TLOMA Today

September was a truly great month for TLOMA. Our first in-person conference was a huge success, with many saying it was the best conference they had ever been to. It was encouraging to see so many new faces. Nearly 37% of attendees were participating for the first time and over 60 Business Partners shared news on what they have been working on over the pandemic. We also announced that the 2023 conference will take place at the Westin Hotel in Ottawa on October 11 - 14!

The Nominating Committee is working hard to fill the last couple of positions for 2023. Once the committee has finalized the selections, they will be presented to the board and shared with our members for ratification.

We have several exciting SIGs in October including:

• Facilities SIG – The biggest challenges and the desired future outcomes for the hybrid workplace – October 6, 2022
• Finance SIG – Client Verification Panel Discussion – October 18, 2022
• Human Resources SIG – Total Rewards Trends, Priorities and Themes – October 27, 2022
  
  

Finally, we are making the final arrangements for the holiday party which will be held on November 25 at Biagio Ristorante. Invitations will come out soon but for now, don’t forget to mark your calendars!

Cybercrime has been on the rise, especially in the past couple of years. Criminals find Small and Medium Businesses (SMBs) especially attractive targets. It is not surprising due to a simple reason there are so many of them. In the USA and Canada, SMBs represent more than 99.8% of the total companies on the market. Another factor contributing to hackers' focus on SMBs is the lack of the security infrastructure that large companies have. And yet, SMBs do have all the "goodies" that can be traded for profit, like customers' and employees' sensitive data, financial information and, of course, business system data or system availability that can be used as leverage to extort ransomware money.

According to Cyber Security Ventures research, 60% of Small & Medium Businesses that became victims of a significant cyber attack are going out of business in 6 months following such an event.  

Why your company needs Cyber Insurance?

Being a victim of a cyber-attack can result in hefty fines, loss of reputation, high legal fees, and specialized repairs fees. It is very unpleasant and stressful to go through with a potentially high impact on your firm's ability to operate. Often, it imposes high direct and indirect costs that are very hard to anticipate.

Cyber insurance can help your business cover a significant part of those costs.

What Is Cyber Insurance?

Cyber Insurance is designed to protect your business from the high costs of the cyberattack, including ransomware payments, legal fees, forensics, and cleanup fees associated with the attack.

What Does a Typical Cyber Insurance Cover?

Not all Cyber Insurance coverages are created the same. Good Cyber Insurance covers the damage your business suffers from a cybersecurity attack. Here are a few examples of the coverage: 

• Forensic services – Technical services involved at the time or post cyber attack.
• Breach coach – Typically a very experienced person who helps you navigate the time of crisis and orchestrates all involved parties to achieve the fastest and most cost-effective recovery.
• Data and identity recovery associated costs.
• Fees associated with the damage repairing the impact on your customers or business partners.
• Legal fees.
• Customer notifications and settlement costs.
• Ransom payments.
• Customer and employee lawsuits due to privacy breaches.
• Loss of income because of network outages.
• Regulatory fines.
• Public relations costs to restore your company's reputation.

As a business owner or executive, you should ask yourself questions:  Does my business have cyber insurance? Do I have a clear understanding of what my cyber insurance coverage includes?  When was the last time when you reviewed the cyber insurance policy lately? Was the policy "pick-the lowest-price" philosophy driven, or does it reflect the real risk to your business?

Reviewing your Cyber Insurance policy to ensure proper coverage might be a good idea. We see all kinds of policies on the market, and some companies think they have good coverage until the moment their insurer denies them. 

Who Needs Cyber Insurance?

We strongly recommend having Cyber Insurance for everyone. Like you have a home and car insurance, you should have cyber insurance for your business. There is a limited number of thieves in your area who can break into your home; however, to commit a cybercrime, there is no physical limitation. Hackers can target anyone around the globe if the victim has an Internet connection. It makes it much easier to commit a crime, as hackers do not have to be close to your business physically. Hence the chance that cybercrime will happen is significantly higher, as seen in empirical studies. Attackers have a worldwide and year-round "open season" on any business connected to the Internet. It is not a question of "if." It is a question of "when" you will be attacked.

