Ascertus featured in Legal IT Professionals | Document and Transaction Management Processes Critical for Law Firm Data Security

Tuesday, November 29, 2016

The original article was featured in Legal IT Professionals: Document and Transaction Management Processes Critical for Law Firm Data Security

The security-related lexicon pertaining to email scams is rapidly growing. There’s phishing, spear-phishing, ransomware, whaling; and most recently I heard of ‘smishing’. Not an email scam as such, but these SMS-based messages mimic an email layout, complete with email-style fields, and hide malicious links behind shortened URLs.

Cybercrime is indeed a global problem, but law firms are especially susceptible: they hold large volumes of highly sensitive client data on businesses and individuals, and they are also cash rich.

Email is the chink in law firms’ armour. Because it is the default communications tool, it is the easiest channel for criminals to exploit for malicious purposes. Security systems mitigate many of the technical issues, but nowadays it is the firm’s Partnership and staff who are being targeted and socially engineered, and they must be educated and made aware of the warning signs. For the cases where security is still breached (and it will be), adding hurdles and layers of protection for the criminals to navigate helps minimise the damage.

Consider this scenario. A Partner at a law firm receives an email from what appears to be a professional acquaintance, suggesting a visit to a particular site via a link in the message. The Partner clicks the link and lands on a page that says ‘can’t reach the page’. Soon after, a window pops up asking the Partner to re-authenticate to the firm’s email server. Unsuspecting, the Partner types in the details and in doing so hands the credentials to the criminals. With a valid username and password they can log in to the Outlook mailbox from anywhere and, because the same credentials typically unlock the firm’s other systems, potentially reach much of the firm’s data on the network. It’s that simple!

Ringfencing critical data

Law firms need to institute strong security defences around data, so that in the event of a breach the damage can be contained, if not entirely pre-empted. Properly configured processes in the firm’s email and document management will go a long way in facilitating data security. Some thoughts:

Fully administered locations – Rather than storing information in file shares and Outlook inboxes, save it in ‘governed’ locations in the firm’s email and document management system, where access restrictions can be applied so that data is not readily available to unauthorised users. Requiring multi-factor authentication, for example, means a user is only granted entry to the system holding a file or folder after presenting two or more independent pieces of evidence of identity, so a phished password alone is not enough. Encryption at rest and in transit strengthens this further. Most crucially, if a breach does occur, the email and document management solution provides audit trails of every user’s actions, so the firm can establish exactly what data has been compromised. This is essential for timely and appropriate crisis and client management.

Enforcement of strict ‘pessimistic’ security policies – Culturally, most law firms have been fairly open in the way they share and access information internally. Today this optimistic attitude carries real risk, especially for firms with, or planning, a presence in several regions. Structuring and enforcing corporate security policies at a very granular level is imperative. It shifts the focus away from reliance on passwords alone, which are routinely shared, reused and lost. Applying access policies at file, sub-folder, document and email level ensures that only approved individuals can access data: rather than giving an employee access to an entire folder in order to view a single file, a partner can authorise that individual to view just that one document, leaving everything else in the folder invisible to them. Automatic ‘inheritance’ can also be applied to folders, so that any document added to a folder takes on that folder’s security profile unless it is given one of its own.

Provision of secure file sharing – File sharing tools like Dropbox and Box have seen exponential growth in the enterprise over the last few years, largely because organisations rarely offer comparably easy to install, user-friendly and cross-platform tools for exchanging large files with external parties. These ‘shadow IT’ solutions have therefore grown outside the firm’s IT governance, with employees using them to exchange information quickly but without the firm’s controls. Sharing services delivered on the back of the email and document management system are a much better alternative: equally effective and intuitive to use, while keeping the necessary governance controls such as access restrictions and auditability.

Records management and timely data destruction – Organisations don’t always appreciate the value of timely data destruction, yet it is fundamental to records management. Law firms must have processes that automatically enforce destruction policies. Aside from saving storage costs, timely destruction minimises the risk of unnecessarily held information reaching the hands of criminals: data that no longer exists cannot be stolen. Records management systems also ensure that firms know exactly what data they hold, in what format and where, so that in the event of a breach they can quickly identify and inform the necessary parties and regulators. Failure to do so may now result in severe, possibly business terminating, fines.

Threat management analytics – An attacker can penetrate a network and lie dormant for weeks or months, quietly accessing and monitoring the information they want without the organisation noticing. Insider threats are also common, with an employee going rogue and stealing or destroying data from the firm’s systems. By leveraging threat management systems that build an accurate baseline of each user’s normal behaviour, firms can proactively detect activity that departs from it, which is essential to limiting the damage from malicious security incidents.
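To make the per-document grant and folder inheritance described above concrete, here is a small access-control resolver. It is an added example written for this page, not code from Ascertus or from any document management product (iManage and others have their own models); the folder names, users and group memberships are constructed. It applies a pessimistic default (deny unless named), inherits a folder’s ACL to anything beneath it that has no ACL of its own, and lets a document-level ACL replace the folder’s so that one file can be shared with an outsider without exposing its siblings.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Perm is the access level a principal holds on an item. Deny is the
// default for anyone not named on the governing ACL (a "pessimistic" policy).
type Perm int

const (
	Deny Perm = iota
	Read
	Edit
)

func (p Perm) String() string { return [...]string{"deny", "read", "edit"}[p] }

// ACL maps a user or group name to the permission granted.
type ACL map[string]Perm

// Store keeps explicit ACLs by path. Folder paths end in "/", documents do
// not. An item with no ACL of its own inherits the nearest ancestor folder's
// ACL; an explicit ACL replaces (does not merge with) the inherited one.
type Store struct {
	acls   map[string]ACL
	groups map[string][]string // user -> groups the user belongs to
}

func NewStore() *Store { return &Store{acls: map[string]ACL{}, groups: map[string][]string{}} }

func (s *Store) SetACL(p string, acl ACL)      { s.acls[p] = acl }
func (s *Store) AddToGroup(user, group string) { s.groups[user] = append(s.groups[user], group) }

// grant returns the highest permission acl gives user, directly or via a group.
func (s *Store) grant(acl ACL, user string) Perm {
	best := acl[user] // a missing key yields Deny (the zero value)
	for _, g := range s.groups[user] {
		if acl[g] > best {
			best = acl[g]
		}
	}
	return best
}

// Effective resolves user's permission on p by walking up to the nearest
// explicit ACL. If no ancestor has one, the answer is Deny.
func (s *Store) Effective(user, p string) Perm {
	for cur := p; ; {
		if acl, ok := s.acls[cur]; ok {
			return s.grant(acl, user)
		}
		if cur == "/" {
			return Deny
		}
		parent := path.Dir(strings.TrimSuffix(cur, "/")) // "/a/b/c.docx" -> "/a/b"
		if parent == "/" {
			cur = "/"
		} else {
			cur = parent + "/"
		}
	}
}

// demoStore builds a constructed matter workspace: the litigation team
// edits everything in the matter folder, but one witness statement carries
// its own ACL that shares it with external counsel only.
func demoStore() *Store {
	s := NewStore()
	s.AddToGroup("paralegal.b", "litigation-team")
	s.AddToGroup("partner.a", "litigation-team")
	s.SetACL("/Matters/Smith-v-Jones/", ACL{"litigation-team": Edit})
	s.SetACL("/Matters/Smith-v-Jones/witness-statement.docx", ACL{"partner.a": Edit, "external.counsel": Read})
	return s
}

func main() {
	s := demoStore()
	checks := []struct{ user, item string }{
		{"paralegal.b", "/Matters/Smith-v-Jones/brief.docx"},                  // inherited edit
		{"paralegal.b", "/Matters/Smith-v-Jones/witness-statement.docx"},      // document ACL overrides: deny
		{"external.counsel", "/Matters/Smith-v-Jones/witness-statement.docx"}, // read on that one document
		{"external.counsel", "/Matters/Smith-v-Jones/brief.docx"},             // sibling stays hidden
		{"paralegal.b", "/Matters/Smith-v-Jones/new-note.docx"},               // newly added file inherits
		{"paralegal.b", "/Matters/Other/memo.docx"},                           // no ACL anywhere: deny
	}
	for _, c := range checks {
		fmt.Printf("%-18s %-52s %s\n", c.user, c.item, s.Effective(c.user, c.item))
	}
}
```

The override-rather-than-merge rule is the point to check in a real product: if a document ACL were merged with the folder ACL, the external grant on the witness statement would still leave the litigation team with access, and a folder-level change could silently widen a document that a partner believed was locked down.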

Adopting digital transaction management processes

Additionally, as organisations conduct business in an ever more digitised environment, adopting electronic signatures and digital transaction management (DTM) goes a long way not only towards managing the lifecycle of business transactions, but towards making those transactions faster, easier, more convenient and better protected.

DTM systems can assist employees to prepare, execute and manage every stage of their transactions, both internally and externally. There is full, real-time auditability: how many times a document was opened, by whom and at what times, who signed the transaction and when. Once digitally signed, the document is sealed: the signature is computed over the document’s contents, so a verifier can confirm both that the signature is valid and that the document has not been altered since signing. This supports the document’s legal admissibility and enforceability. Such technology must of course be built on recognised security certification standards such as ISO 27001.
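The ‘seal’ described above, as an added example that is not part of the original article or any DTM vendor’s implementation: an Ed25519 signature over the document digest together with the signer’s name and the signing time, so that a change to any of the three is detected at verification. The document text, signer name and timestamp are constructed; a real platform would use a standardised container such as CMS/PAdES and a certified timestamp rather than a caller-supplied string.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Seal is the record a signing service would keep with the document: the
// digest of the bytes that were signed, who signed, when, the signer's
// public key and the signature. Toy layout for illustration only.
type Seal struct {
	DocHash   string
	Signer    string
	SignedAt  string
	PubKey    ed25519.PublicKey
	Signature []byte
}

// payload is the exact byte string that gets signed. Binding the signer
// name and time into it means the audit facts ("who signed, when") are
// protected by the signature, not just the document body. A real format
// (CMS/PAdES) defines this encoding canonically; the newline layout here
// assumes names and times contain no newlines.
func payload(docHash, signer, signedAt string) []byte {
	return []byte(docHash + "\n" + signer + "\n" + signedAt)
}

func digest(doc []byte) string {
	h := sha256.Sum256(doc)
	return hex.EncodeToString(h[:])
}

// Sign seals doc under priv, recording signer and signedAt in the seal.
func Sign(doc []byte, priv ed25519.PrivateKey, signer, signedAt string) Seal {
	d := digest(doc)
	return Seal{
		DocHash:   d,
		Signer:    signer,
		SignedAt:  signedAt,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, payload(d, signer, signedAt)),
	}
}

// Verify recomputes the digest of the bytes presented and checks the
// signature over the rebuilt payload. Any change to the document, the
// signer name or the timestamp makes it return false.
func Verify(doc []byte, s Seal) bool {
	d := digest(doc)
	if d != s.DocHash {
		return false
	}
	return ed25519.Verify(s.PubKey, payload(d, s.Signer, s.SignedAt), s.Signature)
}

// Demo seals a constructed engagement letter, then shows that a one-byte
// change to the document and a change to the recorded signing time each
// invalidate the seal. Returns (original ok, tampered doc ok, tampered time ok).
func Demo() (bool, bool, bool, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	doc := []byte("Engagement letter: fee cap GBP 10,000. Signed for Example LLP.") // constructed
	seal := Sign(doc, priv, "partner.a@example.test", "2016-11-29T10:15:00Z")

	tamperedDoc := append([]byte(nil), doc...)
	tamperedDoc[len("Engagement letter: fee cap GBP ")] = '9' // 10,000 -> 90,000

	tamperedSeal := seal
	tamperedSeal.SignedAt = "2016-11-28T10:15:00Z" // backdate the signature

	return Verify(doc, seal), Verify(tamperedDoc, seal), Verify(doc, tamperedSeal), nil
}

func main() {
	ok, badDoc, badTime, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v\ntampered document verifies: %v\ntampered timestamp verifies: %v\n", ok, badDoc, badTime)
}
```

Note what the seal does and does not prove: it shows the bytes are unchanged since the holder of the private key signed this payload, which is why key custody (HSM or a certified signing service) and the trustworthiness of the timestamp source matter as much as the algorithm.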

When talking to Richard Oliphant, Europe, Middle East and Africa General Counsel at DocuSign, he commented, “When using a Digital Transaction Management platform to digitise workflow, you have access to a real-time audit trail, tracking every step of the transaction – who signed, when they signed and, in some cases, where they signed. It generates the ‘proof’ of signature that you can rely on in court to establish the authenticity and integrity of the electronic transaction. And there’s the efficiency and cost savings through going paperless – firms remove the need for printing, faxing, scanning and mailing. These outdated services not only eat up money, they don’t belong in the digital era.”

Many organisations today invest heavily in trying to prevent a breach. Evidence suggests that the emphasis should perhaps be on mitigating the impact of a successful breach. Securing business-critical data is not only the obvious step but also a quick win. Given the pace and vigour with which criminals are building their armoury, and their phenomenal success rate, strengthening the security barriers around data is a practical and astute approach, and frankly a no-brainer.

Thursday, November 24, 2016

Ascertus Featured in IT Security Guru: Mitigating the Impact of Security Breaches

The original article was featured in IT Security Guru, Document Management + Email Management + Transaction Management = Mitigating the Impact of Security Breaches

Organisations today are expending (and rightly so) a great deal of money, time and effort on deploying a variety of technologies to prevent security breaches. They must, however, also make similar efforts to mitigate the impact of malicious attacks in the event of a security incident, which most security professionals believe to be only a matter of time, if it hasn’t already happened.

Due to its ubiquity, email is the ‘Achilles heel’ of most organisations; it is commonly reported that around 91% of attacks start with an email. This is no surprise: phishing and whaling are email scams, and ransomware is most often delivered by email. To protect data, integrating email security with email, document and digital transaction management is the ‘low hanging fruit’ and must be a key consideration in the overall security strategy of any organisation. It adds a further safeguard by ring-fencing business-critical information, so that an attacker who gets past the perimeter finds it much harder to reach.

Such an integrated approach – i.e. email security + email and document management + transaction management – will streamline the processes and technology to create a strong security foundation in the organisation. Here are some ideas:

  • Email security systems are the first line of defence. They automate the detection of suspicious URLs, flag keywords and match senders against blacklists of known scam and threat sources. The problem is that organisations cannot keep pace with the rapid evolution of attack techniques, so even alert professionals find malicious emails hard to spot; according to experts there are now over 120 families of ransomware alone. Email security must therefore be backed by best practices around people and processes, so that when a human error occurs the technology steps in to protect the data and the organisation.

  • Set up stringently ‘controlled locations’ in the document management system for sensitive information, protected with features such as multi-factor authentication and encryption at rest and in transit. Should a cyber-criminal gain access to the organisation’s network by one means or another, access to the data in this secure environment remains restricted to authorised users.

  • Place further limits on confidential information in the document management system and minimise the use of standard file shares that rely on potentially flimsy passwords for security. In the document management system, apply rigorous access policies at file, sub-folder, document and email levels. This ensures that only approved individuals can access data, regardless of where in the folder structure the information resides. For example, an employee could be granted access to a single file in a folder, barring visibility of all the other pieces of information. Additionally, consider applying automatic ‘inheritance’ to folders, so that any document added to a particular folder mechanically inherits the security profile of that folder.

  • Limit or even replace the use of email as the default collaboration tool, and restrict ungoverned consumer file sharing services (e.g. Dropbox) in favour of similar, easy to use, auditable tools provided from within the document management system.

  • Enforce corporate data retention and destruction policies. This will grow in importance once the General Data Protection Regulation (GDPR) comes into full force in May 2018. Undertaking records management will help organisations know exactly what data they hold, in what format and where. Should there be a security breach, the organisation will be able to quickly inform the affected parties and the regulators, as demanded by the regulation. Crucially, it will ensure that the organisation doesn’t unnecessarily hold information it doesn’t need, which in the event of a hack could end up in the hands of criminals.

  • Utilise analytics to monitor atypical activity. Build up an accurate picture of each user’s behavioural patterns by analysing their usage habits, such as how many emails they typically send, what types of documents they work on, who they correspond with and which folders they are authorised to access, and use that baseline to actively detect untoward activity. This is critical to the ability to proactively identify malicious activity.

  • Manage the lifecycle of business transactions through digital signatures, which are becoming increasingly important in today’s digital environment. They are legally admissible in many jurisdictions (the precise rules vary by country and document type) and are harder to forge or alter undetected than wet ink signatures. The technology is built on industry security certification standards such as ISO 27001, protects the privacy of data by encrypting documents, offers signer authentication options and provides audit trails to support compliance.
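The behavioural baseline that both articles describe (and that the predictions piece below returns to) can be illustrated with a small detector. This is an added example written for this page, not Ascertus’s or any vendor’s product code. It runs over a constructed audit trail in a hypothetical ‘date user action path’ line format, scores each user’s daily document opens against their other days, and separately flags any open outside the folders the user is authorised for.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// event is one audit record: who opened what, and when.
type event struct{ date, user, action, path string }

// parseLine reads the constructed line format "date user action path"
// (hypothetical; a real DMS audit export will look different).
func parseLine(line string) (event, bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return event{}, false
	}
	return event{f[0], f[1], f[2], f[3]}, true
}

// constructedLog builds a small synthetic audit trail: alice and bob each
// open a handful of matter documents per working day; on the last day alice
// opens far more than usual, and bob opens one HR file outside his matters.
func constructedLog() []string {
	days := []string{"2016-11-21", "2016-11-22", "2016-11-23", "2016-11-24", "2016-11-25"}
	alice := []int{5, 4, 6, 5, 48}
	bob := []int{3, 3, 3, 4, 3}
	var lines []string
	for i, d := range days {
		for j := 0; j < alice[i]; j++ {
			lines = append(lines, fmt.Sprintf("%s alice open /Matters/M%03d/draft-%d.docx", d, j%9, j))
		}
		for j := 0; j < bob[i]; j++ {
			lines = append(lines, fmt.Sprintf("%s bob open /Matters/M%03d/letter-%d.docx", d, j, j))
		}
	}
	lines = append(lines, "2016-11-24 bob open /HR/Payroll/salaries.xlsx")
	return lines
}

// Finding is one flagged observation.
type Finding struct{ User, Date, Reason string }

// Detect applies two checks. Volume: a user's daily open count is flagged
// when it exceeds the mean of their other days by more than three standard
// deviations AND is at least three times that mean (the second condition
// stops a baseline of identical days, sd = 0, from flagging a single extra
// open). Scope: any open outside the folder prefixes the user is allowed.
func Detect(lines []string, allowed map[string][]string) []Finding {
	counts := map[string]map[string]int{} // user -> date -> opens
	var out []Finding
	for _, l := range lines {
		ev, ok := parseLine(l)
		if !ok || ev.action != "open" {
			continue
		}
		if counts[ev.user] == nil {
			counts[ev.user] = map[string]int{}
		}
		counts[ev.user][ev.date]++
		if !inScope(ev.path, allowed[ev.user]) {
			out = append(out, Finding{ev.user, ev.date, "out-of-scope open: " + ev.path})
		}
	}
	for user, byDay := range counts {
		for day, n := range byDay {
			mean, sd := stats(byDay, day)
			if float64(n) > mean+3*sd && float64(n) >= 3*mean {
				out = append(out, Finding{user, day, fmt.Sprintf("volume: %d opens vs baseline %.1f", n, mean)})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].User+out[i].Date < out[j].User+out[j].Date })
	return out
}

func inScope(p string, prefixes []string) bool {
	for _, pre := range prefixes {
		if strings.HasPrefix(p, pre) {
			return true
		}
	}
	return false
}

// stats returns the mean and population standard deviation of the counts
// on all days except the one being scored (leave-one-out baseline).
func stats(byDay map[string]int, skip string) (float64, float64) {
	var sum, sumSq, k float64
	for d, n := range byDay {
		if d == skip {
			continue
		}
		sum += float64(n)
		sumSq += float64(n) * float64(n)
		k++
	}
	if k == 0 {
		return 0, 0
	}
	mean := sum / k
	v := sumSq/k - mean*mean
	if v < 0 {
		v = 0 // guard against floating-point rounding below zero
	}
	return mean, math.Sqrt(v)
}

func main() {
	allowed := map[string][]string{"alice": {"/Matters/"}, "bob": {"/Matters/"}}
	for _, f := range Detect(constructedLog(), allowed) {
		fmt.Printf("%s %s %s\n", f.Date, f.User, f.Reason)
	}
}
```

With this data the detector reports exactly two findings: alice’s 48 opens on 25 November against a baseline of about five, and bob’s single payroll file. Bob’s slightly busier day does not trip the volume check, which is the behaviour you want; the scope check catches the access that matters regardless of volume.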

A layered approach to security is essential today. From a data standpoint, such an approach will institute multiple barriers to ensure that even if a breach is successful, the damage to the organisation and its customers is minimal. The data will be extremely difficult to access.

Tuesday, December 6, 2016

Media Alert | 2017 Predictions by Roy Russell, CEO of Ascertus Limited

London, U.K. – 06 December 2016 –

Threat and Records Management to Dominate in 2017; With Artificial Intelligence, in the Vein of Commoditisation, Striving to Make a Bigger Play

Roy Russell, CEO of Ascertus Limited, highlights his view on the technology trends in the legal sector in 2017:

  • Threat management will play a key role in security efforts – With the continued onslaught of cyber-crime in all its various guises – phishing, ransomware, whaling, smishing and so on – security will be high up on the agenda in the legal sector. In addition to traditional reactive security measures, law firms will look to make pre-emptive security a priority. To support this requirement, legal technology vendors will embed threat monitoring and management into the core business applications that firms use. Linking big data with behavioural intelligence based on system history, such tools will create, study and monitor the fingerprint of every single user and alert the organisation to unusual actions and activities. These threat management solutions will very accurately highlight the usage patterns of employees based on their role in the organisation. Consequently, any peculiar or untoward activity will be relatively easy to spot, potentially identifying attacks in progress and even improving the ability to detect future breaches.

  • Records management systems will grow in importance and functionality – Records management is becoming essential for regulatory compliance and data security, driven to the forefront of firms’ agendas by the impending arrival of the General Data Protection Regulation (GDPR). The ability to automatically apply company retention policies to physical files, electronic documents and email correspondence based on good governance practices in both controlled and uncontrolled environments, from a range of device types, as well as inside and outside the corporate firewall, will become essential.

    Historically, records management has been viewed as a burdensome elective process, relying upon users to manually apply the correct retention policies to their individual records. This has rarely been effective. To support the more widespread use of records management in view of the business imperatives, software vendors will make their systems more affordable and processes more user friendly and intuitive. For example, in recent times we have seen the rise of separate record management systems that can auto-categorise and automatically apply retention policies, thus eliminating manual effort. Unfortunately, to date these types of solutions have been very expensive. The new breed of records management systems will provide such functionality as standard. They will also provide full management of many types of data repositories, both physical paper and electronic based, including tight integration with document management systems, network file shares, SharePoint repositories, and other data stores.

  • Artificial intelligence (AI) initiatives will continue, but in the vein of commoditisation – AI is garnering interest in the legal sector, but a closer inspection of the tools and apps being made available reveal that they are presently more similar to commoditised legal services in the form of packaged, low cost modules for areas such as wills, contracts, pre-nuptials and non-disclosure agreements for the benefit of consumers. Undoubtedly, AI offers tremendous potential and some large law firms have launched initiatives to leverage the technology. However, there’s a significant amount of work to be done in defining the ethical and legal boundaries for AI, before the technology can truly be utilised for delivering legal services to clients with minimal human involvement. Until then, in 2017 and perhaps for a few more years yet, we will continue to see incremental innovative efforts to leverage the technology, but in the vein of commoditisation – similar to what we have seen in the last 12 months.

Note to the editor: Roy Russell is available to discuss and substantiate his view with further detail.

About Ascertus Limited

Ascertus provides information and document lifecycle management consultancy, software solutions and IT support services to law firms and corporate legal departments. Based in Central London, the company offers a full range of professional services – from consultancy, business analysis and project management; to software implementation, training, documentation and technical support – delivering bespoke email, contract and document management solutions in on-premises and privately hosted environments. The company has successfully delivered and managed some of the largest iManage Work installations at customer sites in the UK. For more information, visit:

Media contact:


Vidushi Patel

+44 7958474632