-unusual later this year.

Conferences, seminars and events have evaporated from calendars. Meeting prospects, referral sources or clients for breakfast, lunch or a drink won’t happen any time soon.  Here’s how to be creative and use this unique lockdown period to maintain and expand your professional network.

How many years have you worked to build up your business network to where it is today? Please don’t let it start to rust.

Do Not Underestimate The Impact Of A Phone Call: Business/Social connections need to be continually reinforced to be long-lasting. Here is a suggested strategy: Set aside up to 30 minutes each day to focus on connecting those contacts with whom you are not currently engaged on active files. Every Monday morning identify a specific group of individuals you plan to reach out to.  What about your partners and other lawyers at your own firm? When was the last time you even said “Hi!” to them? Add the identified names, one or two per day over the week, to your Outlook or any other calendar you might be using. For each contact, think briefly what you intend to say. You have options - Email, Twitter, Facebook or LinkedIn.  Try the phone. Remember you are not seeking to engage in a deep and lengthy discussion. You are both sitting in isolation, perhaps with the children and or pets roaming the house. ‘Work’ is no longer the social event to which you commute every day.

It’s Been A While. How Should I Start? : Always have a contact Objective in mind: Why am I calling? What do I want to accomplish with this single email or phone call? This will set clear parameters for you and keep you on track and on time. This lockdown is a universal and very unifying situation. Maybe start by checking in with how they, their families and their colleagues are coping with the situation. Then segue into how they are adjusting from a professional perspective, and share something that you have discovered that has been useful for you in your workday. If you feel that it might not be appropriate to discuss professional matters, be a good listener. We’re living through a period where some business and professional protocols are being rewritten.

LinkedIn: Before you start, take a critical look at your profile and fix it! Have you explored the networking opportunities afforded by LinkedIn? Filter your search to find relevant people, groups or companies based on name, location, industry, issue etc. There is a common purpose to being on LinkedIn - to connect. So don’t be reticent about reaching out to interesting individuals. 

Pursue Prospects at Virtual Events: These are the most recent type of networking on my list. This is a direct alternative to in-person networking events whilst we are in lockdown. Virtual Events are a digital platform for professionals to share knowledge, market their services and develop business relationships. In most cases, they are the closest thing to meeting in-person. Explore how you can participate, present at, or host an event. There are three common types of virtual events:

•   Webinars
•   Virtual Conferences
•   Virtual Roundtables

Engage in the Q&A sessions at the end to provide you with the opportunity for visibility. There are two openings for this.  Ask a question or pick up on someone else’s question making note of the person’s name and company. This will give you the ideal conversation starter when you connect with them later.

The Art of Cold Emailing: This is the ‘Chamber of Horrors’ of networking - and for good reason.

First step: Collect email addresses of target contacts. Just a few, very relevant addresses will do.

Next:  Give lots of thought to your Subject line, because that will trigger the recipient to either immediately Open or Delete your message. Always have a contact Objective in mind: Why am I emailing? What do I want to accomplish with this single email? What reaction do I want to provoke?  Of course, personalize the message to the recipient and make your message short and relevant.

It’s Not Complicated: Please don’t drop off the radar screen. You have worked too hard, ate too much and watched too many hockey games to get to where you are.  Practically speaking, it’s probably going to be a long, lonely summer.

Stay well. Stay safe. Stay visible.

They say that necessity is the mother of invention. Perhaps necessity is also the mother of transition? Because undoubtedly, over the past few turbulent weeks, many hundreds of thousands of professional services personnel have transitioned, virtually overnight, and entirely out of necessity, to the status of “home worker”.

In so doing they’ve accelerated the adoption of remote working at a speed considerably beyond that which in any other circumstances would have been thought possible. In addition, in making this transition, lots of people who were resistant, or who at least had reservations, have found that the new reality of remote working is entirely doable.