Having the right Cyber Insurance will ensure you can recover faster in the event of a cyber incident. At the same time, the insurer covers a large portion of the financial costs associated with the incident, making it significantly cheaper.

Among our clients, we see the following industries most benefiting from having cyber insurance:

• Legal Firms 
• IT Professionals
• Accounting Firms 
• Medical Clinics
• Technology Companies 
• Consultants
• Marketing & Media Companies
• Real estate agents
• Retailers
• Manufacturers 
• Food Producers
• Wholesale and Distribution Companies 
• Logistics companies 
• Non for profits organizations

How to maximize the value of Cyber Insurance? 

Some cybersecurity insurance policies will exclude some coverage due to technical deficiencies in the client environment and look for "negligence" or any means that will take them off the hook, basically will allow them to avoid a payout. Here are a few examples of what underwriters are looking for in purpose to hedge their risk, and as a result, you may pay a higher premium or get a less favourable coverage policy:

1. Poor Security Posture - Poor cyber posture in your infrastructure is "inviting" hackers and hence can be used as an excuse not to pay or reduce the payout amount.

2. Prior breaches - Breaches or events occurred before an organization purchased a policy.

3. Human error - Any attack or data loss because of a mistake made by an employee.

4. Insider attacks - Loss or theft of data made by an employee.

5. Pre-existing vulnerabilities - Data breach because of a previously known vulnerability that wasn't addressed proactively and on time.

6. Untrained Staff - Lack of cyber awareness training.  

Can Cyber Insurance Take the Place of proactive Cyber Defense?

There is a misconception that cyber insurance is the "silver bullet" and that it replaces the need to defend the business. The fewer defences you have, the higher the insurance will be (if you can even get it all), and the more exit points the insurance company will have not to pay! Even the best insurance does not cover all the costs and does not account for many of the impacts on your business and the loss of reputation. They will always look for reasons not to pay, and when paying, it will be the minimum which will not always align with your business needs.

Like with home insurance, we first lock the doors and windows and take precautions to ensure no one breaks in. You also install an alarm at your home that actively monitors for break-in signs. You want to have enough sensors around your house to identify break-in as early as possible, and dispatch responders on the ground that will minimize the damage; only after the active scene is stabilized and damages minimized you might call your insurance to cover the cost of the damage.

The same should be done with your business from a Cyber protection perspective – You should have enough sensors and protection in your environment so you can identify and potentially prevent cyber incidents as early as you can, only then call insurance to cover hopefully minor damage if at all.

Not having adequate protection can mean significantly larger damages to your business that will take years to recover or can push you to go out of business.

What can you do to reduce the impact of the next cyber-attack?

Unfortunately, no one can guarantee that cybercriminals will not attack your organization. As I mentioned, this is just a question of "When" your turn is. More pragmatic assumptions should be that your business will be attacked. Preparing your organization proactively to deal with such an event by placing modern adequate cyber defences and having cyber insurance in place can make the difference between a major business disaster to an event with minimum implications. 

Here are a few practical steps where to begin:  

• Be proactive in preparing for different scenarios based on your specific business risks. 
• Understand the effects of a potential security incident on your company and quantify it in terms of the cost of each day of being down (average breach is two weeks downtime).   From our experience, quantifying the impact in $ value can be a sobering exercise. 
• Get help assessing your Cyber Posture to identify the gaps and develop a comprehensive organizational mitigation plan.
• Your IT support staff are not Cyber Experts– Augment your IT team with capabilities beyond your IT systems' security. Work with cybersecurity experts to help you understand business risks associated with cyber and build this organization's comprehensive Cyber Resilience program.  
• Review insurance policies and premiums that will further reduce residual risks. Understand the requirements for claims and renewals.
• Implement the multilayered protection needed to minimize the possibility of exposure, breach, or any other form of cyber attack.

