Is your firm running End of Life software?


If you are reading this article after loading Windows 7 and launching Outlook 2010, we suggest you keep reading!

A number of mainstream and legal-specific IT software applications are publicly stating their scheduled date for End of Life. Stephen Brown, Legal IT Consultant at Lights-On Consulting explains the impact of End of Life software and advice on managing a software upgrade project.

Impact

The ICO recommends that: “Organisations should only be using supported operating systems that the manufacturer provides regular security updates for”. 

The SRA states that: “Software, including operating systems should be kept up to date”, and reminds firms they are obliged to “mitigate risks to client confidentiality, client money, and to overall compliance with our regulatory arrangements”.

Cyber Essentials (recommended by CQS) states that: “Software must be supported”. 

In short, if your law firm is running End of Life software, then you could be in trouble with the regulators.

What does ‘End of Life’ mean?

‘End of Life’ software traditionally means the end of support and maintenance – specifically the support for new and known defects, security vulnerabilities, regulatory compliance and software upgrades.

The following software applications are scheduled for End of Life. Note: the dates listed assume the software is running the latest service pack.

(NB at time of publication, some dates have already passed)

  • Server 2008 – ESED 09/07/2019
  • SQL 2008 – ESED 09/07/2019
  • Envision – December 2019
  • Windows 7 – ESED 14/01/2020
  • Exchange 2010 – ESED 13/10/2020
  • LexisNexis Axxia Artiion and Desktop – 31/01/2020
  • Office 2010 – ESED 13/10/2020
  • Thomson Reuters Enterprise all go end of life – 31/12/2022

(Key: ESED – Extended Support End Date).

Another consideration that will affect multiple businesses, not just law firms, is an announcement by BT that from 2020, ISDN networks (generally what telephone systems use to make calls) will be unavailable for purchase, following plans to discontinue ISDN and PSTN. The associated risks are decreased levels of support, increased rentals and call charges, and at the extreme, increased downtime during outages.

For many firms, these impending end of support dates will trigger and require some fundamental infrastructure overhauls which mean pressure on resources and finances.

The Risks: what are the problems of running End of Life software?

“In the last year, 60 percent of law firms reported an information security incident – an increase of almost 20 percent from the previous 12 months.”

National Cyber Security Centre, July 2018

These dates are in the public domain. Generally you see an increase in security vulnerabilities for End of Life software just after the software expires, as cyber criminals delay releasing viruses and malware until then because they know the vulnerabilities won’t be fixed.

As a consequence of running End of Life software, firms risk leaving themselves susceptible to a myriad of problems, and top of this list is an increased susceptibility to a cyber-attack.

The risks are:

  • Security – the firm will open itself up to cyber-security risks by running End of Life software. This isn’t a case of being sensationalist but a simple fact. With no ongoing patch fixes, known loopholes can and will be targeted by cyber criminals, and chaos could ensue, as was experienced by the NHS in May 2017 when it suffered the WannaCry ransomware attack.

It was a similar scenario when in 2016, Mossack Fonseca, the Panamanian law firm, suffered the leak of 11.5 million documents, when the firm’s IT systems were hacked, reported to have been due to its email server being susceptible to penetration as it hadn’t been updated since 2013.

  • Cost – in 2017, it was reported that approximately £10.7 million of client money was lost to cyber-crime.
  • Vulnerabilities – software providers will always issue a public advisory when patches are released, and cyber-criminals will exploit these. If the firm doesn’t update to the latest versions or apply vendors’ patches as they are released, the vulnerabilities in its systems will remain exploitable. A very recent example is the announcement by iManage when it released a critical update in June with a fix for an iManage Work Server security vulnerability, and advised firms to apply the patch installer on all iManage on-premises environments with Work Servers running from 9.5 R2 through to 10.1.3.
  • Technical support and job security – the job security and sustainability for technical experts of End of Life software will be impacted and redundancies are therefore likely (if not probable). Some of those affected may set up as consultants, some may retire, some may re-train, but for law firms running End of Life software, there will be a knowledge gap of experts familiar with the system and able to provide support. The IT specialists that do opt to maintain the provision of support to End of Life software will likely charge a premium for their ‘dying expertise’ which in turn represents an additional (potentially high) IT maintenance cost for firms.

Is an upgrade the only option?

Clearly there are many risks around running out of date software, and for a law firm this practice exposes it to potentially catastrophic consequences.

