Insuring against a security disaster

Having the security tools in place is not enough for TSMP Law Corporation. The right policies need to be set and followed.

It is not only court documents and loopholes that Stefanie Thio, the corporate head and joint managing director of TSMP Law Corporation, casts a legal eagle's eye on. IT security is another area the lawyer takes extra caution in.

In her own words, Thio would rather get an earful from a client whose e-mail has been blocked by her company's servers than risk a virus sneaking into the network.

The Singapore firm, which has under 50 employees, takes a serious and "conservative" view when it comes to protecting three areas: client documents, financial accounts and e-mail.

The company's attitude is shaped by both industry developments and a previous experience. In 2001, TSMP suffered an attack, during which a virus propagated itself and disrupted its e-mail system for two days. Contacts from the employees' address books received e-mail messages purporting to be from TSMP, and the millions of sent messages jammed the system.

Recounting the incident, Thio said that besides the immediate downtime caused by the attack, the company's credibility was affected. Several large organizations, such as financial analyst Salomon Smith Barney, blocked incoming e-mail from TSMP, and the law firm had to write in to explain the problem and reverse the decision.

TSMP's response time to its clients was also impacted. "There was also the concern that people sent us e-mail and they thought the e-mail had come through, but we had not actually received them," Thio said.

However, the good news was "there were no implications from a legal perspective", she said. But although the firm did not lose any client information and its documents were not accessed or affected by the incident, it was all the more convinced that its data and records had to be safeguarded.

When the company expanded and moved to new premises that year, it seized the opportunity to review the technology it had and upgrade its hardware and security systems. Security and data integrity were, and still remain, a key concern, as TSMP cannot afford to lose its clients' information, noted Thio.

"We looked at it comprehensively--we didn't just want to buy a platform that would work for us at our size then, which was in the mid-10s of lawyers, we wanted something with which we could grow," she said.

The new plans appeared ambitious, compared to what TSMP had in place in 1998, when it was first set up. "In those days we didn't really have e-mail; we had one standalone computer that we would check e-mail once an hour," Thio explained. "Security wasn't really that much of [an issue], because there was no external connectivity, except for that one standalone machine, and most [of our peers] practised that too."

To make sure the company was well-cushioned from any possible breach of security, Thio went as far as to reject the advice of the company's systems integrator (SI) at that time.

Thio mused: "Our SI at that time said one server is enough, but we said 'No, we want three'--one for each of the three areas, hopefully as standalone as possible so that if somebody can hack in via our e-mail server, he doesn't mess with our accounts and documents."

Strict policies in place
TSMP leaves nothing to chance when it comes to protecting its documents: security policies are in place to minimize, if not eliminate, the risk of external bugs entering the corporate network.

One rule that employees observe is to have laptops that have been taken out of the office scanned for viruses before they are put back on the network. There is a dedicated network point, segregated from the office network, for scanning the notebooks.

While senior executives have mobile access to e-mail using either the Treo or O2 mobile device, the attachment replication function is disabled, and unless specific re-authorization is carried out, they can only view the e-mail messages minus the attached documents. Remote e-mail access is also limited.

"What we try to do is while maximizing a functionality and the convenience of connectivity, we try to also cut out the loopholes and the risk areas, such as attachments," said Thio. What's important, she added, is being able to view what a client has sent using a smart phone, and then access and work on the attachments via a laptop.

Good partners are hard to find
According to Thio, even though security is a major worry, finding the right systems integrator is equally challenging, as many do not live up to expectations.

"To find a good one is very, very hard," she noted. "They (SIs) promise you the moon, earth and stars when they first market to you… they promise you a Microsoft-certified engineer, and when you sign up with them, the Microsoft-certified engineer disappears from the face of the earth."

Another challenge was having to establish new relationships due to staff turnover in the SIs. "You have to build a really good relationship with the guy who understands your problems, and he very often gets poached to another company, and then you have to start all over again."

Keeping IT personnel on the payroll is not a suitable option for the company, as they are "not able to stay on top of connectivity, and hardware and software developments", Thio added. TSMP had, for a period of time, employed a dedicated staff member to take care of IT matters, but decided that the headcount was redundant when it engaged Stone Forest IT last April as its technology consultant. The legal firm, which opted to lease servers, printers and desktops from Hewlett-Packard, also receives support from the vendor.

Thio explained: "The problem with having a full-time IT person here is they may be good at what they do today, but they may not be able to stay as fresh with the problems that are being faced (as time progresses).

"With IT, you really need to have people who are in this full-time, and who are able to access cutting edge technology that is being used in business, so that we know what to deal with… it's really about getting cutting edge professionals who know what's on the market, what the problems facing market players are today, so that they know what solutions to best bundle together for you," she added.