For more information and advice on how you can better protect your business and reduce cyber insurance costs, contact Armour Cybersecurity team here. 

Among the many consequences of the global pandemic, one was that it drove many law firms to embrace digital transformation. And in the course of enabling remote working, many introduced cloud-based systems and took the opportunity to scan existing paper records. This has led firms to believe that, to the necessary degree, they’ve “taken care of” their records. But is that entirely true? I’d argue that even though many paper records have been digitized, now is not the time for firms to be complacent about data and records. You should continue to ensure you’re managing information governance with appropriate controls on retention and destruction, because when holding onto excess data in whatever format, several pitfalls remain.

The costs of storage

The obvious first problem with keeping excess data is that it’s expensive. The costs of physical storage are well understood. But now the costs of electronic storage are emerging and it’s becoming clear that there’s a price on every excess gigabyte. This is especially apparent when firms transition to cloud-based document management systems, and it’s something that firms should control rather than accept.

Privacy regulation

The next problem with excess data is that there’s a growing body of data privacy regulation and legislation for firms to negotiate. They’re impacted because virtually all firms will hold some Personally Identifiable Information (or PII) including dates of birth, addresses, social security numbers and banking information in anything from property deeds to the due diligence done on directors in the commission of M&A work.

In Canada, people are widely familiar with the Anti-Spam Legislation (CASL). Europe has its various national incarnations of the EU’s General Data Protection Regulation (GDPR), while in the US, a tapestry of state data privacy legislation is emerging, making it all the harder for firms – or anyone else – to stay compliant.

The issue in relation to data retention is that most of this legislation includes requirements that data is retained for no longer than necessary for the purpose for which it was acquired. It means that if firms hold on to PII for too long they risk compliance breaches, which in the case of GDPR can cost up to 4 per cent of a company’s annual global revenues or 20 million euros (c. Can$3 million), whichever is the bigger amount.[1]

Cyberattack

A third problem with carrying excess electronic data is that you’re increasing the attack surface and thereby making cyberattack more likely. We already know that law firms are considered rich pickings for cyber criminals because of the quality of your data. Also, post-pandemic, incidents of cyberattack are increasing. Nor should the impacts be underestimated. They can include anything from a temporary business disruption to major systems failure and shut down. To that you can add the costs of paying a ransom or ransoms to retrieve data, the reputational impacts, and the costs of remediation, such as hiring data security specialists. Not to mention potential regulatory fines.

Doing business

The final problem with excess data is that it impedes the efficiency of the firm. Time is money, and excess time is expended searching when there’s more data held than there needs to be. There’s also a cost when things can’t be found or found quickly enough. Firms can incur the costs of replacing things they can’t locate or, in a worst-case scenario, can be fined for failing to produce documents requested by a court quickly enough.[2] There’s also a real danger that poor records and data management has a knock-on impact on client service levels, client confidence and even client retention.

What is the conclusion? That firms will benefit if they commit some effort to rationalizing the volume of data they hold. This means creating a retention and destruction policy that everyone signs up to, and locating all the firm’s data, doubtless in a range of media and places. Firms must then produce and enact a retention and disposition schedule that keeps track of what needs to be returned to clients or destroyed, and when. Firms are also well advised to use specialist software to help them manage data retention and disposition, so that they can control data costs and risks much more cost-effectively.

To find out more join us for our ILTA Masterclass ‘Retain, or destroy (data)? That is the question!’, where we will deliberate the growing pressure on firms to manage data retention and disposition efficiently and compliantly. Click here to register.

[1] https://www.cnbc.com/2022/01/18/fines-for-breaches-of-eu-gdpr-privacy-law-spike-sevenfold.html

[2] https://www.ft.com/content/e2620e22-9593-4781-89f0-3b91a6bce694

You’re thinking about changing something about how your office works, but do you dare?

Here are some tips on change management best practices, or how to make technology changes less painful.