We are indeed living through an acutely unique set of circumstances. In the ordinary course of events, any firm contemplating its wholesale migration out of central offices and into a “remote working” model would almost certainly have taken many months at least to execute the manoeuvre. Business cases would have been written, feasibility studies done, plans laid, training conducted.

Meanwhile, lots of hand‐wringing would have accompanied every senior partners’ meeting on mitigating the impact on firm revenue and perception for employees and clients. And each transitioning individual would, most likely, have received an appropriate amount of hand‐holding, both in terms of the technical aspects of the move, along with some sort of acknowledgement that such a radical reconfiguration would be likely to incur some psychological impacts as well. But we’ve hardly seen any of that.

On the contrary, every last soul in the firm has more or less been taken to a great height and dropped straight into the chilly deep‐end of a metaphorical “remote working” swimming pool. What’s more, after some flailing, spluttering and moments of panic – everyone pretty much learned to swim.

So much so that Josh Baxter, CEO of NetDocuments¹ reported that one month on from the beginning of lockdown, his service saw the volume of activity on its servers rise from a pre‐pandemic average of around 980m transactions per week to just under 1.2b transactions in each of the last two weeks – a 20 per cent increase. “Users went home, they plugged in and they just started to work”, said Baxter. So where does it take us?

The end of remote working

First, and perhaps perversely, I think it suggests that the term “remote working” has probably become redundant. Now that everyone is remote, no one actually is! And this is not such a bad thing. Because for the longest time, the term “remote worker” has attracted a vague stigma. As though such people had limitations and were compromised by their physical distance from the beating heart of the organization. They were seen as outliers, peripheral and maybe even a bit rogue. But when there’s no core any more, that goes away. (In any case “the core” was already a myth. Today’s firms are often distributed: their IT and their IP probably held remotely; their employees entirely capable of putting in a solid shift irrespective of location.)

Second – and importantly – it’s likely that many of the hesitations felt over extending remote working will have been dispelled. The NetDocuments data indicates that, contrary to some expectations about the distractions of home working, productivity has in fact not taken a hit. To be sure, working from home does have distractions, but so does working in an office.

Experience is also dispelling the concerns of those who worried about not having a sufficient grasp of technology and that they would struggle out on their own, beyond the help of an assistant, or IT services. In fact today’s technology is designed to be fairly intuitive, even for the tech‐averse. Plus when individuals have run into issues, they’ve found that IT support can help them remotely and just as effectively as if someone was standing over their shoulder.

Nor is working from home less secure than working in the office. Indeed when data is held in the cloud, its protection is exponentially more sophisticated and more secure than any single law firm – even the biggest – could resource on its own.

In summary, people’s reservations about remote working have been overtaken by events. Their own experience is showing them that, by and large, working away from the office is actually both viable and sustainable. It will have long‐lasting repercussions on what comes next.

Competitive advantage

People are now living a real‐time, real‐life demonstration of how the firm can function away from the office. So a new understanding will be taking hold: that access to services matters much more than location. This realization would have taken much longer without this crisis. But the key point is that it calls the value of physical offices into question.

Necessity has catapulted firms from their cosy, traditional premises. Those that had a well-developed business continuity plan have now tested it at scale and found that it works. As a result, many firms will understand that by optimizing service delivery and reducing the firm’s cost base that they now have an opportunity to seize competitive advantage over other, slower to adapt peers; especially given that the cost‐consciousness of many clients will only be exacerbated by the crisis. At the same time, employees, having demonstrated their capacity to maintain productivity from home, may well prefer to stay safe and stay there, at least for the time being.

We know of one West Coast firm that in the early 2000s made the decision to move its admin to West Virginia to take advantage of lower costs. It then moved a number of on‐demand legal services as well. The firm maintains some real estate on the West Coast for client meetings, but has found the reduction in the cost of office overheads very compelling. Among its many, many impacts, this crisis will likely be an accelerator for a lot of other firms coming to the same conclusion.

