Law firm IT teams had to adapt quickly to a new set of work rules
Catarina Conti
Media Operations
28 May 2020 (Paris, France) – In a series of early articles on COVID-19 in The Lawyer , The Legal Gazette, and Legal Week, the Chief Technology Officer for Bird & Bird, Karen Jacks, noted she had a meeting with the firm’s leadership in February to talk about the issue of coronavirus as it was spreading throughout Asia. Remote working had become a necessity in the firm’s outposts in Beijing, Shanghai, Hong Kong and Singapore.
What she could not imagine as she was guiding executives through the risks posed by the health emergency, was that only a few weeks later it would reach the UK, and then the entire world. In mid-March, she found herself catapulted into a state of crisis. When the UK government announced a lockdown, she gave the thumbs-up for Bird & Bird’s entire staff to work from home indefinitely.
She was not alone. Across the legal world, the rapid spread of coronavirus globally over the past two months has forced firms to evacuate their offices and enforce widespread work from home policies. The emergency meant that decisions needed to be taken quickly and that there was little room for error.
In the ensuing weeks, it has become a testing ground for large-scale investments in Magic Circle IT infrastructure and a way to experiment new working practices that might redefine the very nature of the workplace. As I reported in an earlier article, many firms are planning to have a 50% at-home and a 50% on-site work staff. Herein is a mash-up of recent pieces from The Lawyer , The Legal Gazette, and Legal Week, plus chats with our UK IT contacts.
The show must go on
When Covid-19 reached the UK, an escalation of government resolutions culminated in the Monday 23 March instruction to stay home, along with stricter measures nationwide. At that point, it became clear that firms needed to see remote working not as a temporary solution but a potentially long-term condition. Said Jacks: “You never plan for a global pandemic, but you always operate on the assumption that one day you might have a major disruption affecting business continuity”. From an article in The Lawyer:
That Monday night, firms held crisis meetings involving business continuity teams made of executive and board representatives as well as operational squadrons. At 6.30pm, Gowling WLG held a meeting between a ‘gold’ executive team made up of chief executives and the firm’s GC, and an ‘instant management team’ that involves IT director Tony McKenna, the HR director, the head of operations and logistics, and the head of facilities. While the gold team looked at changes made by government and kept on top of legislation to ensure changes were documented and shared across practices, the instant management team was tasked with meeting daily and reviewing feedback from IT service helpdesk and operations teams.
Most of the law firms interviewed over the last few weeks have said that, when the lockdown was enforced, they resorted to a set of previously created guidelines to tackle the emergency. The so-called ‘business continuity plans’ are a collection of internal instructions that allow businesses to operate under circumstances of disruption, emergency or high stress. The plans may vary, but they include responses to scenarios like fires, floods, calamities and even civil unrest. IT and technology are major components of these plans as they define the capability of working efficiently when access to the office becomes impossible.
In the context of coronavirus, the emergency forced firms to quickly implement remote working policies. By the time the virus arose, most IT directors had already made considerable investments in agile working, an environment where lawyers and other staff can connect to the firm’s data and virtual programs by using remote key access on laptops and telephones.
Switching to a full remote working policy left firms’ headquarters completely empty or with only a handful of staff driving operations. From The Law Gazette:
At Gowling, the announcement led to 75 per cent of staff working from home by the Tuesday. It implemented social distancing measures and reduced attendance to security people only. Even switchboard and reception would operate from home.
While staying home, most lawyers still have remote access to their firm’s intranet and database by connecting to virtual private networks (VPN). Once logged in, they can use the whole suit of tools adopted on most transactions. Most firms boast document management systems such as iManage, and tools that allow staff to conduct business acceptance procedures for new clients and matters. The idea is to ensure that the working experience feels just like being in the office. Fee-earners can collaborate on client matters, oversee workflows and store files by using platforms such as HighQ or practice management system Aderant. Massive review processes can still be conducted through machine learning systems for contracts review and document comparison – an example being Luminance. Upon completion, transactions are usually signed off using tools like DocuSign.
While the goal is achieving a ‘business as usual’ environment even under challenging circumstances, getting there for most firms was not straightforward. It required regular testing and advanced planning.
Scaling up
The health emergency that forced the wide adoption of work from home strategies has prompted firms to make quick adjustments. Six weeks ago, the IT team at Herbert Smith Freehills (HSF) reviewed the firm’s technical road access capabilities and completed capacity upgrades. One of its remote access solutions is the ability to remotely connect from PC, Mac or laptop by using virtual desktops that run into the firm’s data centre. The main method of connection is the AnyConnect system from company Cisco. To ensure consistency on a large scale, the team increased the number of allocations of remote access to data centres, which entailed reconfiguration of existing software.