But first: do you need to make a change? News ways of working and digital transformations are everywhere, but sometimes it’s worth it to use old technology if it works for you. You don’t have to change just because there is something new out there.

Instead of starting with the new product or thinking about how to change, ask yourself: why? Why are we changing? Sometimes changes are driven by IT departments or other providers whose priority is to reduce their workload or move to the latest, greatest software.

Get back to the business need. Is it going to save you time on invoicing or time tracking? Will it help you communicate better with your clients or your team? Will it make your lives easier somehow?

Whatever it is, there needs to be a real business need and a concrete upside to doing it.

So, if you’ve decided to make a change for the good of your business, here is some guidance and lessons learned from our years of experience helping people with technology changes.

What to do first

Accept that change will be outside many people’s comfort zones. It is hard. Even for those of us who do this every day. Be empathetic. Make sure you’re allocating time and space for every individual in the organization to make the change.

Understand that the change might increase work for some initially. For instance, a billing system change may come with a 30-40% increase in workload for the people who do your billing while you make that change. Make sure those people are on board with the change, so it happens in the best way possible.

Name a point person, such as a subject matter expert, project lead, or executive who will be an internal advocate for the change. If you leave it all to an outside consultant, it’s easy for them to become “the enemy.” Pick someone who knows your internal culture to help drive changes.

There is no such thing as a stupid question. Approach learning from different angles. Make sure everyone knows they are part of the change, and that these tools are ultimately being put in place to help them. Show them at least one thing about the new technology that will make their work easier right away. Involve them in the process.

What not to do

Don’t suddenly decide to make a change, and simply send out an email blast with only technical information and expect everyone to learn it right away. People learn differently. They need information before, during, and after the change.

You’ll need to present information in multiple different ways. This could be videos, in-person learning, webinars, documentation. Do not assume people will just use the new system. People will find ways to revert to old systems. You must support your team, encourage them, and provide resources well after making a change to make it effective.

People generally resist change because we are scared. We are used to doing things a certain way, and don’t want to lose our workflow. Talk to your team, understand their concerns, show them how the new technology helps their work.

Getting other leaders on board

Help other leaders at the organization become advocates for the changes you are envisioning. Explain in business terms why a change is needed.

If a change is being driven by IT for security or support reasons, explore whether there could be another way to keep using your current systems but in a more secure way. This was the genesis of our Cloud Office and many other private cloud solutions: allowing businesses to keep using “legacy” software that is still a better fit operationally than “modern” equivalents. Sometimes the increased IT costs of maintaining software such as PCLaw are, when considered holistically, much lower than the costs of a software change just for the sake of keeping IT budgets down.

Make sure all technology changes make sense for your business. When you decide to move forward with a change, start with the “whys” and the “whats,” then the “hows” will follow. Best of luck!

Feel free to download my slides from a webinar we held on this topic along with Tim Morton, founder and CEO of Prompta Consulting Group. Or, watch my 5-minute video recap.

Introduction

We at Gallagher believe that retirement programs, if deployed correctly and effectively, can play a critical role in employee retention strategies. Our clients have continuously raised concerns about their ability to retain top talent and have asked for our guidance to stave off what has now become known as “The Great Resignation”. In addition to retention, attracting fresh talent has also become a much more competitive environment leading to further challenges for employers across Canada.

Industry buzzwords and social media clickbait only tell half the story of why staff are leaving their employers. Gallagher’s client experience and Benefits Strategy and Benchmarking Survey data provides key metrics and insights as to why employees are leaving their employers at such staggering rates.

What does the current employment landscape in Canada look like?

The pandemic gave people time to reflect on, and re-evaluate, their personal, professional and career lives. Within this decision-making period, many employees began looking for new jobs. A notable trend was that employees were finding similar jobs to their current role with better compensation and more comprehensive benefits. Data shows that new hire salaries are 7% higher, on average, than the median pay for people already employed in similar positions. ^[1] This means employees who join new companies, are doing so at a higher salary than any raise they would likely receive from their current employer.