_________
1 NetDocuments is a cloud‐based document and email management service widely used in the legal sector.See: https://video.buffer.com/v/5e97963a08732d10de0f1906.

Mobile technologies, remote working, and agile workplaces. These are the workaday requests from clients I hear as an interior designer with one notable exception: law firms.

The legal profession has been the bulwark of keeping the real estate status quo.  But the coronavirus has played your hand, forcing firms to pivot hard to work remotely to ensure continuous client service.  For an industry that has been slow to adopt new ways of working, Gensler believes this is the Legal Industry’s great reset button.

PURPOSE

It isn’t possible to predict the future legal workplace post-Coronavirus, but we can use our insight and global expertise to foreshadow the shape of things to come. Pre-coronavirus, many firms were slow to adopt working from home strategies. However, firms have had a revelation more than a revolution realizing the tools they had to work remotely were already there.  This big experiment of distributed workforces in legal firms gives us pause to think when we return to the office and things settle, what’s the purpose of the office?

THE NEW NORMS

Settling into the post-coronavirus workplace will feel different. Hygiene will take centre stage. As Dr. Christina Banks, Director at Interdisciplinary Center for Healthy Workplaces, indicated on a recent webinar, “Clean, clean and be seen to be cleaning”.  It may be clean, but people need to know it has been cleaned; cleaners may need to work during the day wiping down surfaces rather than undertaking this unseen in the midnight hours.  Expect to see disinfectant wipes in the conference rooms and elsewhere.  And of course, hand-sanitizer stations will abound.

Working from home “as the privilege of partners” will become a thing of the past.  Having let the genie out of the bottle, it will be hard to argue that Associates and other staff need to work in the office all the time.  For lawyers attempting to concentrate, working from home or their private office will seem immaterial.  Perhaps for focus work, home will trump the office.

There will be also be behavioural changes.  Some people may not feel safe in large team meetings, and months of isolation may make it difficult to become social animals again after months of physical distancing.

There will be zero-tolerance for signs of sickness in the office.  According to Kate Ledwidge, Senior Associate at law firm JMW, “It is likely to be fear-driven behaviour that is the biggest problem, rather than the illness itself.”  Every cough or sniffle, even seasonal allergies, will be regarded with suspicion.  People may need more sick days to encourage them to stay home and not worry about a loss of salary. 

THE FUTURE WORKPLACE

We will come back to the office “battle-ready” to work from home, so why go to an office?  We believe it will be for connection. It is clear, as anyone isolating will attest, that people prefer to be in the office, maybe not every day, but anecdotal evidence suggests we want to be back.  Looking 5 year’s ahead, having achieved herd immunity or a vaccine, the legal workplace’s role will be a hub for collaboration, mentoring and interaction. It will function like a private member’s club, somewhere to go for camaraderie, to learn, to network. Gensler’s research on millennial lawyers revealed that firm culture is THE biggest enticement for deciding to take a position at a firm, beating out prestige and compensation.  This private member’s club, will be the embodiment of firm culture. 

It will look different; more spaces for collaboration and multi-functional, less area for the individual.  There will be the creation of central spaces underpinned by food, beverage and concierge support.  These spaces will be built for multi-functional use for staff and client. Of course, people will still do focused work in the office, but individual offices will be smaller and between spaces for the many.  When you really need to focus, you just stay home!  The office is for networking and knowledge sharing.

First, second and third year lawyers are still going to need supervision and it is easy to see how working in a combined case room sharing knowledge and information would boost productivity and advance their understanding of the legal profession. The allure for the office will be for that face-to-face mentoring. Applying lessons from tech firms for creating spaces that support a “scrum approach” to solving problems, by having big tables to work together and small spaces to work independently between “scrum” meetings will become more commonplace.

Coronavirus may not stay with us, but its implications to the workplace will have a lasting legacy.

Difficult conversations cause so much stress that most people simply avoid them. That creates a myriad of problems.  A Harvard Business Review article noted that you can generally measure the health of a team or even an entire organization by measuring the average lag time between identifying problems and discussing them. The longer issues go unaddressed, the higher the price you pay in engagement, productivity, quality, diversity — you name it^[1].

