The original article was featured in Legal IT Professionals: Document and Transaction Management Processes Critical for Law Firm Data Security
The security-related lexicon pertaining to email scams is rapidly growing. There’s phishing, spear-phishing, ransomware, whaling; and most recently, I heard of ‘smishing’. Not entirely an email scam, but these SMS-based messages have an email like format with email-specific fields in the messages and malicious links hiding behind shortened URLs.
Cybercrime is indeed a global problem, but law firms are especially susceptible: they hold large volumes of highly sensitive client data on businesses and individuals, and they are also cash rich.
Emails are the chink in law firms’ armour. Because email is the default communications tool, it is the easiest channel for criminals to exploit for malicious purposes. Security systems may mitigate many of the issues, but nowadays it is the law firm’s Partnership and staff who are being targeted and socially engineered. They must be educated and made aware of the warning signs. In cases where security is still breached (and it will be), adding hurdles and layers of security for the criminals to navigate will help minimise risk.
Consider this scenario. A Partner at a law firm receives an email from a professional acquaintance, with a suggestion to visit a particular site via the link in the email. The Partner clicks on the link, which takes the individual to a page with a message, ‘can’t reach the page’. Soon after, a window pops up on the Partner’s screen requesting a re-authentication with the firm’s email server. Unsuspectingly, the Partner enters the details and in doing so, gives away credentials to criminals, who then have full control of the PC and access to not just the Outlook mail box, but potentially also the firm’s entire data in the network. It’s that simple!
Ringfencing critical data
Law firms need to institute strong security defences around data, so that in the event of a breach the damage can be contained, if not entirely pre-empted. Properly configured processes in the firm’s email and document management will go a long way in facilitating data security. Some thoughts:
Fully administered locations – Rather than storing information in file shares and Outlook inboxes, saving information in ‘governed’ locations in the firm’s email and document management system is a better approach. Many access restrictions can be instituted to ensure that data is not easily available to unauthorised users. For example, demanding multi-factor authentication means that users are granted entry to a file or folder only if they can present two or more pieces of evidence to authenticate themselves. Security can be further enhanced by leveraging encryption at rest and in transit. Most crucially, if a breach does occur, the email and document management solution would provide audit trails to track the actions of every single user, enabling the law firm to ascertain exactly what data has been compromised. This is important for timely and appropriate crisis and customer management.
Enforcement of strict ‘pessimistic’ security policies – Culturally, most law firms have been fairly open in the way they share and access information internally. In today’s world, this optimistic attitude is risk-ridden, especially for those firms that have, or are planning, a presence in multiple regions. Structuring and enforcing corporate security policies down to a very granular level is imperative. This will shift the focus of the security policy away from the feeble password approach, which is completely unreliable given that employees are prone to sharing and often losing such codes. Applying access policies at the file, sub-folder, document and email level ensures that only approved individuals can access data – i.e. rather than giving an employee access to an entire folder in order to view a single file, a partner could authorise the individual to view just that one document, barring visibility of all the other pieces of information. Additionally, automatic ‘inheritance’ can be applied to folders, so that any document added to a particular folder mechanically inherits the security profile of that folder.
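The two points above (governed locations with audit trails, and pessimistic per-document policies with folder inheritance) are illustrated by the following added example. It is not code from the article or from any product the article mentions: a folder carries an access list, a sub-folder without its own list inherits its parent's, a document inherits its folder's list unless inheritance is switched off and can additionally carry explicit per-document grants, and every decision is written to an audit trail. The users, folders and documents are constructed.

```python
"""Added example (not from the article): a default-deny ("pessimistic")
access model for a document management tree. A folder carries an access
list; a sub-folder with no list of its own inherits its parent's; a document
inherits its folder's list unless inheritance is switched off, and can also
carry explicit per-document grants, so a partner can expose one document
without opening the whole folder. Every decision is written to an audit
trail. Users, folders and documents are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    acl: set = field(default_factory=set)       # users allowed to read; empty = inherit


@dataclass
class Document:
    name: str
    folder: Folder
    grants: set = field(default_factory=set)    # explicit per-document grants
    inherit: bool = True                        # also accept the folder's effective ACL


def effective_acl(folder: Folder) -> set:
    """Nearest ancestor (or the folder itself) with an explicit ACL wins."""
    node = folder
    while node is not None:
        if node.acl:
            return set(node.acl)
        node = node.parent
    return set()                                # no ACL anywhere: nobody is allowed


def can_read(user: str, doc: Document, audit: list) -> bool:
    allowed = set(doc.grants)
    if doc.inherit:
        allowed |= effective_acl(doc.folder)
    decision = user in allowed                  # anything not explicitly allowed is denied
    audit.append((user, doc.name, "allow" if decision else "deny"))
    return decision


# Constructed tree: Clients/ (partners only) -> Acme Ltd/ (inherits) -> three documents
CLIENTS = Folder("Clients", acl={"partner.a", "partner.b"})
ACME = Folder("Acme Ltd", parent=CLIENTS)
MERGER = Document("merger-agreement.docx", ACME)
INVOICE = Document("invoice-0042.pdf", ACME, grants={"paralegal.c"})
MEMO = Document("privileged-memo.docx", ACME, grants={"partner.b"}, inherit=False)


def demo() -> dict:
    audit: list = []
    results = {
        "partner_a_merger": can_read("partner.a", MERGER, audit),     # True via inheritance
        "paralegal_merger": can_read("paralegal.c", MERGER, audit),   # False: no grant
        "paralegal_invoice": can_read("paralegal.c", INVOICE, audit), # True: that one document only
        "partner_a_invoice": can_read("partner.a", INVOICE, audit),   # True: folder ACL still applies
        "partner_a_memo": can_read("partner.a", MEMO, audit),         # False: inheritance switched off
        "partner_b_memo": can_read("partner.b", MEMO, audit),         # True: explicit grant
    }
    results["denials_logged"] = sum(1 for _, _, d in audit if d == "deny")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The paralegal sees the invoice and nothing else in the folder, the privileged memo is visible only to the partner named on it, and both denials are in the audit list, which is the record an investigator would start from after a breach.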
Provision of secure file sharing – File sharing tools like Dropbox and Box have seen exponential growth in the enterprise over the last few years, perhaps because organisations hardly offer comparable easy to install, user-friendly and cross-platform applications for the sharing of large file attachments with external parties. Consequently, these ‘shadow IT’ solutions have grown outside of the IT governance policies whilst employees resort to these insecure tools to exchange information easily and speedily. Utilising comparable services provided on the back of the email and document management systems is a much better alternative: equally effective and intuitive to use, and offering the necessary governance controls like auditability and security.
Records management and timely data destruction – Organisations don’t always appreciate the value of timely data destruction. It is instrumental to records management. Law firms must have processes that automatically enforce destruction policies. Aside from saving storage costs, timely data destruction minimises the risk of unnecessarily held information reaching the hands of criminals. Records management systems will also ensure that firms understand exactly what data they hold, in what format and where. In the event of a security breach, they will be able to quickly identify and inform the necessary parties and regulators. Failure to do so may now result in severe, possibly business-terminating, fines.
Threat management analytics – A hacker can penetrate a network and ‘sleep’ there undetected for weeks and months without the organisation noticing, whilst accessing and monitoring the information they require. It is also now common for an employee to go rogue, stealing or destroying data from the firm’s systems. By leveraging smart threat management systems, firms can build up an accurate analysis of their users’ behavioural patterns and proactively detect peculiar activity, which is essential to mitigating the effects of malicious security incidents.
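The following added example (not from the article) shows what automatic enforcement of a destruction policy looks like in practice: each record carries a class, a closing date, a format and a location; a retention schedule maps class to years; a legal hold blocks destruction regardless of age; records with no schedule entry are kept and flagged; and an inventory answers the "what, in what format, where" question that breach notification starts from. The record classes, retention periods and records are constructed assumptions.

```python
"""Added example (not from the article): automatic enforcement of a records
retention schedule with a legal-hold exemption, plus the inventory a firm
needs to say what it holds, in what format and where. Record classes,
retention periods, records and dates are constructed assumptions."""
from dataclasses import dataclass
from datetime import date

SCHEDULE_YEARS = {"client-matter": 6, "hr": 7, "marketing": 1}   # assumed schedule


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    closed_on: date        # date the matter/file was closed; retention runs from here
    fmt: str               # "pdf", "email", "docx", ...
    location: str          # repository or store holding the record
    legal_hold: bool = False


def destruction_date(rec: Record):
    """Closing date plus the class's retention period; None if the class is not scheduled."""
    years = SCHEDULE_YEARS.get(rec.record_class)
    if years is None:
        return None
    try:
        return rec.closed_on.replace(year=rec.closed_on.year + years)
    except ValueError:     # closed on 29 February and the target year is not a leap year
        return rec.closed_on.replace(year=rec.closed_on.year + years, day=28)


def due_for_destruction(records, today: date) -> list:
    """Records whose retention has expired and that are not under legal hold."""
    return [r for r in records
            if not r.legal_hold
            and destruction_date(r) is not None
            and destruction_date(r) <= today]


def unclassified(records) -> list:
    """Records with no schedule entry: kept, but flagged for classification."""
    return [r for r in records if destruction_date(r) is None]


def inventory(records) -> dict:
    """(class, format, location) -> count: the starting point for breach notification."""
    summary = {}
    for r in records:
        key = (r.record_class, r.fmt, r.location)
        summary[key] = summary.get(key, 0) + 1
    return summary


# Constructed sample records
RECORDS = [
    Record("M-0017", "client-matter", date(2017, 6, 1), "pdf", "dms://clients/acme"),
    Record("M-0342", "client-matter", date(2019, 1, 1), "email", "dms://clients/bravo"),
    Record("HR-2016", "hr", date(2016, 2, 29), "docx", "dms://hr"),
    Record("MK-0001", "marketing", date(2023, 1, 1), "pdf", "share://marketing", legal_hold=True),
    Record("X-0099", "misc", date(2010, 1, 1), "pdf", "share://old"),
]


def demo(today: date = date(2024, 3, 8)) -> dict:
    return {
        "destroy": [r.record_id for r in due_for_destruction(RECORDS, today)],
        "classify": [r.record_id for r in unclassified(RECORDS)],
        "inventory": inventory(RECORDS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed date the closed 2017 matter and the 2016 HR file are due for destruction, the marketing record survives only because of its legal hold, and the unscheduled "misc" record is reported for classification rather than silently kept forever.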
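As an added example of the behavioural analysis just described (not code from the article or from any vendor), the block below learns, per user, the hours they normally work and their usual daily download volume from a baseline window of constructed audit lines, then flags later activity that deviates: off-hours use, a download-volume spike, or an account never seen before. The log format, the users and the thresholds are assumptions.

```python
"""Added example (not from the article): a minimal user-behaviour baseline
run over constructed document-management audit lines. For each user it
learns the hours they normally work and their usual daily download count
from a baseline window, then flags later activity that deviates: off-hours
use, a download-volume spike, or a user never seen before. Log format,
users and thresholds are all assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def _day(day: int, user: str, hours: list) -> list:
    """Build constructed lines: '<ISO timestamp> <user> <action> <document>'."""
    return [f"2024-03-{day:02d}T{h:02d}:15:00 {user} download matter-{day:02d}{i}.pdf"
            for i, h in enumerate(hours)]


# Five ordinary working days form the baseline window (constructed).
BASELINE_LOG = []
for _d in range(1, 6):
    BASELINE_LOG += _day(_d, "partner.a", [9, 11, 15])
    BASELINE_LOG += _day(_d, "paralegal.c", [10, 13, 16, 16, 17])

# Day to evaluate: normal partner activity, a 02:00 bulk download by the
# paralegal, and an account that never appeared in the baseline.
EVAL_LOG = (_day(8, "partner.a", [9, 11, 15])
            + [f"2024-03-08T02:{m:02d}:00 paralegal.c download matter-08bulk{m}.pdf"
               for m in range(40)]
            + ["2024-03-08T10:05:00 contractor.x view matter-0801.pdf"])


def parse(line: str):
    ts, user, action, doc = line.split()
    return datetime.fromisoformat(ts), user, action, doc


def build_baseline(lines: list) -> dict:
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))   # user -> date -> downloads
    for ts, user, action, _ in map(parse, lines):
        hours[user].add(ts.hour)
        if action == "download":
            daily[user][ts.date()] += 1
    profile = {}
    for user, hrs in hours.items():
        counts = list(daily[user].values()) or [0]
        profile[user] = {"hours": hrs, "mean": mean(counts), "sd": pstdev(counts)}
    return profile


def detect(profile: dict, lines: list, k: float = 3.0) -> list:
    alerts, seen = [], set()
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, action, _ in map(parse, lines):
        p = profile.get(user)
        if p is None:
            key = (user, ts.date(), "unknown_user")
            if key not in seen:
                seen.add(key)
                alerts.append({"user": user, "kind": "unknown_user",
                               "detail": f"no baseline for {user}"})
            continue
        if ts.hour not in p["hours"]:
            key = (user, ts.date(), "off_hours")
            if key not in seen:                     # one alert per user-day, not per event
                seen.add(key)
                alerts.append({"user": user, "kind": "off_hours",
                               "detail": f"first seen at {ts.isoformat()}"})
        if action == "download":
            daily[user][ts.date()] += 1
    for user, days in daily.items():
        p = profile[user]
        threshold = p["mean"] + k * max(p["sd"], 1.0)  # floor sd so a flat baseline still has slack
        for day, n in days.items():
            if n > threshold:
                alerts.append({"user": user, "kind": "volume_spike",
                               "detail": f"{n} downloads on {day}, baseline mean {p['mean']:.1f}"})
    return alerts


def demo() -> list:
    return detect(build_baseline(BASELINE_LOG), EVAL_LOG)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running it yields three alerts for the evaluated day: the paralegal's off-hours activity, the paralegal's volume spike, and the unknown contractor account; the partner's ordinary day produces nothing, and running the detector back over the baseline window itself is silent.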
Adopting digital transaction management processes
Additionally, as organisations conduct business in today’s ever-increasing digitised environment, adopting electronic signatures and digital transaction management (DTM) can go a long way in not only managing the lifecycle of business transactions, but making those transactions faster, easier, more convenient and doubly secure.
DTM systems can assist employees to prepare, execute and manage every stage of their transactions, both internally and externally. There is full, real-time auditability: how many times a document was opened, by whom and at what times, who signed the transaction and when. Once digitally signed, the document is sealed to indicate that the electronic signature is valid and that the document has not been tampered with. This ensures that documents are legally admissible and enforceable. Such technology of course must be based on industry security certification standards such as ISO 27001. When talking to Richard Oliphant, Europe, Middle East and Africa General Counsel at DocuSign, he commented, “When using a Digital Transaction Management platform to digitise workflow, you have access to a real-time audit trail, tracking every step of the transaction – who signed, when they signed and, in some cases, where they signed. It generates the ‘proof’ of signature that you can rely on in court to establish the authenticity and integrity of the electronic transaction. And there’s the efficiency and cost savings through going paperless – firms remove the need for printing, faxing, scanning and mailing. These outdated services not only eat up money, they don’t belong in the digital era.”
Many organisations today invest heavily in trying to prevent a breach. Evidence suggests that the emphasis should perhaps be on mitigating the impact of a successful breach. Securing business-critical data is not only the obvious step but also a quick win. Given the pace and vigour with which criminals are building their armoury, alongside their phenomenal success rate, strengthening security barriers around data is a practical and astute approach, and a no-brainer.
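To show what "sealed" and "real-time audit trail" mean mechanically, here is an added example that is not code from the article, from DocuSign or from any DTM product. The seal is an HMAC-SHA256 over the document digest, signer and signing time, used here as a stand-in for the asymmetric signature and certificate a real platform would apply; the audit events are hash-chained so that altering or removing any entry invalidates everything after it. The key, names and timestamps are constructed.

```python
"""Added example (not from the article or DocuSign): sealing a document and
keeping a tamper-evident audit trail. The seal is an HMAC-SHA256 over the
document digest plus signer and time, standing in for the asymmetric
signature and certificate a real DTM platform would use; audit events are
hash-chained so that altering or dropping any entry invalidates everything
after it. Key, names and timestamps are constructed assumptions."""
import hashlib
import hmac
import json

SEAL_KEY = b"constructed-demo-key-not-for-real-use"   # assumption: a real system signs with a private key
GENESIS = "0" * 64                                     # prev_hash of the first audit entry


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seal(document: bytes, signer: str, signed_at: str) -> dict:
    """Bind the document's digest, the signer and the time into one sealed record."""
    payload = {"doc_sha256": digest(document), "signer": signer, "signed_at": signed_at}
    msg = json.dumps(payload, sort_keys=True).encode()
    payload["seal"] = hmac.new(SEAL_KEY, msg, hashlib.sha256).hexdigest()
    return payload


def verify_seal(document: bytes, sealed: dict) -> bool:
    """False if the content changed after signing or any sealed field was altered."""
    payload = {k: v for k, v in sealed.items() if k != "seal"}
    if payload.get("doc_sha256") != digest(document):
        return False
    msg = json.dumps(payload, sort_keys=True).encode()
    expected = hmac.new(SEAL_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("seal", ""))


def append_event(trail: list, actor: str, action: str, at: str) -> dict:
    """Append an audit event whose hash covers the previous entry's hash."""
    prev = trail[-1]["entry_hash"] if trail else GENESIS
    event = {"actor": actor, "action": action, "at": at, "prev_hash": prev}
    event["entry_hash"] = digest(json.dumps(event, sort_keys=True).encode())
    trail.append(event)
    return event


def verify_trail(trail: list) -> bool:
    """Walk the chain: every entry must link to its predecessor and match its own hash."""
    prev = GENESIS
    for event in trail:
        body = {k: v for k, v in event.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev:
            return False
        if digest(json.dumps(body, sort_keys=True).encode()) != event.get("entry_hash"):
            return False
        prev = event["entry_hash"]
    return True


def demo() -> dict:
    contract = b"Engagement letter v3: constructed sample content"
    trail: list = []
    append_event(trail, "partner.a", "opened", "2024-03-08T09:00:00Z")
    append_event(trail, "client.x", "opened", "2024-03-08T09:30:00Z")
    sealed = seal(contract, "client.x", "2024-03-08T09:31:00Z")
    append_event(trail, "client.x", "signed", sealed["signed_at"])
    clean = verify_seal(contract, sealed) and verify_trail(trail)

    tampered_doc = contract.replace(b"v3", b"v4")     # content edited after signing
    trail[1]["actor"] = "someone.else"                 # audit entry rewritten after the fact
    return {
        "clean": clean,
        "doc_tamper": verify_seal(tampered_doc, sealed),
        "trail_tamper": verify_trail(trail),
    }


if __name__ == "__main__":
    print(demo())
```

The clean document and trail verify; a one-character edit to the contract or to a past audit entry fails verification, which is the property the article relies on when it says a sealed document "has not been tampered with".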