LRG Members Article Published by John Fitzgerald, CPA, Chair of Law Firm Services at Berdon LLP and Vincent Bell, President, Upstream Consulting Group

Creating a Lateral Plan that Will Work

By John Fitzgerald, CPA, Chair of Law Firm Services at Berdon LLP
and Vincent Bell, President, Upstream Consulting Group

In an industry facing a decrease in billable hours per attorney, flat budgets at clients, and an increase in lower cost alternatives for legal services, law firm executives continue to recruit individual partners, practice areas, or firms as a growth strategy.

Such a “lateral” strategy can be costly on many levels if not planned and executed properly. In order to enhance your success rate with a lateral hire or merger, your plan should include four distinct phases:  

  1. Recruitment

  2. Integration

  3. Retention

  4. Evaluation


It’s not your firewall or anti-virus, it’s your business practice that puts you at risk…Are people the weakest link?

By Rob Kleeger

The daily news headlines reveal the escalating, and costly, problem of data breaches. We are in the midst of a never-ending stream of articles, blogs and news reports about the latest cyber security breach. The days of casual hackers working for little more than bragging rights have given way to big business, where the financial rewards can be substantial. In June 2015 the FBI’s Internet Crime Complaint Center reported that it had received complaints of more than $18 million in losses over the preceding year from the CryptoWall ransomware and its variants, which extort payment in bitcoin. Across all the malware on the Internet, the amount of revenue these criminals collect is astonishing.

All companies store assets digitally, from consumer personal data to B2B customer data, trade secrets, and confidential information relating to mergers and acquisitions. Law firms in particular handle sensitive data: intellectual property, corporate transactions, mergers and acquisitions, bank account numbers, social security numbers, client addresses, credit card information, health care information, and other personally identifiable information (PII).

Additionally, law firms rely on many people beyond partners and associates who may have access to sensitive data, such as contract attorneys, paralegals, secretaries, and others. An incident can occur when any of them accesses data improperly, or simply mentions something to friends or family or on social media.

Law firms themselves may have few secrets worth stealing; it is the client information that hackers want. The reality is that a firm holds a digital treasure trove of that data, which is a primary reason law firms have been targets for years.

A major harm is reputational: no firm wants to go to a major client and inform it that the firm has lost the client’s sensitive data.

All businesses depend upon the integrity and availability of their computer networks to operate efficiently, effectively, and securely. Corporate directors and officers have fiduciary obligations to safeguard these assets, and lawyers additionally have an ethical obligation to their clients.

When a breach happens, reputational, regulatory, financial and legal risks proliferate.

Unfortunately, the key question that never seems to get answered is: What exactly are we at risk from and what are we supposed to do about it?

With over a decade of experience in handling hundreds of matters, here is the hint: It’s not your firewall or anti-virus, it’s your business practice that puts you at risk…People are the weakest link.

After doing research by asking people about their definition of data security, I found many varied definitions.  I’ve defined it in simple terms, “Data security is simply keeping sensitive information from falling into the wrong person’s hands.”  

Consider this hypothetical:

You are on your way into work and you spot a USB thumb drive on the ground. It has your company’s logo on it, so you pick it up to see what is on it, figure out who it belongs to, and return it. You plug it into your office computer, but there are no files or anything else that identifies the owner. Hmm. Since it turns out to be a 128 gigabyte stick, you keep it for your own use. A few days later you plug it into your laptop and your home computer to move some old pictures and music between machines.

What you don’t know is that the drive carried malware that infected your computer the moment you inserted it and the auto-run feature executed it. The malware connects outbound to the attacker’s server, giving them full access to your computer and, through it, your network. The payload sits on a hidden partition that you could not see or delete, and it has now infected your home computer and laptop as well. Rather than needing physical access to your facility or a way through your network perimeter, the attacker simply tossed the drive into your parking lot from the street, and voila! They are in. (Windows 7 and later no longer run AutoRun from USB storage devices, and Microsoft back-ported that change to XP and Vista in 2011, so the modern form of this attack relies on a tempting document the finder opens, or on a drive that presents itself as a keyboard and types commands once plugged in. The lesson is the same.)

All of this happens without anyone realizing it. The attacker now has access into your firm and all of its data, and quietly uses it for monetary gain.
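For the scenario above, a small auditing script, added here as an example and not part of the original article or any product the author describes. It parses the autorun.inf that a dropped drive would carry, reports every directive that launches a program, and hashes the target so it can be checked against threat-intelligence feeds. The sample autorun.inf, the RECYCLER\update.exe path and the resolver callback are constructed for the example; since current Windows ignores AutoRun on USB storage, treat this as a triage aid for found drives and legacy hosts rather than a defence.

```python
"""Audit an autorun.inf for directives that execute code.

Added example for this article; not the author's code. It assumes the
Windows autorun.inf format: an [autorun] section whose open=,
shellexecute= and shell\\<verb>\\command= keys name a program to run.
"""
import hashlib
import re
from pathlib import Path

# Directives that run a program when the drive is inserted or opened.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample, modelled on the layout USB worms used to hide
# their payload in a folder Explorer does not show by default.
SAMPLE_AUTORUN = """\
[autorun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Firm Drive
open=RECYCLER\\update.exe /quiet
shell\\explore\\command="RECYCLER\\update.exe" -e
shell=explore
action=Open folder to view files
"""


def parse_autorun(text):
    """Return {key: value} for the first [autorun] section, keys lower-cased.

    autorun.inf is an INI file; Windows matches keys case-insensitively
    and takes the first occurrence of a repeated key.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def program_of(command):
    """Extract the program path from a command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launched_programs(entries):
    """(directive, program) pairs for every key that executes something."""
    return [(key, program_of(value)) for key, value in entries.items()
            if key in LAUNCH_KEYS or SHELL_COMMAND.match(key)]


def audit_autorun(text, resolve=None):
    """Report what the autorun.inf would launch.

    resolve(program) returns the file's bytes, or None if it cannot be
    read: that is how a real volume (or a test) supplies the targets.
    A directive whose target is missing is still a finding; the payload
    may live somewhere the normal file listing does not show.
    """
    report = []
    for key, program in launched_programs(parse_autorun(text)):
        data = resolve(program) if resolve else None
        report.append({
            "directive": key,
            "program": program,
            "present": data is not None,
            "sha256": hashlib.sha256(data).hexdigest() if data is not None else None,
        })
    return report


def scan_volume(root):
    """Audit a mounted drive at `root` (e.g. 'E:\\\\' or '/media/usb')."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []

    def resolve(program):
        target = root / program.replace("\\", "/")
        return target.read_bytes() if target.is_file() else None

    return audit_autorun(inf.read_text(errors="replace"), resolve)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        findings = scan_volume(sys.argv[1])
    else:  # demo against the constructed sample with a fake payload
        findings = audit_autorun(SAMPLE_AUTORUN,
                                 {"RECYCLER\\update.exe": b"MZ\x90\x00"}.get)
    for finding in findings:
        print(finding)
```

Run it with the mount point of a found drive as the only argument; with no argument it audits the constructed sample. A target that is reported absent is the more interesting case, not the less: the directive says something should run, and you cannot see it.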

Again, employees’ devices are the weakest link in most firms. These devices are typically protected only by antivirus software, and most attackers go after that point rather than working through a server or other externally facing protections.

Don’t even get me started on “Bring Your Own Disaster” policies. If your business has adopted a bring your own device (BYOD) policy, all that preparation for avoiding outside risks may have been for naught. BYOD introduces notable security threats that firms did not have to worry about previously. Employees are unknowingly your greatest threat. Sources show that over 80% of security threats to mobile devices are caused by careless employees. They don’t mean harm; it is just that the nature of their jobs gives them direct access to highly sensitive data.

Part-time employees come with all the same problems as full-time employees, only they know they are temporary. The risk is greater when no loyalty has been fostered. Sure, you might have them sign non-disclosure agreements, but if you are not keeping logs of what goes on, even the most trusted part-time employee can be very costly. They often have all the same access as full-time employees without the responsibility, and they are easy phishing targets. Former employees sometimes turn hostile after downsizing occurs; they may feel wronged and entitled to compensation. Employees who know they are leaving are also a substantial risk. What information did they take before they gave notice? And what about the access that former employees often retain after they have left the firm? Firms without quick and decisive exit procedures (accounts disabled, remote access revoked, devices collected on the day of departure) or clear restrictions on remote access can find that the path to data loss is much shorter than expected.

If a hacker has penetrated the network of a law firm’s client (or vice versa), the mailbox of in-house counsel, for example, it is then easy to identify the email addresses of outside attorneys and fabricate messages to deceive them. Once attackers gain access to a computer system, they typically have the ability and the desire to stay a while and hide. Their goal is not to snatch information and leave, but to remain secretly entrenched, monitoring the flow of information and harvesting more of it. Attackers generally maintain a presence in corporate systems for months without detection unless proactive measures are taken.

But two deeply researched reports released in 2015 underscore the less-heralded truth: the vast majority of hacking attacks succeed because employees click on links in tainted emails, companies fail to apply available patches for known software flaws, or technicians do not configure systems properly.

The best-known annual study of data breaches, the Verizon 2015 Data Breach Investigations Report, found that 23% of recipients opened phishing messages (the security industry’s term for trick emails), and that nearly 50% of those who open them do so and click on the malicious link within the first hour. Because so many people click on tainted links or attachments, a campaign sent to just 10 employees gets attackers inside the corporate gates more than 90% of the time, Verizon found.
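The fabricated-message scenario above and the phishing figures that follow it share one practical control: screen inbound mail that claims to come from a known counterpart before anyone acts on it. The script below is an added example, not the author’s code or a product the article describes. Using only the standard library, it checks whether the envelope sender matches the From domain, whether the receiving server’s SPF and DKIM results passed, and whether the From domain is a look-alike of a client domain the firm already knows. The messages, domains and addresses are constructed. Note what it cannot do: a message sent from a genuinely compromised mailbox passes every one of these checks, which is why a change of wire instructions still needs a phone call to a number you already had.

```python
"""Screen an inbound message for signs the sender is not who it claims.

Added example for this article; not the author's code. Checks envelope
vs From alignment, the receiving server's SPF/DKIM verdicts, and
look-alike domains. Sample messages and domains are constructed.
"""
import email
import re
from email.utils import parseaddr

# Domains of counterparts the firm corresponds with (constructed).
KNOWN_COUNTERPARTS = {"acmelegal.com"}

# Digits attackers swap for visually similar letters in a domain.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

SUSPECT = """\
Return-Path: <bounce@acme-legal-mail.com>
Authentication-Results: mx.firm.example; spf=pass smtp.mailfrom=acme-legal-mail.com; dkim=none
From: "Jane Doe, General Counsel" <jane.doe@acmelega1.com>
Reply-To: <jane.doe@acmelega1.com>
To: partner@firm.example
Subject: Updated wire instructions for Friday's closing

Please use the attached updated wire instructions for the closing.
"""

LEGIT = """\
Return-Path: <jane.doe@acmelegal.com>
Authentication-Results: mx.firm.example; spf=pass smtp.mailfrom=acmelegal.com; dkim=pass header.d=acmelegal.com
From: "Jane Doe" <jane.doe@acmelegal.com>
To: partner@firm.example
Subject: Closing checklist

Attached is the checklist we discussed on the call.
"""


def domain_of(header_value):
    """Domain of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known):
    """Known domain that `domain` imitates, or None.

    Two tests: equal after folding digit-for-letter homoglyphs and the
    rn/m trick, or within one edit of a known domain.
    """
    if domain in known:
        return None
    folded = domain.translate(HOMOGLYPHS).replace("rn", "m")
    for k in known:
        if folded == k or levenshtein(domain, k) <= 1:
            return k
    return None


def assess_message(raw, known):
    """Return {'from_domain', 'findings', 'risk'} for a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg["From"])
    findings = []

    envelope = domain_of(msg["Return-Path"])
    if envelope and envelope != from_domain:
        findings.append(f"envelope sender {envelope} differs from From domain {from_domain}")

    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != from_domain:
        findings.append(f"Reply-To domain {reply_to} differs from From domain")

    # Verdicts added by our own receiving server, not by the sender.
    results = {k.lower(): v.lower()
               for k, v in AUTH_RESULT.findall(msg.get("Authentication-Results", ""))}
    for check in ("spf", "dkim"):
        if results.get(check) != "pass":
            findings.append(f"{check} result is {results.get(check, 'missing')}")

    imitated = lookalike_of(from_domain, known)
    if imitated:
        findings.append(f"From domain {from_domain} is a lookalike of known counterpart {imitated}")

    risk = "high" if imitated or len(findings) >= 2 else ("medium" if findings else "low")
    return {"from_domain": from_domain, "findings": findings, "risk": risk}


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        verdict = assess_message(raw, KNOWN_COUNTERPARTS)
        print(label, verdict["risk"], *verdict["findings"], sep="\n  ")
```

Only trust the Authentication-Results header that your own mail server stamps on arrival; a sender can write one too, so a production filter strips any copy that arrives with the message.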

Most organizations spend a large amount of money protecting their perimeter from hackers. That spending is necessary, but a determined, targeted attack is often unstoppable at the perimeter: if your firm is singled out by a skilled hacker or hacking group, most security experts will confirm that no amount of perimeter hardening guarantees you can prevent a breach. Regardless of size, financial resources, security technology... people are the weakest link when it comes to data breaches.

So why are firms not spending more time understanding what sensitive data they hold and where it lives? Once you know what and where the data is, you can put controls in place and keep the logs and records an investigation will later need.

Following the tips below will, in our experience, go a long way toward avoiding a reportable data breach:

  • Passwords should be long and complex: upper- and lower-case letters, numbers, symbols, and random phrases. A long random passphrase is stronger than a short password with a few symbols swapped in.
  • Encrypt information as much as possible, whether produced to others or stored on your computers.
  • Have a proper file and data destruction policy.
  • Ask clients whether any of their data warrants special protection and discuss how that data should be protected.
  • Turn on two-factor authentication to add another layer of security to your login process.
  • Educate often and routinely. When it comes to protecting a firm from its own employees, there needs to be a balance between reasonable access and security.
  • Enact/revise/update internal policies and processes
    • Understand the security issues that can arise with cloud computing services and mobile devices.
  • Conduct risk assessments, including “ethical hacking” assessments
    • Analyze internal security strength, audits, and policies
    • Assess the strength of vendors, suppliers and partners and evaluate contracts
  • Formulate a data breach response plan
    • Crisis response team (internal and external)
    • Conduct breach response drills annually
    • Media/PR strategy
  • Insure
    • Consider a cyber risk policy to augment existing coverages
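For the two-factor tip above, here is what the code an authenticator app shows actually is and how a server should check it, as an added example that is not the author’s code or a product the article describes. The code is an HMAC over the current 30-second counter (RFC 6238), truncated to six digits; the verifier tolerates one step of clock drift, compares in constant time, and refuses a code that has already been used. The issuer and account names in the provisioning URI are placeholders; the secret is the RFC 6238 test vector.

```python
"""Time-based one-time passwords (RFC 6238) as used by authenticator apps.

Added example for this article; not the author's code. Generation is
HMAC-SHA1 over the interval counter with dynamic truncation (RFC 4226);
verification adds a drift window and replay protection.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HMAC-based OTP for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time) // step, digits, algorithm)


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that authenticator apps read from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits=6&period=30")


class TotpVerifier:
    """Server-side check with replay protection.

    `window` is how many steps of clock drift to tolerate on either side.
    Each counter value is accepted once; presenting the same code again,
    even while it is still "valid" on the phone, is refused.
    """

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def verify(self, code, at_time=None):
        at_time = time.time() if at_time is None else at_time
        counter = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue                          # already consumed
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "partner@firm.example", "Firm"))
    print("current code:", totp(RFC_SECRET))
```

The shared secret is the whole second factor: store it on the server with the same care as a password hash store (it cannot be hashed, since the server must compute the HMAC), and generate a fresh one per user with os.urandom rather than the RFC test value used here.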


 Article Written by Vincent M. Bell - Upstream Consulting Group

Since a period of very high inflation in the early 1980s, American businesses have been aggressively reducing production costs to limit price increases. In order to maintain prices and still earn reasonable profit margins, businesses have been controlling the cost of goods sold.

Since then, and even after the severe 2008 recession, law firms have done very little to identify, analyze and control their own internal production costs. They have focused on ways to better manage their matters and to price fixed-fee deals more accurately. Firms must behave like profit-making businesses (they must learn to manage their businesses as their clients manage theirs) by optimizing all their internal production processes and not just focusing on pricing. Pricing is very important, but it is only one component of a more complex system. The best way to review the entire system is with assessment tools that identify how each operational and financial process works within the firm. Once it is clear how these processes currently work, it is possible to identify points where there are interruptions or slowdowns in the workflow. These leakage points reduce profits, and the inefficiencies should be corrected as soon as they are identified. These are not one-time savings; they recur year after year. When assessing these functions, pay special attention to staff models and ratios; the billing and collections process; IT and the help desk; and institutionalized exceptions to normal operational and financial procedures for individuals or small groups of partners, to name just a few. Most importantly, these are improvements that are entirely under your own control. They will improve and regularize profitability irrespective of whether it is possible to raise rates.

In order to become more competitive, law firms must change their traditional financial and operational culture. That culture rests on being able to raise billing rates annually, rather than on an ongoing focus on cost control. As the economy slowly recovers from the recession, firms are finding it somewhat easier to raise billing rates. But it is unrealistic to think that aggressive annual rate increases will ever again become the norm. A significant portion of legal work is relatively commoditized and easily moved to another, less costly provider. There is much less client/firm loyalty than before, and partners are very reluctant to admit that a sizable portion of their legal work could easily move to a competitor. Firms need to change from businesses that are not price sensitive into entrepreneurial businesses that work with their clients to slow the growth of the clients’ legal spend.

In order to identify these leakage points and realize the savings, the best approach is to engage an experienced and independent consultant who can review their internal operations and identify whether their non-legal organizational structure, staffing models and financial processes are consistent with current best practices in the legal industry.

These assessments involve a thorough analysis of a firm’s non-legal operations, including all financial and administrative functions. Once the data is collected, consolidated and analyzed it will be clear how much profit leakage exists in your firm.


Article Written by Vincent M. Bell - Upstream Consulting Group

Many law firms are engaging outside third-party consultants to do assessments of their current staffing and organizational structure. Like the patient who visits the doctor for the periodic stress test, blood work-up and physical examination, law firm management is eager to verify that the firm is organized effectively and efficiently, consistent with best practices in the legal industry.

The evaluation begins with a careful analysis of the firm’s non-legal organizational structure. Does it deliver the support the lawyers need to serve their clients? Are the staffing levels consistent across the firm? If different practice groups get by with leaner staffing, is there a reason? The consultant applies industry ratios to each group within the firm as the evaluation progresses. The staffing patterns ought to identify potential opportunities to reduce costs within specific groups, and across the firm altogether.

Another important inquiry of the analysis is the skillset levels of the managers running the various staffing functions. There are no ratios for these evaluations so, like the experienced physician who knows how to “ask the right questions,” the consultant probes how the attorneys make use of the firm’s shared resources and whether the managers’ capabilities meet the attorneys’ needs.

A proper analysis ought to answer two questions: 1) Is the firm (or a particular practice group) doing the best job possible in controlling internal costs? 2) Are the efficiency/staffing levels consistent across the firm, and consistent with industry ratios? With the consultant’s recommendations in hand, the firm is then prepared to choose which of them it would like to implement, either on its own or by engaging the consultant to oversee the implementation process.

The pricing for this evaluation should be broken down into phases. Phase 1 is the data collection analysis and recommendations phase which should be for a fixed fee. If the consultant is engaged by the firm to assist in Phase 2, the implementation process, then that work is generally priced on an hourly basis.

This type of internal stress testing is important for firms to do now. Like the overdue visit to the doctor, this type of internal self-examination might result in a prognosis that some firms may not want to hear, but it is essential to do on an ongoing basis. These examinations produce extremely useful information that ought to help the firm remain in good fiscal health.

If you would like additional information on stress testing for your law firm, please contact me on a confidential basis to discuss how we can assist you in designing a customized stress test for your firm.

Envision the Future and Make it Happen

By John Fitzgerald, CPA –- Partner and Chair Law Firm Services, Berdon LLP

March 2015 Legal Management Magazine


Capital planning and retention can be a contentious topic among law firm partners — often because the issue involves just how much will be coming out of each individual’s pocket. Nevertheless, it is a process that is crucial to the short- and long-term well-being of your firm. To ease the planning along, it is useful to break the process down so that all involved will see clearly what is necessary and important for their future.  


Alternate Fee Arrangements...

By John Fitzgerald, CPA –- Partner and Chair Law Firm Services, Berdon LLP

January 2015 Practice Made Perfect, Berdon LLP Law Firm Newsletter 

Historically, the fee structure between client and law firm had been the billable hour. The world changed with the massive sweep of the Great Recession when firms faced huge fee reductions. Today, in-house legal departments continue to apply pressure on law firms in the form of fee reductions or risk-sharing agreements with clients.  More than ever, clients expect firms to provide legal services in the most efficient and cost effective manner.  While the billable hour remains the predominant fee arrangement in the legal industry, Alternate Fee Arrangements (AFAs) are becoming more commonplace.


There’s No Time Entry like the Present

By John Fitzgerald, CPA –- Partner and Chair Law Firm Services, Berdon LLP

The very human tendency to procrastinate is something we all need to combat and in the world of professional services this is particularly important when it comes to time entry. It is worth a review of the benefits of entering time on time along with some thoughts on how to overcome the urge to put off what is inevitable and essential to the firm’s success.
