Richard Elson, IS Director at law firm Trowers & Hamlins LLP, discusses the challenges of taking a security-first stance

Law firm Trowers & Hamlins needed to enable cross-platform mobility on both Android and iOS without compromising security.

The solution needed to support a wide range of business-critical applications across multiple operating systems. The firm decided to roll out BlackBerry BES12 to manage corporate devices, with the BlackBerry Dynamics (formally Good Dynamics) container to secure and manage corporate data on personal devices.

Speaking to Computing recently, Richard Elson, director of IS at the firm, explained how they balance the need for security with the oftentimes conflicting need for open communication.

"We could probably spend millions and millions and millions on security," he said. "It's obviously central to what we do; we've tried to take a security-first approach to all of our technology projects, but particularly our mobile technology. Taking a security-first stance can sometimes be a little unfashionable - and there can be trade-offs with ease-of-use, productivity, people wanting to use the latest apps. But we think we've got the right balance. We fairly recently standardised around a BYOD strategy, which is centrally-managed applications delivered to personal devices."

Elson went on to talk about the ease of deploying this programme and the BlackBerry software they use to manage all devices, to get the security levels they require. He also talked about the steps they took to educate their end users and the challenge of their end clients:

"Managing the service that we apply to individuals who are maybe less security-conscious is a bit of a challenge at times. But that said, if you're engineering security from the start and you've got education programmes and ways of dealing with things from the technology side, you can be in quite a good place."

When asked about the impact of the GDPR on the firm, Elson explained that although the regulation is a fairly onerous set of responsibilities, good data governance has accelerated their preparations. "We did an awful lot of work around the ISO 27001 and we did a lot of work for the Cyber Essentials Plus [scheme] and got the accreditation for that last year; and also in preparation for looking at the cyber insurance, about two and a half years ago, we put together a systems map of our Personally Identifiable Information." He explains, "What we've tried to do is, for each system and for each set of Personally Identifiable Information, [identify] what the risk is, how we're treating it today and how the requirements of GDPR - particularly in respect of consent and control - what next steps we have to take for each set."

The firm's security-led stance means that from an IT perspective, they're well prepared for the GDPR. "End-to-end encryption, encryption of data at standing, security of the mobile devices and all the end points locked down: we did all of that a long time ago. So really, I suppose, it's maturing that model, working closely with compliance; and especially, a programme of education - not everybody knows what GDPR is yet. So, both in terms of the seminars we run for clients, and also our programme internally, we're going to be focusing on what people need to do practically to make GDPR work" he said.

This is a sponsored post