Search practiceblawg posts:

Did you know there is more to practicelaw than just forms?  practicelaw is designed to be a repository of resources intended to help your practice.  Similarly, the MSBA’s practiceblawg is a blog for the Association to share with you how the MSBA can help you improve your efficiency and grow your practice.  The MSBA offers members a number of products and services and is always looking for ways to better serve its members and provide greater value.

Got questions, complaints, suggestions, or any thoughts in general?  Let us know:

With digital security, is it possible to have too much of a good thing?

by Joe Kaczrowski | May 29, 2015

Much has been written about the need for lawyers to get serious about security. Examples abound in corporate America of data breaches and compromised systems. The ABA Model Rules now include language concerning a lawyer’s duty regarding tech competence. Past practiceblawg posts and numerous other sources have discussed the importance of two-factor authentication and secure client portals. But is there a point where social engineering and human nature eclipse computer engineering and technological innovation?

Earlier this week the MSBA’s Corporate and Antitrust Sections hosted a panel discussion on cyber security. Among other insights from the panelists was the observation that some of the more notorious government data breaches were due not to security flaws but rather to human action to avoid cumbersome security procedures and systems.

The effectiveness of any system is due in no small part to its adoption and acceptance. Having a secure file sharing system built on the latest and greatest technology is only effective if people actually use that system to share their files. If the process is too complicated or time-consuming, human nature suggests many people will try to find a simpler way, avoiding the system altogether.

For the sake of argument, let’s assume there’s a direct correlation between the security offered by a system and its complexity.

security vs complexity

Let’s also assume that there’s some relationship between the complexity of a system and the adoption rate for the system, or, more specifically, that as a system grows in complexity that burden will lead to fewer users of the system.

security adoption dependent on complexity

Anecdotally the assumption seems to hold true. Despite the benefits offered by greater security, the added cost leads many to avoid implementing or using the system. Have you opted against using a secure client portal because you didn’t want to set up another account or access another system? What about skipping two-factor authentication for an account because you didn’t want to have to get a text message every time you want to check your email? And how about not reading an article or downloading a whitepaper because the site asked for your email address? (The last one still being a security concern but arguably more of a privacy issue.)

However this analysis assumes that the security offered by the system plays at most a small part in the decision. Even if that is in fact true, the issue is perhaps not a disdain for complexity and indifference to security but rather a lack of understanding of and appreciation for the benefits of and need for greater security, or even more to the point, of the cost of not adopting better security practices and systems.

One common complaint against using encrypted email is that it requires another step or system, which takes time. Programs like Citrix ShareFile make this easier through Outlook Plug-ins, but there will always be a cost, for the recipients who don’t have the plug-in if nothing else (i.e. your clients). Proponents of such systems will tout the robust security offered, and may point out that with a lawyer’s obligations under the Model Rules encrypted email systems are a necessity not an option. That may adjust the intersection somewhat, but there is still a point where the cost will likely outweigh the perceived benefit.

Lowering the cost (i.e. the complexity) of the system is one way to increase usage, albeit one generally outside the control of most lawyers. A more realistic approach, however, is to change the other side of the equation. When evaluating digital security specifically, or technology in general, a greater understanding of the technology can increase the perceived benefit and its relative value when weighed against the perceived cost.

The benefits offered by Citrix ShareFile carry greater weight if one understands the value offered by “SSAE 16 audited datacenters and AES 256-bit encryption.” Similarly, the extra ten seconds required for some two-factor authentication systems is less onerous when one appreciates how the “what you have” factor protects against a compromised “what you know” factor (i.e. stolen password).

As previously discussed, there is no such thing as a “digital native.” Whether it begins (very) early in life or further on down the road, technical fluency is an acquired and cultivated skill. And, as with any service industry, lawyers face the additional challenge of not only educating themselves but also their clients.

FN: Speaking of technical fluency, if you haven't checked out some of the built-in features of MS Word, here's a reminder. The readability score of this post is 40 with a grade level of 13.