Is your firm running end-of-life software?
With a number of software applications publicly stating their scheduled end-of-life date, Stephen Brown explores the implications for firms
If you are reading this article after loading Windows 7 and launching Outlook 2010, it is imperative you continue reading. Numerous mainstream and legal-specific software applications have started publicly stating their scheduled end-of-life date, posing a compliance risk for many firms. The ICO recommends: “Organisations should only be using supported operating systems that the manufacturer provides regular security updates for.” The Solicitors Regulation Authority (SRA) states: “Software, including operating systems should be kept up to date”, and reminds firms they are obliged to “mitigate risks to client confidentiality, client money, and to overall compliance with our regulatory arrangements”. In short, if your law firm is running end-of-life software, then you could be in trouble with the regulators. See box opposite for software applications scheduled for end of life or recently exceeded it.
WHAT IS END OF LIFE?
The term end-of-life software traditionally means the end of support and maintenance – specifically support for new and known defects, security vulnerabilities, regulatory compliance and software upgrades. A separate consideration that will affect multiple businesses, not just law firms, is the recent announcement from BT that, as of 2020, ISDN networks (generally what telephone systems use to make calls) will be unavailable for purchase, following plans to discontinue ISDN and PSTN. The associated risks are decreased levels of support, increased rentals and call charges, and at the extreme, increased downtime during outages. For many firms, these impending end-of-support dates will trigger the need for some fundamental infrastructure overhauls, which means pressure on resources and finances. Generally, you see an increase in security vulnerabilities for end-of-life software just after the software expires, as cyber criminals delay releasing viruses and malware until then, because they know the vulnerabilities won’t be fixed. By running end-of-life software, firms risk leaving themselves susceptible to a myriad of problems: at the top of this list is an increased susceptibility to a cyber attack.
Security – The firm will open itself up to cybersecurity risks by running end-of-life software. With no ongoing patch fixes, known loopholes can, and will, be targeted by cyber criminals, and chaos could ensue, as was experienced by the NHS in May 2017 when it suffered the WannaCry ransomware attack. It was a similar scenario in 2016 when Mossack Fonseca, the Panamanian law firm, suffered a leak of 11.5m documents, when its IT systems were hacked. This was reported to have been due to its email server being susceptible to penetration as it hadn’t been updated since 2013.
Cost – In 2017, it was reported that £10.7m of client money was lost to cyber crime.
Vulnerabilities – Software providers will always issue public advice when patches are released, and cyber criminals exploit this. If the firm doesn’t update to the latest versions or apply vendors’ patches, the vulnerabilities in systems will remain exploitable.
Technical support and job security – The job security and sustainability for technical experts of end-of-life software will be impacted and redundancies are therefore likely. Some of those affected may set up as consultants, some may retire, some may retrain, but for law firms running end-of-life software, there will be a knowledge gap of experts familiar with the system and able to provide support. The IT specialists that do opt to maintain the provision of support to end-of-life software will likely charge a premium for their dying expertise which, in turn, represents an additional (potentially high) IT maintenance cost.
TIME TO UPGRADE?
Although running out-of-date software exposes firms to potentially catastrophic consequences, there may be reasons why a firm keeps running end-of-life software rather than updating it or upgrading to new software, for instance:
— The firm may be in financial difficulties, with limited resource to cover the costs;
— It may have other priorities, such as an office move or merger;
— It may not have identified any problems with the current software and assumes the ‘if it ain’t broke, don’t fix it’ mentality;
— It is unaware of the issues of end-of-life software due to a lack of expertise either in-house or from external consultants;
— It has heavily customised software that makes updates or an upgrade impossible; or
— It is paralysed by the size of the project and doesn’t know where to begin.
TACKLING SOFTWARE CHANGE
Concentrating on the mainstream, most widely used software, what is the real impact of upgrading to new software?
Windows 7: The upgrade would be to Windows 10, which will require new hardware. This can mean buying new laptops and computers, incurring extra costs.
Server 2008: Upgrading this system will require large-scale transformation in the firm’s server room, which could raise tough questions about investment cycles and cloud computing provision.
Exchange / SQL: Document management, digital dictation, practice management, and email systems rely on Exchange/SQL. Any upgrade requires careful planning alongside the consideration of cloud availability and provisions.
PMS / DMS: Without a PMS or DMS, a firm cannot deliver a legal service to clients, as these systems impact, and are incorporated into, every process undertaken and carried out at the firm. Upgrading PMS or DMS is a lengthy process – selection and implementation can take between 12 and 24 months – and for the sixty or so UK law firms known to be affected, they have the added challenge of limited supplier resource available to help.
With these software systems utilised by multiple departments within a law firm, it is unfair to assume the IT team will have complete control. An IT department will ultimately have to apply a strategic view of the broader picture where hardware and software are concerned. The marketing and business development departments will also be involved in assessing the capabilities and operational specifics of a new CRM, while the finance department should take the lead on a PMS project.
ISDN / PSTN: The alternatives to move to are:
— SIP telephone lines (A SIP Trunk) – a like-for-like upgrade to traditional ISDN lines via the internet.
— A hosted telephone system (cloud telephony) – removes the need for line rental and is usually offered on a per user / per month basis, on the proviso that the internet connection can support this.
GUIDE TO END-OF-LIFE SOFTWARE UPGRADE PROJECT
There is a process for these types of projects and sometimes the catalyst for change is the end of support for the software. The foundations need to be in place to change infrastructure and a complete IT strategy needs to be discussed. For an Office upgrade, enlisting the help of a managed testing organisation is strongly recommended. Depending on the criteria specified at the outset, a managed testing organisation can assist greatly in testing functionality before upgrading end users’ machines. Office upgrades could depend on whether the firm decides to migrate its infrastructure to the cloud. This will impact a number of features within a firm, such as its DMS servers. There is also an implication for training; new Office packages have new features and to ensure the partners and secretaries are able to work proficiently, there may be a requirement for training, either in-house or from external trainers.
When it comes to upgrading a PMS, the best advice is to start early. Selecting a PMS that is the right fit for the firm is a long and often arduous process and enlisting a third party to support the internal requirements gathering and supplier sourcing is to be recommended. A PMS project lasts a long time due to the amount of work involved, so skills with project management and communication will be imperative to ensure a smooth-running and well-communicated project.
TRAIN THE END USER
Knowing the deadlines for end-of-life software is only part of the battle. Having a robust plan of action to ensure that timescales don’t slip is the other edge of this very dangerous sword – the risks of ignoring the issue are just too great for the integrity of your firm.