How are employers reacting to The Great Resignation?

Some employers are attempting to offset this trend by offering more in bonuses to seasoned employees to counterbalance the pay gap between new hires and tenured staff. ^[2] These bonuses however, only address the issue of pay gaps between new hires and tenured employees. What these employers require is a tool to close the gap in compensation while also encouraging seasoned staff to remain onboard. At Gallagher, the tool we’re promoting to achieve this is retirement plan design reviews. There is an old industry adage we’re trying to turn on its head, which states “group benefits attracts fresh talent, and group retirement retains top talent” — we believe that retirement programs can serve both purposes.

How do retirement programs help retain top talent?

As tenured employees begin to reach their retirement runway (10-15 years leading up to it), they must begin to pick up speed with their plan contributions. Employees in this demographic tend to be the most experienced and seasoned talent and when organizations lose these individuals, it has a greater impact on business continuity. Implementing plan enhancements which are specifically designed to retain seasoned talent will have an impact on business overhead, however, these expenses are typically more digestible than the cost and disruption of losing a top sales professional or senior executive and the fiscal impact of recruiting, hiring and training replacement talent. The below table includes some examples of plan enhancements that can be implemented to assist in retention:

Plan design strategies to retain talent
Enhancement	Benefit
Tenure based contribution matching	To assist tenured employees in preparing for retiring, offering a larger match on their contributions is effective in encouraging them to remain with the company right up to their retirement date. This strategy can also mitigate the pay gap between new hires and tenured employees.
Bonus allocations to retirement programs	Allowing your employees to allocate all or a portion of their bonuses directly to a retirement savings plan offers convenience and tax sheltering strategies. Some employers have gone even further to match a portion of their employee’s bonus contributions. Another effective solution in mitigating the pay gap between new hires and tenured employees.
Adding Income Guaranteed Investment options	Some carriers offer investment funds that are tied to an annuity which guarantees a minimum return and guaranteed investment income in retirement. Members invested in these funds are more reluctant to break their contracts and lose out on financial security through retirement.

How do retirement programs help attract fresh talent?

While most young professionals are typically focused on securing employment that offers extended health benefits, there should also be a focus on offering financial security to this younger demographic. A large portion of young professionals are emerging from college or university with student debt which limits their ability to save for a new home or begin saving for retirement. Luckily for employers, there are innovative new options in the retirement landscape which cater to this demographic and encourage regular saving to ensure financial security. This table outlines a few plan enhancements to assist with attracting fresh talent:

Plan design strategies to attract talent
Enhancement	Benefit
Student Debt Repayment Plans	Insurance carriers now offer employer sponsored retirement programs that allow employer contributions to be made as a match to an employee’s student debt repayments. This allows recent graduates the ability to pay down debt while also saving for their future.
RRSP and Home Buyers Plans	Contributing to a RRSP on behalf of an employee can allow them to build up their balances in an effort to do a First Time Home Buyers withdrawal. With the latest federal budget, the Canadian government outlined a new savings plan which allows employees to take advantage of tax-sheltered growth in efforts to save for a home. We expect these plans to be rolled out by insurance carriers in the near future and will consult on their use and implementation.
Registered Education Savings Plan (RESP)	Some carriers have begun offering a savings plan to help save a child’s education within a group plan. An RESP is supported by the federal and some provincial governments. It helps you save money for a child’s future education, where the investments inside the investment account grow tax-free.
Short-Term Savings Plans	Introducing alternative tax-sheltered savings plans that employees can contribute via payroll deductions can assist members with shorter period savings goals like a new car or vacation while still taking advantage of lower group investment fees.