However, there may be reasons for sticking with running End of Life software, not updating software, or upgrading to new software, for instance:

  • The firm may be in financial difficulties and so have limited resources to cover the costs;
  • The firm may have other priorities, such as an office move or merger;
  • The firm may not have identified any problems with the current software and assumes the ‘if it ain’t broke, don’t fix it’ mentality;
  • The firm is unaware of the issues of End of Life software due to a lack of expertise either in-house or from external consultants;
  • The firm has heavily customised software that makes updates or an upgrade impossible;
  • The firm is paralysed by the size of the project facing it and doesn’t know where to begin.

The facts – the real impact of a software change

Concentrating on the mainstream, most widely used software, what is the real impact of upgrading to new software?

Windows 7

The upgrade would be to Windows 10, which will require new hardware. This can mean buying new laptops and computers, incurring extra costs.

Server 2008

Upgrading this system will require large scale transformation in the firm’s server room, which could mean tough questions to raise about investment cycles and Cloud computing provision.

Exchange / SQL

Document Management, Digital Dictation, Practice Management, and email systems rely on Exchange/SQL. Any upgrade requires careful planning alongside the consideration of Cloud availability and provisions.

PMS / DMS

Without a PMS or DMS, a firm cannot deliver a legal service to clients, as these systems impact and are incorporated into every process undertaken and carried out at the firm. Upgrading PMS or DMS is a lengthy process – selection and implementation can take between 12 and 24 months – and for the sixty or so UK law firms known to be affected, they have the added challenge of limited supplier resource available to help.

With these software systems utilised by multiple departments within a law firm, it is unfair to assume the IT team will have complete control. An IT department will ultimately have to apply a strategic view of the broader picture where hardware and software are concerned. In addition, the Marketing and Business Development departments will also be involved in assessing the capabilities and operational specifics of a new CRM, whilst the Finance Department should take the lead on a PMS project.

ISDN / PSTN

The alternatives to move to are:

  • SIP Telephone Lines (A SIP Trunk) – a like-for-like upgrade to traditional ISDN lines via the internet.
  • A hosted telephone system (Cloud Telephony) – removes the need for line rental and is usually offered on a per user / per month basis, on the proviso that the internet connection can support this.

Guide to End of Life software upgrade project:

There is a process for these types of projects and sometimes the catalyst for change is the end of support for the software.  The foundations need to be in place to change infrastructure and a complete IT strategy needs to be discussed.

For an Office upgrade, enlisting the help of a managed testing organisation is strongly recommended. Depending on the criteria specified at the outset, a managed testing organisation can assist greatly in testing functionality before upgrading end users’ machines.  Office upgrades could depend on whether the firm decides to migrate its infrastructure to the Cloud. This will impact a number of features within a firm, such as its DMS servers.  There is also an implication on training; new Office packages have new features and to ensure the partners and secretaries are able to work proficiently, there may be a requirement for either training in-house or from external trainers.

When it comes to upgrading a PMS, the best advice is to start the process early. Selecting a PMS that is the right fit for the firm is a long and often arduous process, and enlisting a third party to support the internal requirements gathering and supplier sourcing is to be recommended. A PMS project lasts a long time simply due to the amount of work involved, so project management and communication skills will be imperative to ensure a smooth-running and well-communicated project.

Tips and takeaways for End of Life software upgrades:

Questions to answer and points to address when considering and then implementing End of Life software upgrades must include:

Step 1 – high level strategy:

  • Do you have adequate inventory management protocols?
  • Do you have internal resource to manage and maintain projects of this sort?
  • How does this impact on your budgets?

Step 2 – getting into specifics:

  • What is the build on the end user machines?
  • What are the Extended Support End Dates for the software on the end user machines?
  • Create a project steering board to own the project.
  • Create process flows.
  • Create check lists.
  • Be realistic with timescales – these are end dates, so in an ideal world don’t leave it to the wire.
  • Test, test, test and test again.
  • Communicate with the end user.
  • Train the end user.

Knowing the deadlines for End of Life software is only part of the battle; having a robust plan of action to ensure that timescales don’t slip is the other edge of this very dangerous sword. The risks are just too great for the integrity of your firm.

How can Lights-On Consulting help with End of Life software?

The consultants at Lights-On work closely with law firms to help them identify End of Life software and plan an effective strategy for dealing with it. Through our Executive IT Review, we can highlight any areas needing focus or action, and our IT Strategy Development enables firms to create a roadmap for their IT development and vision. We work closely with law firm management teams and senior in-house IT professionals to bring a valuable external perspective and a hands-on approach that allows your IT team to ‘get on with the day job’.

Note: The thoughts outlined in this article are intended to provide insights only and do not constitute advice. Always engage with a qualified expert before embarking on any IT project.

This article was first published in the Solicitors Journal.