A number of firms scaled up their bandwidth to allow smooth connection across their network. Hogan Lovells needed to increase its security and VPN licences to be able to handle such a large remote working population. With the lockdown, 6,000 people globally were working from home – the system was designed for around 1,000. The firm increased its existing 1,200 licences for security system Citrix up to 4,000, and the VPN licences were increased to 7,000. The internet bandwidth, similarly, was subject to a tenfold increase, a process that would take a couple of months to complete.
Similarly, Mayer Brown set up 10 additional virtual servers for internet connection and database access. It also increased the number of its security and intranet tokens, with mobile phone applications that link up to the firm’s virtual environment through a second-factor authentication login. It bought around 300-400 additional tokens worldwide.
Gargantuan processes
Increasing capacity is a big part of the response to the emergency, but these upgrades are a drop in the ocean when considering the large-scale IT projects that firms have previously embarked upon to boost their own infrastructure. Coronavirus came as some firms had invested in expensive projects to upgrade their IT ecosystems.
In early 2020, Bird & Bird was in the midst of a big refresh project to implement the latest version of Microsoft Office, document management system iManage and transaction management software Workshare. After completing installation in its international offices, London was supposed to be the next one in line. The project – systems are upgraded every three to four years – is now going to be on hold for a while. Jacks again:
“We were working office by office, so we were a third of the way through.”
Ashurst saw the crisis emerge at a time when it was almost concluding a multimillion-pound programme to refresh the firm’s technology infrastructure. The project, called Kratos, saw the firm implementing new security standards, investing in remote working and new platforms and upgrading its global document management system. With the crisis looming large, the focus quickly shifted to maintenance work on the existing infrastructure, ensuring everything worked properly. This all happened as the firm was concluding one the last phases by rolling out new systems across its five Australian offices.
Simulations and stress tests
With increases in bandwidth and major projects on hold, firms took time to organise stress tests and simulations to check the effectiveness of their own systems. KPMG held a work from home trial day on 13 March for its Canary Wharf and Bristol offices, with regional offices doing the same in the following week.
In some cases, these exercises were revealing, with Hogan Lovells’ stress test proving calamitous. The firm ran a first simulation in America on 12 March, one day before the KPMG trial. All kinds of things went wrong. The firm realised that its bandwidth needed to be extended and that it had to increase the number of security and access licenses it used.
Many said they were not ready. Many have reported they realised that a number of staff members in business services and secretarial functions were not in possession of corporate computers. A big procurement effort needed to be carried out, quickly.
Laptop (or not)
After the unsuccessful test, Hogan Lovells placed an extensive order that included 110 computers for its European and UK offices, 100 of which were for London, as well as 60 for the Americas. The laptops were sourced in the space of a single week.
For the firm, it was vital that staff had a corporate laptop. But the question of whether each member of staff, even if they are not lawyers, should have a computer revealed different – and sometimes opposing – approaches across law firms. At Bird & Bird, not everyone has them. Jacks:
“We do have some lawyers who don’t use corporate laptops, but it is their choice. 10 per cent of the firm uses personal computers. Business services and PAs belong in that category – an exception was made at the beginning of the outbreak in Europe, when senior professionals in business services and personal assistants were given a few. The firm’s position is that these individuals can use their own hardware as long as they are able to access Citrix, its virtual security system.”
To counteract threats, all firms have maintained that the firm has put in place considerable programmes around security, such as purchasing firewalling technology, and changing passwords regularly. Internal systems constantly scan the infrastructure to prevent data breaches. In addition, existing awareness initiatives involve frequent training and cybercrime response simulations.
And many Magic Circle firms are monitored by BitSight, an organisation that functions as a kind of credit agency for the security posture of businesses.
Similarly, at Osborne Clarke 80 per cent of staff use corporate laptops; admin functions do not. When coronavirus came up, since there were not that many laptops left around and it would have been challenging to order more due to supply chain disruption, the firm resorted to giving some admin staff old equipment – what it technically refers to as “refreshing the fleet”. With a remote desktop system and the right criteria around security, the firm was confident they could work just fine.
But for other firms, leaving even a small segment of a firm’s population without laptops is a big risk. Andrew Keith, chief operations officer at DAC Beachcroft, says: “We delivered laptops to everyone as using your own is a security threat. Personal laptops can carry malware and have not enough antivirus measures.”