Conclusion

Employers in Canada with effectively designed retirement programs can rely on those programs as an attraction and retention tool. It is important to review your plan design comparatively against your existing employee demographic to ensure the plans you’re offering cater to your employee demographic. Offering your employees annual engagement surveys can assist in gauging the perception of the plan and whether it’s viewed in a positive or negative light. Generally speaking, employees who feel their employer takes interest in their financial future will be more satisfied and less likely to depart. Gallagher’s Workforce Evaluation, Benchmarking Data, and Plan Philosophy can be a vital tool to assist you and your benefits team in addressing and closing any gaps in your program. We would be delighted to work with you in reviewing your program and assisting your organization in making any necessary enhancements to bolster employee retention as well as appeal to fresh talent. 

Like all other public and private organizations, law firms are also dealing with digital security challenges and growing costs of cybersecurity insurance. It is expected that cyber insurance premiums will continue to increase 40% year on year. Insurance providers are also mandating that their clients put in place a process to identify, detect, and protect against internal and external threats.

Canadian IT solutions provider Compugen has partnered with Arctic Wolf to launch Security Operations Centre (SOC) as a service. A global leader in delivering Managed Cybersecurity solutions to organizations, Arctic Wolf has more than 300 law firms under management in the Canada/US territory. The following two case studies identify challenges that two different law firms faced and needed to address to ensure the safety of their respective IT environments. The solution not only helped elevate their cybersecurity posture but also helped them meet obligations to regulatory bodies and their clients.

Case Study 1:

The legal firm has 150 lawyers and support staff in 9 locations across the country. Their work requires conforming with corporate clients’ risk management policies.

Significant data breaches that originate through work with subcontractors have driven awareness among large corporations of the potential risks vendors pose. Corporations now require legal counsel to adopt more robust security measures; what were initially questionnaires evolved into a combination of questionnaires and review sessions. Corporate clients frequently need signed attestation from the firm stating that they’ll follow specific cybersecurity policies, so the firm must have a comprehensive solution.

Finding the Right Managed Detection and Response Solution

An internal audit of their security practices revealed glaring gaps related to their ability to detect and respond to threat indicators. Through this process, the firm discovered that migrating to a managed detection and response (MDR) platform was a crucial security need.

The firm evaluated three vendors in the space to improve its MDR capabilities – TruShield, eSentire, and Arctic Wolf – and ultimately selected the last. Arctic Wolf provided the robust functionality and skilled expertise that the firm needed, and its subscription-model pricing provided the firm with business flexibility, allowing it to scale security requirements as required.

Taking the Toil Out of Vulnerability Assessments

The firm regularly performs third-party vulnerability assessments, the results of which became difficult to manage and address. Seeking a more continuous approach to managing their digital risk posture that would offload the toil of working their third-party vulnerability assessments, the firm added the Arctic Wolf Managed Risk solution.

The Managed Risk solution provides 24x7 continuous vulnerability scanning managed by security experts. Beyond vulnerability scanning, the firm also gains visibility into system misconfigurations against globally-accepted critical security control benchmarks and the account takeover risk exposure that they weren’t receiving before.

Outstanding Results Across the Board

The firm deployed the Arctic Wolf security operations solutions over a year ago. Since then, the firm’s IT team has seen improved security across its network and has met clients’ requirements in several ways:

• 15-minute notification and resolution from when a high-level user provides law firm credentials to a known phishing site
• Greater frequency of vulnerability scans to accommodate customer requirements
• Increased log retention timeframe to meet changing customer requirements
• A quantified risk score that measures and benchmarks digital risk against industry peers

Arctic Wolf helps secure the firm’s sensitive data by flagging suspicious events. And by eliminating events that turn out to be false positives, Arctic Wolf’s Concierge Security Team gives the firm a greater ability to scrutinize its existing security controls, tighten policies, and validate how Arctic Wolf monitors its operations.

Arctic Wolf Managed Detection and Response and Managed Risk have enabled customers to improve their security posture for far less than had they continued with their third-party vulnerability assessments or hired internal security experts and established an in-house SOC, reflecting exceptional return on investment. Firms reduce costs by not needing an internal SOC team and infrastructure while getting a higher level of service than would be possible from an internal security resource.

