Ascertus featured in Legal IT Professionals | Document and Transaction Management Processes Critical for Law Firm Data Security
The original article was featured in Legal IT Professionals: Document and Transaction Management Processes Critical for Law Firm Data Security
The security-related lexicon pertaining to email scams is rapidly growing. There’s phishing, spear-phishing, ransomware, whaling; and most recently, I heard of ‘smishing’. Not entirely an email scam, but these SMS-based messages have an email-like format with email-specific fields in the messages and malicious links hiding behind shortened URLs.
Cybercrime is indeed a global problem, but law firms are especially susceptible due to the large volume of highly sensitive client data they hold on businesses and individuals, in addition to the fact that they are also cash-rich.
Emails are the chink in law firms’ armour. Due to the pervasiveness of email as the default communications tool, it’s easiest for criminals to take advantage of it for malicious purposes. Security systems may mitigate many of the issues, but nowadays it is the law firm Partnership and staff that are being targeted and socially engineered. They must be educated and made aware of the warning signs. In cases where security is still breached (and it will be), adding hurdles and layers of security for the criminals to navigate will help minimise risk.
Consider this scenario. A Partner at a law firm receives an email from a professional acquaintance, with a suggestion to visit a particular site via the link in the email. The Partner clicks on the link, which takes the individual to a page with a message, ‘can’t reach the page’. Soon after, a window pops up on the Partner’s screen requesting a re-authentication with the firm’s email server. Unsuspectingly, the Partner enters the details and in doing so, gives away credentials to criminals, who then have full control of the PC and access to not just the Outlook mailbox, but potentially also the firm’s entire data in the network. It’s that simple!
Ringfencing critical data
Law firms need to institute strong security defences around data, so that in the event of a breach the damage can be contained, if not entirely pre-empted. Properly configured processes in the firm’s email and document management will go a long way in facilitating data security. Some thoughts:
Fully administered locations – Rather than storing information in file shares and Outlook inboxes, saving information in ‘governed’ locations in the firm’s email and document management system is a better approach. Many access restrictions can be instituted to ensure that data is not easily available to unauthorised users. For example, demanding multi-factor authentication means that only users who can present two or more pieces of evidence to authenticate themselves are granted entry to the file or folder. Security can be further enhanced by leveraging encryption at rest and in transit. Most crucially, if a breach does occur, the email and document management solution would provide audit trails to track the actions of every single user, enabling the law firm to ascertain exactly what data has been compromised. This is important for timely and appropriate crisis and customer management.
Enforcement of strict ‘pessimistic’ security policies – Culturally, most law firms have been fairly open in the way they share and access information internally. In today’s world, this optimistic attitude is risk-ridden, especially for those firms who have a multiple regional presence or are planning the same. Structuring and enforcing corporate security policies down to a very granular level is imperative. This will shift the focus of the security policy away from the feeble password approach, which is completely unreliable given that employees are prone to sharing and often losing such codes. Applying access policies at the file, sub-folder, document and email level ensures that only approved individuals can access data – i.e. rather than giving an employee access to an entire folder in order to view a single file, a partner could authorise the individual to view just that one document, barring visibility of all the other pieces of information. Additionally, automatic ‘inheritance’ can be applied to folders, so that any document added to a particular folder mechanically inherits the security profile of that folder.
Provision of secure file sharing – File sharing tools like Dropbox and Box have seen exponential growth in the enterprise over the last few years, perhaps because organisations hardly offer comparable easy-to-install, user-friendly and cross-platform applications for sharing large file attachments with external parties. Consequently, these ‘shadow IT’ solutions have grown outside of the IT governance policies whilst employees resort to the use of these insecure tools to easily and speedily exchange information. Utilising such services provided on the back of the email and document management systems is a much better alternative: equally effective and intuitive to use, and offering the necessary governance controls like auditability and security.
Records management and timely data destruction – Organisations don’t always appreciate the value of timely data destruction. It is instrumental to records management. Law firms must have processes that automatically enforce destruction policies. Aside from saving storage costs, timely data destruction minimises the risk of unnecessarily held information reaching the hands of criminals. Records management systems will also ensure that firms understand exactly what data they hold, in what format and where. In the event of a security breach, they will be able to quickly identify and inform the necessary parties and regulators. Failure to do so may now result in severe, possibly business-terminating, fines.
Threat management analytics – A hacker can penetrate a network and ‘sleep’ there undetected for weeks and months, without the organisation noticing, whilst accessing and monitoring the information they require. Commonly now, an employee goes rogue, stealing or destroying data from the firm’s systems. By leveraging smart threat management systems, firms can build up an accurate analysis of their users’ behavioural patterns and proactively detect peculiar activity, which is essential to mitigating the effects of malicious security incidents.
Adopting digital transaction management processes
Additionally, as organisations conduct business in today’s ever-increasing digitised environment, adopting electronic signatures and digital transaction management (DTM) can go a long way in not only managing the lifecycle of business transactions, but making those transactions faster, easier, more convenient and doubly secure.
DTM systems can assist employees to prepare, execute and manage every stage, both internally and externally, of their transactions. There is full, real-time auditability – how many times a document was opened, by whom and at what times, who signed the transaction and when. Once digitally signed, the document is sealed to indicate that the electronic signature is valid and that the document has not been tampered with. This ensures that documents are legally admissible and enforceable. Such technology of course must be based on industry security certification standards such as ISO 27001. When talking to Richard Oliphant, Europe, Middle East and Africa General Counsel at DocuSign, he commented, “When using a Digital Transaction Management platform to digitise workflow, you have access to a real-time audit trail, tracking every step of the transaction – who signed, when they signed and, in some cases, where they signed. It generates the ‘proof’ of signature that you can rely on in court to establish the authenticity and integrity of the electronic transaction. And there’s the efficiency and cost savings through going paperless – firms remove the need for printing, faxing, scanning and mailing. These outdated services not only eat up money, they don’t belong in the digital era.”
Many organisations today invest heavily in trying to prevent a breach. Evidence suggests that perhaps the emphasis should be on mitigating the impact of a successful breach. Securing business-critical data is not only obvious, but also a quick win. Given the pace and vigour with which criminals are building their armoury, alongside their phenomenal success rate, strengthening security barriers around data is not only a practical and astute approach, but also a no-brainer.
The original article was featured in IT Security Guru, Document Management + Email Management + Transaction Management = Mitigating the Impact of Security Breaches
Organisations today are expending (and rightly so) a great deal of money, time and effort on deploying a variety of technologies to prevent security breaches. They must, however, also make similar efforts to mitigate the impact of malicious attacks in the event of a security incident, which most security professionals believe to be a matter of time – if it hasn’t already happened.
Due to the ubiquity and pervasiveness of email, it is most definitely the ‘Achilles heel’ of most organisations. Today, 91% of attacks start with an email. This is no surprise, given that phishing, ransomware and whaling all are email scams. To protect data, integrating email security with email, document and digital transaction management is the ‘low hanging fruit’ – it must be a key consideration as part of the overall security strategy of any organisation. This will add another level of safeguard to data by strongly ring-fencing it to prevent hacker access to business-critical information.
Such an integrated approach – i.e. email security + email and document management + transaction management – will streamline the processes and technology to create a strong security foundation in the organisation. Here are some ideas:
- Email security systems are the first line of defence. They automate processes to detect suspicious URLs, identify keywords and match known sources of scams and threats to a blacklist. The problem, however, is that organisations simply aren’t able to keep pace with the rapidly improving attack methods of cyber criminals, and so despite the heightened alertness of professionals, it is often difficult to detect a malicious email. According to experts, today there are over 120 families of ransomware. Hence, email security systems also establish best practices around people and processes so that in the event of a human error, the technology steps in to protect the data and the organisation.
- Set up stringently ‘controlled locations’ in the document management system for sensitive information, protected with features such as multi-factor authentication, and encryption at rest and in motion. Should a cyber-criminal, one way or another, gain access to the organisation’s network, access to data will be restricted to authorised users in this secure environment.
- Place further limits on confidential information in the document management system and minimise the use of standard file shares that rely on potentially flimsy passwords for security. In the document management system, apply rigorous access policies at file, sub-folder, document and email levels. This will ensure that only approved individuals can access data, regardless of where in the folder structure the information resides. For example, an employee could be granted access to a single file in a folder, barring visibility of all the other pieces of information. Additionally, consider applying automatic ‘inheritance’ to folders, so that any document added to a particular folder mechanically inherits the security profile of that folder.
- Limit or even replace the use of email as a default collaboration tool, and restrict unprotected consumer file sharing services (e.g. Dropbox) in favour of similar, easy-to-use, auditable tools from within the document management system.
- Enforce corporate data retention and destruction policies. This will grow in importance once the General Data Protection Regulation (GDPR) comes into full force in May 2018. Undertaking records management will help organisations know exactly what data they hold, in what format and where. Should there be a security breach, the organisation will be able to quickly inform the affected parties and the regulators, as demanded by the regulation. Crucially, it will ensure that the organisation doesn’t unnecessarily hold information it doesn’t need, which in the event of a hack could end up in the hands of criminals.
- Utilise analytics to monitor atypical activity. In doing so, build up an accurate picture of user behavioural patterns to actively detect untoward activity by analysing their usage habits, such as how many emails they typically send, what types of documents they work on, who they correspond with, which folders they are authorised to access and so on. This is critical to the ability to proactively identify malicious activity.
- Manage the lifecycle of business transactions through digital signatures, which are becoming increasingly important in today’s digital environment. They are legally admissible globally and are more secure than wet ink signatures. The technology is developed on industry security certification standards, such as ISO 27001, to ensure privacy of data by fully encrypting documents. It also offers authentication options and provides audit trails to support compliance.
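The ‘pessimistic’ policy described above (under ‘Enforcement of strict pessimistic security policies’ in the first article and in the access-policy point of this list) can be made concrete with a small model: every item is denied by default, a folder’s grants flow down to anything stored in it, a single document can be granted on its own without opening the folder, and a document can opt out of inheritance. The following is an added example written for this page, not Ascertus’s or any DMS vendor’s code; the `GovernedStore` class, its paths, users and grants are all constructed.

```python
"""Deny-by-default ('pessimistic') document access control with folder
inheritance and per-document grants.  Hypothetical model written for this
page, not any DMS vendor's API: the paths, users and grants are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from posixpath import dirname


@dataclass
class Item:
    """A folder or document.  `grants` lists principals explicitly allowed to
    read this item; `inherit` additionally pulls in the parent folder's
    effective grants (the 'automatic inheritance' described in the text)."""
    path: str
    grants: set[str] = field(default_factory=set)
    inherit: bool = True
    is_folder: bool = False


class GovernedStore:
    def __init__(self) -> None:
        self.items: dict[str, Item] = {"/": Item("/", set(), False, True)}
        self.audit: list[dict] = []   # every access decision, allowed or denied

    @staticmethod
    def _parent(path: str) -> str:
        return dirname(path.rstrip("/")) or "/"

    def add(self, path: str, *, grants=(), inherit=True, is_folder=False) -> Item:
        parent = self._parent(path)
        if parent not in self.items or not self.items[parent].is_folder:
            raise ValueError(f"parent folder does not exist: {parent}")
        self.items[path] = Item(path, set(grants), inherit, is_folder)
        return self.items[path]

    def effective_grants(self, path: str) -> set[str]:
        """Explicit grants plus, if inheritance is on, the parent's effective grants."""
        item = self.items[path]
        grants = set(item.grants)
        if item.inherit and path != "/":
            grants |= self.effective_grants(self._parent(path))
        return grants

    def can_read(self, user: str, path: str) -> bool:
        # Unknown paths and users without a matching grant are denied: no default-allow.
        allowed = path in self.items and user in self.effective_grants(path)
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "path": path, "allowed": allowed,
        })
        return allowed

    def visible_documents(self, user: str, folder: str) -> list[str]:
        """Documents under `folder` the user may open; ungranted siblings stay invisible."""
        prefix = folder.rstrip("/") + "/"
        return sorted(p for p, it in self.items.items()
                      if not it.is_folder and p.startswith(prefix) and self.can_read(user, p))


def build_demo() -> GovernedStore:
    """Constructed matter folder: the partner sees everything, the associate sees
    the matter, the paralegal is granted exactly one document instead of the folder."""
    s = GovernedStore()
    s.add("/matters", grants={"partner"}, is_folder=True)
    s.add("/matters/acme", grants={"associate"}, is_folder=True)
    s.add("/matters/acme/contract.docx")                        # inherits partner + associate
    s.add("/matters/acme/invoice.pdf", grants={"paralegal"})    # one-document grant, no folder access
    s.add("/matters/acme/strategy.docx", grants={"partner"}, inherit=False)  # inheritance broken
    s.add("/matters/acme/memo.docx")   # added later: inherits the folder profile automatically
    return s


if __name__ == "__main__":
    store = build_demo()
    for user in ("partner", "associate", "paralegal"):
        print(user, store.visible_documents(user, "/matters/acme"))
    print("denied decisions logged:", sum(not e["allowed"] for e in store.audit))
```

Two design points carry the security argument: `can_read` never returns true for a path or principal it does not know about, and `visible_documents` filters through the same check, so the paralegal cannot even enumerate the siblings of the one invoice they were granted. Every decision, including denials, lands in `audit`, which is what gives the post-breach reconstruction the text calls for.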
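The behavioural analytics described above (‘Threat management analytics’ in the first article and the analytics point in this list) come down to building a per-user baseline from the audit trail and scoring each new day against it. The following is an added example written for this page, not a vendor’s detection engine; the CSV log format, the users, the folders and the thresholds (mean plus three standard deviations, with a two-times-mean floor) are all constructed assumptions. It goes slightly beyond the text by also surfacing an account that has no history at all, which cannot be scored and so is reported for review.

```python
"""Behavioural baseline and anomaly scoring over a document-management audit
trail.  Hypothetical detection logic written for this page; the CSV log
format and every user and path in it are constructed."""
from __future__ import annotations

import statistics
from datetime import date, datetime
from posixpath import dirname


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Constructed format: ISO-8601 UTC timestamp,user,action,path."""
    ts, user, action, path = line.strip().split(",", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, path


def build_baselines(events, eval_day: date) -> dict[str, dict]:
    """Per-user history before `eval_day`: opens per active day and folders touched."""
    baselines: dict[str, dict] = {}
    for ts, user, action, path in events:
        if action != "open" or ts.date() >= eval_day:
            continue
        b = baselines.setdefault(user, {"daily": {}, "folders": set()})
        b["daily"][ts.date()] = b["daily"].get(ts.date(), 0) + 1
        b["folders"].add(dirname(path))
    return baselines


def score_day(events, baselines, eval_day: date) -> dict[str, dict]:
    """Flag users whose opens on `eval_day` exceed their own volume threshold,
    who touch folders absent from their history, or who have no history at all."""
    opens: dict[str, int] = {}
    folders: dict[str, set[str]] = {}
    for ts, user, action, path in events:
        if action != "open" or ts.date() != eval_day:
            continue
        opens[user] = opens.get(user, 0) + 1
        folders.setdefault(user, set()).add(dirname(path))

    findings: dict[str, dict] = {}
    for user, n in opens.items():
        base = baselines.get(user)
        if base is None:   # never seen before: cannot be scored, so surface for review
            findings[user] = {"opens": n, "threshold": None,
                              "new_folders": sorted(folders[user]), "no_baseline": True}
            continue
        counts = list(base["daily"].values())
        mean, sd = statistics.fmean(counts), statistics.pstdev(counts)
        # mean + 3 sigma, with a 2x-mean floor so a perfectly regular user (sd == 0)
        # is not flagged by ordinary day-to-day variation
        threshold = max(mean + 3 * sd, 2 * mean)
        new_folders = sorted(folders[user] - base["folders"])
        if n > threshold or new_folders:
            findings[user] = {"opens": n, "threshold": threshold,
                              "new_folders": new_folders, "no_baseline": False}
    return findings


def detect(lines: list[str], eval_day_iso: str) -> dict[str, dict]:
    """Parse the log, baseline everything before `eval_day_iso`, score that day."""
    events = [parse_line(l) for l in lines if l.strip()]
    eval_day = date.fromisoformat(eval_day_iso)
    return score_day(events, build_baselines(events, eval_day), eval_day)


def constructed_log() -> list[str]:
    """Ten quiet days for alice (5 opens/day in one matter) and bob (8 opens/day
    in another), then an eleventh day on which bob opens 60 documents at 02:00
    across two folders he has never used, and an unknown account appears."""
    lines = []
    for day in range(1, 11):
        lines += [f"2023-05-{day:02d}T09:{i:02d}:00Z,alice,open,/matters/acme/doc{i}.docx" for i in range(5)]
        lines += [f"2023-05-{day:02d}T10:{i:02d}:00Z,bob,open,/matters/globex/doc{i}.docx" for i in range(8)]
    lines += [f"2023-05-11T09:{i:02d}:00Z,alice,open,/matters/acme/doc{i}.docx" for i in range(5)]
    lines += [f"2023-05-11T02:{i:02d}:00Z,bob,open,{'/hr/payroll' if i % 2 else '/matters/acme'}/doc{i}.docx"
              for i in range(60)]
    lines += [f"2023-05-11T11:{i:02d}:00Z,carol,open,/matters/acme/doc{i}.docx" for i in range(3)]
    return lines


if __name__ == "__main__":
    for user, finding in detect(constructed_log(), "2023-05-11").items():
        print(user, finding)
```

On the constructed log, alice stays below her threshold and inside her usual folder and is not reported; bob is reported on both counts (60 opens against a threshold of 16, plus two folders outside his history); carol is reported because there is nothing to compare her against. Those folder-set findings are the ones worth cross-checking against the authorised-access list the text mentions, since a user reading outside the folders they were granted is a stronger signal than volume alone.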
A layered approach to security is essential today. From a data standpoint, such an approach will institute multiple barriers to ensure that even if a breach is successful, the damage to the organisation and its customers is minimal. The data will be extremely difficult to access.