If you’re like many people and conflict averse, your inclination is to push this unsavory task to the bottom of your to-do list, resulting in an unhealthy lag time and the negative consequences that ensue. 

Stop Procrastinating

Here are two techniques to spur you into having the conversation.

1.  Send the person an email asking when they have time to chat and then book that time. You’ve now put yourself in a corner and must have the conversation. In today’s climate, being let go is often the first thing on everyone’s mind, so be pre-emptive in addressing that by briefly mentioning the purpose of the meeting – “I want to talk about the Widget Co. file” or “I want to talk about yesterday’s meeting”.

2.  If I’m dealing with an issue about Person A that’s been brought to my attention by a Person B, I’ll commit to Person B that I’ll address it and get back to him/her within a defined time, by the next day, if possible. Again, I’ve boxed myself into a corner and no matter how much I’m dreading having the conversation, I’m now committed.

Prepare for the Conversation

While you may be committed to having the conversation, you’re probably still not looking forward to it. Here’s one theory as to why we find it so hard.

“…we tell ourselves that these conversations are tough because we don’t want to upset the other person, (but) usually the squirmy feeling we’re experiencing has less to do with our counterpart and more to do with our own unconscious anxiety about not being able to handle the conversation well.”^[2]

Let’s examine how to handle the conversation well so that you can rid yourself of some of that unconscious anxiety.

First, adopt a positive mindset. Your purpose in having the conversation is to fix a problem, for example, weak performance. Focus on the fact that after this conversation you will have helped someone perform his or her job better. Reframe it as a constructive conversation rather than a difficult one.

Getting the ball rolling is tough, so take some time to figure out your first sentence. A good start will help ensure a good outcome. You know what you want to say – the rest will tumble out once you’ve said the first sentence. Don’t memorize the balance of your comments. For one thing, it’s hard (and stressful) to memorize a speech and, for another, this is a conversation, not a speech. Last, you don’t know how your colleague is going to react, so you’ll likely go off script in any event.  

Avoid starting your first sentence with “you” or “why”, as in “you didn’t meet the deadline” or “why did you do that?”. Both sound confrontational. Instead, start your sentence with “I”: “I noticed that your memo came in after the deadline; I’d like to hear about what caused the delay”. Or, “I was uncomfortable when you said that to me in the meeting; can we talk about it?”. Notice that in both instances you’re coming into the conversation from a position of curiosity. You need to be curious because even though you think you know the whole story, you often don’t. Be prepared to hear details that more fully inform your understanding and perception of the issue.

Phrasing the conversation in this way shows that you’re open to hearing the other person’s perspective, which in turn creates a more respectful atmosphere.  

Conducting the Conversation

If there’s any possibility that you might touch upon a sensitive topic or if you’re going to give someone a course correction, please do it behind closed doors. Not only is it disrespectful to the recipient, it’s embarrassing to those overhearing it, and it reflects poorly upon your professionalism. 

Be careful with word choice. Strip out any words or phrases that are accusatory. As noted above, begin with a neutral phrase. Instead of “Where were you at today’s meeting?” try “I noticed that you weren’t at today’s meeting”. Then say nothing and wait for an explanation. Start a conversation with a simple statement of fact and then allow the other person to take it from there.  

Now comes the pivotal part of the conversation – listening. It’s pivotal because a successful outcome will depend upon your ability to be a good listener. It’s important (and often difficult) not to interrupt, especially if you vehemently disagree. Your listening skills will determine whether the other person leaves the conversation feeling that they’ve been heard. If not, they will be frustrated, perhaps angry and likely discount anything that you’ve said. If that happens it may not have been worth your while to have the conversation in the first place.