The firm no longer has to deal with excessive alerts, and when there is something anomalous, they are notified. The Arctic Wolf service improved the firm’s security and allowed them to meet increasingly stringent client security requirements.

Case Study 2:

The legal firm has 160 lawyers and support staff across the country. Their work requires conforming with corporate clients’ risk management policies.

The firm must secure sensitive client data as well as its confidential information. The firm has ethical obligations driven by external bodies to ensure the security of client data. Additionally, many of the firm’s enterprise clients require the firm to complete vendor risk management questionnaires as a prerequisite to doing business. Client security assessments have become increasingly frequent, particularly from large banks and healthcare companies which house tremendous amounts of sensitive customer data. Active monitoring is a requirement, and the firm must ensure they have the tools and resources to find potential threats 24x7. Another example was meeting their client’s HIPAA requirements. They frequently possess their customer’s data, and the onus is on the firm to implement the necessary precautions to secure that information.

Making the Case: Finding the Right Approach to Cybersecurity Detection and Response

Keeping the status quo was not an option, given the client’s concerns and the potential business impact of not adequately monitoring the firm’s environment. To help optimize its security posture and satisfy client risk management concerns, the firm evaluated different ways to monitor its environment systematically and analyze log files for security threats. It considered deploying a security information and event management (SIEM) system but quickly concluded that the cost of staffing and managing a SIEM would be prohibitive.

Having ruled out an in-house SIEM solution, the firm zeroed in on managed detection and response (MDR) as the optimal approach. Arctic Wolf’s Managed Detection and Response was the best fit, with a straightforward business case made to the firm’s technology and budget committees. With pressing security assessment questions around networking monitoring and log analysis, the firm decided that the solution met all their needs at a cost far below that of an in-house SIEM.

The Verdict: Exceptional Results

Today, Arctic Wolf ingests over 46 million observations per week from the firm, with only a handful resulting in security investigations. As the firm transitions to Microsoft Office 365, they intend to add Office 365 coverage to the resources that Arctic Wolf monitors. The firm’s IT team has seen improved security across the network while satisfying client requirements in a number of ways:

• The Arctic Wolf console provides insights and reporting on both on-premises and SaaS applications used by the firm
• Out-of-the-box reporting benefits internal and external constituents
• Visibility into suspicious network traffic enables the firm to avoid potential security pitfalls

The firm’s cybersecurity policies and processes satisfy corporate clients’ requirements and ensure its practice continues to thrive. The Arctic Wolf service provides two solutions in one: technology and people. It provides the technology to collect and aggregate the log information and provides people with the necessary security expertise to evaluate that information. The key benefit for the firm’s IT team was Arctic Wolf Concierge Security Team’s advisory services, allowing them to respond quickly to potential incidents.

To learn more about how Arctic Wolf can meet your cybersecurity requirements, please join the free webinar hosted by Compugen & Arctic Wolf on October 19th at 12 noon. At this lunch and learn webinar, we will have a panel of subject matter experts that have worked with the industry to solve security challenges specific to the legal business.

https://pages.compugen.com/30744/awsecurity

For all participants who register for the webinar, we will be providing a $25 Uber Eats voucher so you can order lunch while you attend.

Revenue has historically been used as the metric for measuring timekeeping performance. However, when you take a step back, that does not actually make too much sense.

When it comes to performance strictly on a results-only basis, you forget the mitigating factors. Consider your drive to work, for example. During the summer holidays on a dry day, you’re likely to be a lot faster than you are during term time where there is more traffic, or in the wet when drivers on the road are slower.

The fact is, performance comparisons are only valid in isolation when conditions are the same.

Firm revenue has been seen for a long time as the right way to measure timekeeping performance. Typically a calculation is made using the number of timekeepers multiplied by their respective rates. A total is arrived at. This is then used to benchmark the performance of a timekeeping solution. If the net revenue goes up, the solution works; if it goes down, then it doesn’t.

