Preventing Cyber Threats, Now and in Years to Come
Victoria Blake, senior director of product at Zapproved, discusses macro data security trends, and how they apply to the legal realm and beyond.
CCBJ: Please give us a brief overview of the 2020 Wolters Kluwer Future Ready Lawyer Survey. What was your goal in conducting this survey? Victoria Blake: It’s part of a macro trend that’s been gaining speed over the last 10 or 20 years – the move from on-premises installations to the cloud. I did an analysis of our recent prospects to look for security-related issues that come up in sales cycles, and what I found is that while there is still a percentage of folks that have a no-cloud policy, that percentage is decreasing over time. Decreasing, yes, but more slowly than you’d think. Ten years ago, there was a general assumption that everything would be in the cloud by now, but the transition has actually been a lot slower than everybody originally assumed. A big part of the lag is, I believe, the trust – or lack of trust – in the security practices of cloud vendors, despite the massive gains in cost and efficiency that the cloud can provide. Running parallel to that, corporate legal departments are not just responsible for legal operations anymore, but now moving into governance, risk management and compliance, as well as information technology and info gov, those kinds of functions. The growing understanding is that data is an artifact of business – and as an artifact, it is a legal artifact as well. Now, legal still mostly cares about data at a trigger event, but there’s a present and growing awareness of the whole lifecycle of data. And if we’re talking data, we’re talking cloud, and if we’re talking cloud, we’re talking security. 62
SEPTEMBER • OCTOBER 2020
Can you tell us about the types of security threats facing corporate legal teams today? Security threats are not specific to corporate legal departments. Threats are part of the digital landscape. In my analysis, threats can be bucketed into several primary categories – things that are most likely to occur. At the top we’ve got everything related to individuals and identity. The primary threat is phishing and account takeovers. We’re all pretty familiar with that already – who has access to what data and when. Lack of a federated identity management is part of that problem – knowing who somebody is and making sure that they are who they say they are. And, of course, there’s malware. I hate malware. With malware, we all know what that threat is, but the access point is, again, part of phishing and account takeovers. That’s the primary access point for malware. But there are also threats from within, so what we do is build controls to make sure that the data is safe in the event of a breach from within, due to a malicious actor inside the company itself. Talking about data, the concept of data location is really interesting – you start thinking about data ownership and the concept of jurisdictions, and how much jurisdiction specific governments or localities do or do not have over your data, if it’s in transit or in storage. That’s an interesting concept in and of itself. Disaster recovery is crucial as well, so that even when something bad happens, your business can continue to function. Business continuity is so important. Disasters don’t happen frequently, but when they do, companies need to be prepared. Finally, there’s lack of transparency and a lack of robust service level agreements. Those are two different ones, but they speak to the ability of vendors to be open and honest,