What do you say if you disagree with your colleague even after hearing their input? Communicate your respect despite the disagreement but hold fast to your position. For example, “I hear what you’re saying about missing the seminar because you felt it wasn’t relevant, but I can’t agree with you. I’m sorry we don’t see eye to eye on this, but you must attend all future mandatory seminars whether or not you believe they’re relevant. Ultimately this comes down to a difference of opinion.”

Last, while you may be talking about talking about difficult things, if delivered well, it doesn’t have to be a difficult conversation.

Imagine coming into work one day and trying to open your email, but you can’t. In fact, you can’t do anything because you no longer have access to your own computer network and neither do your employees. Nobody in your office is able to get any work done because the files and systems they need are inaccessible. Your IT team is trying to restore the system from a backup, but that’s not working either. 

And then your team gives you the bad news: you’ve been hacked and now the hackers are demanding a huge ransom to give you access to your own network. 

It’s a nightmare scenario for any law practice, but it’s about to get worse.

Unbeknownst to you or your IT team, the hack didn’t just happen that morning. It actually happened six months ago. 

Hacker Evolution

Over the last couple of decades, hackers have grown incredibly sophisticated. It is no exaggeration to say that contemporary hackers run their operations like major corporations. In fact, some of these hacking operations are run better than some of the actual companies I have worked with. 

The rate of technological evolution and the advancement in hackers’ abilities have made it virtually impossible to defend against every threat. Technological giants like Microsoft have gone on record as saying it’s not a matter of if you’ll be breached, but rather when. 

As larger corporations like Microsoft have poured resources into their cybersecurity, hackers have switched their focus to smaller businesses that often have much weaker security measures in place. 

The good news is that you can protect your business. You just have to evolve the way you think about cybersecurity.

Assume You’ve Been Breached

Small business owners tend to assume their in-house or third-party IT teams have everything under control when it comes to cybersecurity. But, the truth is that if you’re a small business owner, it’s actually better to assume that you are about to be breached or you’ve already been breached. 

It’s known as “Assume Breach Mentality” and it could save your company. 

Most people believe that when hackers infiltrate a network, they go for high value targets like computers that handle your finances and immediately make their move and start shutting things down and demanding money. 

 But, that’s not actually the case. 

Rather, contemporary hackers will find a way into your network using a low value target like a printer, an old computer in your shipping department that is only used for creating labels, security camera systems, a smart fridge that is hooked up to your network or even an employee’s unsecure phone, for example. They do this because these targets usually aren’t going to be well protected and they’re easier to infiltrate. 

Once they’ve made their way into your network through one of these soft points, they will sit in there for months and gently “probe around” in your network. They will observe the way your business runs and they’ll learn as much as they can about the people in your company, your processes, your vendors and generally how you run your operation. 

One example of how they gain information is by reading your emails and then sending someone in your organization a fake “spear phishing” email that looks like it comes from a vendor or a supervisor and asks for information. Since the email looks legitimate, the employee provides the requested information and the hacker is that much closer to their high value target. 

Then, once they’ve got the information they want and have compromised your backups, they drop the bomb by fully activating the malicious software and you are caught. 

An “Assumed Breach Mentality” is meant to keep you vigilant about your cybersecurity. Obviously, you hope that you aren’t breached and you carry on working as usual, but assuming that you are always on the verge of being breached (or are already harboring malicious software) will make sure that it is at the forefront of your mind. 

Instead of assuming you’re safe, you can create a plan, develop the necessary processes, and purchase the required technology that will find out when a breach occurred as early as possible, and then eject the attacker from your network with the goal of limiting the breach as much as possible.

Physical Security vs. Cybersecurity

The reason hackers are able to infiltrate small businesses so easily is because there are so many different ways for them to do it now and those ways continue to multiply as technology gets more sophisticated. Also, many small business owners tend to treat their cybersecurity as an afterthought. 

Think about the physical security you have at your business right now. 

You have locks on your doors and maybe you also have a fence, bars on your windows, motion sensors, security patrols, a monitored alarm system and cameras.