Going forward the same metric is applied to gauge performance year-on-year, or when a new timekeeping element is added. The bigger the revenue, the better the timekeeping performance, right? But on analysis, that doesn’t really stand up.

Firm revenue is also the result of a large number of variables. There are external factors such as the economic and regulatory climate, which will influence how much business a firm handles. Maybe the economy is booming so you’re very busy. Maybe it isn’t, so you’re not. It’s nothing to do with timekeeping.  

Similarly, there are internal factors. Perhaps the firm has upset a big client and they’ve found alternative legal representation. Or perhaps the firm’s work is delighting clients, who are pushing more and more business your way and more timekeepers are hired. Again, nothing to do with timekeeping performance. 

Across the board, in fact, there is no actual correlation between firm revenue and timekeeping performance. So there ought to be a better and easier way to measure it – and fortunately there is.  

Introducing velocity

The starting point has to be a measure that isolates timekeeping performance from other contaminating factors. That’s why revenue is not good as a standalone metric without further context. As noted above, too many other elements corrupt the result. 

In addition, timekeeping should be measured in a way which actually reflects the amount of value delivered. So it’s not sufficient to look only at quantity of time, i.e. hours, it’s also about quality.

This is why velocity – a metric first introduced in the early 2000s by Peter Zver when developing a best-of-breed timekeeping system called TimeKM – is the critical thing to measure.  

Velocity is the single number which reflects how quickly work is being captured in a system after the work event. If I do the work on Monday and record it on Friday, this equals a velocity of 4. If I do the work on Monday and capture the time instantly, the velocity is zero. In fact, velocity is very diagnostic because it is a simple and precise reflection of reality. 

It follows that high velocity is bad because no one can remember with complete accuracy all the things that they did many days ago, especially if they’re under pressure. By Friday, what an attorney did on Monday is inevitably something they’ll have to piece together. Maybe with notes, a calendar and some emails to go on. Or maybe they just recall spending all afternoon on one piece of work. But that might be a distortion of reality.

The point is that for the firm it results in leaked time. Some of it in small increments and some in big chunks: an attorney speaks to the client in an airport lounge for twenty minutes but by the time they get off the plane and head home, it’s completely forgotten. This typically happens outside of the office and outside office hours.

The solution to leaked time is to achieve zero, or near zero velocity by adopting systems which enable very quick, easy, painless, contemporaneous and mobile time recording. Such systems allow time to be entered in increments which previously seemed too small to justify the effort. But even more significantly, they have the power to completely flip leaked time into “new found time”, which is really impactful.

The way forward

Firms need to emphasize that low velocity equates to high quality, which really matters because of its large impact on both realization and trust. Realization is something attorney’s should really care about because who wants to work for nothing? Yet inaccuracy, vagueness and padding creep in when velocities are high, giving clients more opportunity to question their bills and right them down.  

Meanwhile, perception of value is like a bottle of milk left in the sun: it spoils quickly. Clients are pleased and happy the day a dispute is resolved, a merger safely delivered, or a claim settled – but two months later, those emotions have dissipated. So your very slow bill becomes one they feel more inclined to scrutinize and query. The longer it takes to submit time and thereafter produce a high-quality invoice, the higher the likelihood that the realization will go down. 

Hand in hand, inaccurate bills and unclear line items also erode the client’s confidence and trust in the firm. Which is serious. An established track-record of immaculately presented and prompt invoices will better position you come panel review time. You’ll look like a firm that delivers consistency and accuracy, and with whom clients can confidently collaborate. Meanwhile slow, poor-quality invoices may make a client wonder if it’s getting slow, poor quality counsel. 

Finally, firms need to be clear that velocity is the metric which reflects true timekeeping performance and gauges the value of time inventory. Yes, revenue and hours still matter to the firm. But the salient point is that they are business metrics, not timekeeping ones. It’s a flawed equation if these are the measures used to evaluate timekeeping performance.

Click here to learn more about Advanced’s time recording and capture software, Carpe Diem.