As a solution to potential lack of equipment, firms including Clifford Chance, Hogan Lovells and DAC Beachcroft have guaranteed an allowance of a few hundred pounds for employees to buy home office and IT support items. Having few last-minute expenses was seen as a preferable option to incurring security threats at a time when firms were looking to protect their systems more than ever.
Security
During the past weeks, firms have stepped up efforts to protect their IT infrastructure from glitches and external risks. One of the first things to consider when going remote is boosting secure access capabilities. The basics for many firms is granting people access to firm’s internal network by logging in through remote desktop portals and by using programs that allow secure access to cloud applications – an example is Citrix.
In some cases, access is granted only through a two-factor authentication that requires users to present evidence of something they know, like a PIN or password, and something they own such as a personal device or credit card.
Since a big part of lawyers’ daily job revolves around documents, under challenging circumstances it is imperative to provide safe storage for delicate files. From Legal Week:
At Travers Smith, chief technology officer Oliver Bethell and head of legal technology Shawn Curran have transferred all of the firm’s documents onto cloud platform NetDocuments, leaving only e-mail on premises. While cloud systems have long been berated for potential security risks, in the past few years they have become the safest route to ensure sensitive files are not kept within a firm’s own environment, but are stored in an external repository. “It is the norm now,” CTO Bethell says. “It comes down to adopting best practices and being careful when organising the transition of your data.”
There are further fronts on which security issues need to be tackled. A number of firms have recorded spikes in the usage of video-conferencing tools. At HSF, Skype for Business remote accesses increased from 600 to 3,500 every day. This means that picking the right system is key to shield lawyers from cyber threats. A number of firms have adopted popular app Zoom, but in previous weeks it has been criticised for its low security credentials. Due to internal requests, for instance, Hogan Lovells added user-friendly Zoom to its existing Webex system. Gowling WLG adopted Zoom back in 2016, signing up for a corporate licence the following year.
But in previous weeks it has been criticised for its low security. The fact that ID access codes are created randomly and the app does not require the use of passwords means that anyone could potentially join a call without invitation. In addition, it has emerged that the company does not provide end-to-end encryption, meaning its servers have access to user conversations. Pinsent Masons’ chief technology officer Nigel Tranter:
“We had concerns about Zoom when it became apparent that you have the ability externally to acquire IDs and enter a meeting. We could set a meeting up and someone could get hold of credentials without little in terms of security. We felt that was a concern.”
Similarly, instant messaging apps like WhatsApp are on the blacklist of every IT director when it comes to daily work; lawyers at the firms interviewed, who use it to manage teams and hold casual conversations with colleague, have been widely instructed to use it only for social communications and not for client business. But ultimately, some IT directors concede, it boils down to what the client requires.
While IT and operations directors deal with day-to-day issues – making sure everyone has adequate home equipment, solving glitches and monitoring the security of their networks – there are broader questions that will find answers only in coming months.
THE FUTURE
One of main challenges faced by these professionals is not knowing how long this situation is going to last. Weeks, months, a year? IT directors are planning for the long haul. Practical issues will arise when laptops, mobiles or pieces of hardware break. Most firms have laid out contingency plans around the fixing, rebuilding and delivery of devices out to staff, teams having carried out some pre-stocking a couple of months ago.
A worst-case scenario could arise if the internet becomes overloaded, as more and more people are home socialising on virtual gaming apps such as Houseparty or simply tuning in on the myriad of fitness online sessions. You have millions of people connecting every day. Everyone is relying on internet for business and pleasure.
In that case, the Government might have to reduce bandwidth for everyone. Firms might be required to find ways to smooth out the amount of traffic by connecting earlier in the day and finishing earlier in the evening to avoid congestion. You might be forced to manage your own internet flow.
For now, the daily schedule of IT teams is a trial-and-error learning process, scaling up systems when needed and finding creative solutions to help the workforce. But the common feedback: it has become the new normal all over the world. And nobody has a playbook to follow. A few firms I spoke with told me they had been “drifting towards an agile future for the past 18 months and that COVID-19 merely accelerated the decision to move away from the office. I heard comments like “do we need to keep employees tethered to their office desks”.
More telling, perhaps, is a comment from an agent with Workman LLP, a major commercial property management and building specialist in London, who told me a number of firms are set to leave choice locations or need to consider pending lease expirations.
I have a sense this is going to get bigger than it looked like at the beginning.
