January 13, 2020

Law firms still running Windows 7 software are at risk of cyber-attacks after 14 January 2020.

One of the weaknesses of the partnership model as a business structure is that it is less open to public scrutiny than businesses with external investors. Law firms may employ experts in the areas of IT, finance, marketing and HR but they don’t always have to take their advice. The advent of non-lawyer partners has gone some way to aiding parity within a leadership team, but the collective will of fee earners is likely to win out on key strategic decisions.

There are still too many instances of firms choosing to defer capital investment decisions ‘for another year’ in order to deliver short-term profitability. Eventually this deferred decision-making catches up with firms, and so it is with I.T., and specifically with Microsoft Windows 7 software.

There will be many legal practices who for years have had the same practice management / case management system that everyone in the firm is familiar with. We hear stories about idiosyncrasies and bugs in the software, but the users all know work-arounds and reports are still produced on time for the executive team. For firms whose legal software has not been developed beyond Windows 7, the days of ‘getting by’ are almost at an end.

It’s been well-trailed – the end of Windows 7 is nigh

When Microsoft launched Windows 7 in October 2009, it promised to support its new operating system for 10 years. In the middle of this year Microsoft announced its end-of-life plans for Windows 7. Support will end on 14 January 2020. The company has been true to its word and, since the announcement, much has been written on the subject.

IT publisher Computerworld estimates that, when the end-of-life date arrives, 1 in 4 PCs will still be running Windows 7. This figure will be higher in industries slower to embrace I.T. developments, and legal is likely to be amongst those.

While PCs running Windows 7 will not stop working after 14 January, the risks to security and compliance of keeping these machines within the network are significantly increased. Microsoft will cease to issue product updates and security patches for Windows 7. These computers are more likely to be susceptible to malware attacks and other cyber-criminality that could be disruptive to the day-to-day operation of a law firm.

There are some short-term transitory measures available that give limited ongoing protection for a period beyond 14 January, but they are nothing more than a ‘sticking plaster solution’. Any law firms tempted to take a chance would do well to be reminded of the 2017 WannaCry cyber-attack.

Lessons from recent history – The NHS

The WannaCry ransomware attack of 2017 led to the cancellation of 19,000 GP appointments and cost the NHS an estimated £92 million (source: theinquirer.net). A report into the attack showed that 42 separate NHS Trusts were running Windows XP on tens of thousands of machines, despite support for the operating system ceasing in 2014. The parallels with Windows 7 end of life and support are clear. The failure to replace redundant I.T. leaves any business at risk.

WannaCry affected thousands of computers across the world and was not just restricted to the NHS. Although it was not directly aimed at the NHS, the attack highlighted serious vulnerabilities. It will be interesting to see what lessons have been learnt in the health service from this Windows XP / WannaCry episode in the months and years after 14 January 2020.

What should law firms still running practice / case management software on Windows 7 do?

The time for burying one’s head in the sand is over. The good news is that there is a way forward and with digital transformation, the investment needed to make it happen is likely to be just a fraction of what it was the last time.

Data security is one of the key elements to remaining a successful legal practice as we enter a new decade. There will be firms that cease to exist because they have not kept their I.T. up to date and have then been victims of an attack.

In the first instance, ask your existing supplier what impact, if any, the end of Windows 7 support will have on the systems in your firm. If there is no upgrade path to Windows 10 open to you with your current provider, you may conclude that the best way to mitigate the potential risk is to find a replacement system. Replacing a practice and case management system takes in the region of 3–6 months. In choosing a replacement system you will need to consider how data in the present system will move (migrate) into the new one. We would recommend only shortlisting suppliers with a good track record of migrating from the system you already use.

A credible software supplier will be able to partner with you and advise on a new solution and the right implementation strategy. This could be a completely cloud-based system, an on-premise system or a combination of both.

Tim Smith is Technical Director at Insight Legal Software.