These can be broken down into three categories:

• Prevention
  • Locks, fences, bars.
• Detection
  • Sensors, cameras, alarm system
• Monitoring
  • Security patrols, alarm system monitoring
    
    

Your level of physical security will depend on different factors. If your building is in a fairly remote place on the outskirts of town that doesn’t get much traffic, you may feel that locks on the doors are good enough. If you’ve heard there has been an uptick in crime in the neighborhood over the past few months, you might also get some bars on your windows. If the next office over was broken into and had a bunch of equipment stolen the week before, you might feel the need to get some cameras and security monitoring.

It’s a process of balancing the cost versus what you believe you need to keep your building safe. 

Cybersecurity is similar. 

You need to truly know where you are right now in terms of cybersecurity and do some calculating to figure out what level you can afford to be at.

First, let’s look at the different levels of cybersecurity in the same way we discussed physical security:

• Prevention
  • Firewall, anti-virus, multi-factor authentication, up-to-date software security patching, employee security awareness training programs
• Detection
  • Detection and response platform, Network sensors, Log aggregation
• Monitoring
  • Security operations centre
    
    

Most law firms are at the Prevention level. This is where you have your basics in place to prevent hackers from getting into your network. 

The problem is that many small and medium-sized firms think that are only at the Prevention level actually believe they are at the Monitoring level. They think their in-house or third-party IT teams are detecting and monitoring for hackers, but most do not, or cannot, offer this service. 

This leaves law firms vulnerable. 

Let’s take a closer look at what each of the items in the Detection and Monitoring levels are: 

Detection and Response Platform

This is software that is meant to detect suspicious activity that has already infiltrated your network and is doing the aforementioned probing to gain access to more valuable information. 

Network Sensors

Network sensors collect data from various points in your network and allow you to determine if you have activity that looks suspicious and should be checked into. They come in a variety of formats. 

Log Aggregation

A simplified explanation of log aggregation is when all the various logs in your computer network are collected in one place and are made easily searchable. This means your cybersecurity team can easily view your network logs to see if there is any suspicious activity.

Security Operations Centre

As the name implies, a security operations centre is a monitoring service that analyzes an organization’s activity on networks, servers, databases, applications, websites, and other systems for anomalous behaviour that might indicate a breach. The security center's goal is to detect and analyze cybersecurity threats and respond to them using a combination of technology and strong processes that eradicate any problems.

Choosing Your Level of Cybersecurity

As previously discussed, you will have to do some calculating to figure out what level of security you can comfortably afford while staying as safe as possible. It would be great if every business could be at the Monitoring level and have the services of a security operations centre, but that may not be possible for smaller law firms. 

Regardless of how confident you feel in your current cybersecurity situation, if you’re running a law practice you should get a full assessment of your preparedness. You may find that you are completely prepared, but chances are that you are going to find some huge gaps. 

Because your own IT team has a vested interest in making you feel like everything is secure already, it is best to hire a third-party cyber security specialist to analyze your setup and identify areas of improvement. 

When hiring a specialist company, keep these guidelines in mind:

• They should make everything as clear as possible so you can understand it. It’s easy to make things sound impressive when using industry jargon. A reputable cybersecurity company will use everyday language to make sure you fully understand what they are proposing. 
  
  
• They will have no problem giving you a list of current clients that you can call and talk with. It’s easy to put a testimonial on a website, but getting a reference you can have a conversation with is invaluable.
   
• They should be able to walk you through the procedures they have in place to protect themselves. One of the best ways to ascertain what a cybersecurity company can do for you is to see what they do for themselves. 
  
  
• They will have no problem giving you the names of the tools they use so you can research them for yourself. Not all cybersecurity companies like to “pull back the curtain” and let customers really see how they do things. A good company will have no problem with transparency. 
  
  

No matter what level of security you get, it is imperative that law firms of all sizes start evolving their way of approaching cybersecurity. Assume that a breach is inevitable or has happened already. The future of your company may depend on it.