Barrier to data breaches

by Mark Rowe

Trends such as phishing, ransomware and whaling show no signs of abating. Ransomware is proving to be an extremely lucrative business model for hackers. Security researchers believe that some developers of ransomware have even adopted a ransomware-as-a-service model, distributing their wares through professional-looking websites with information on how to configure the software, writes Roy Russell, CEO of a document management company, Ascertus Limited.

And for their efforts, they are demanding a 20 per cent cut of the profits. According to a recent report, the total cost of ransomware to business is set to reach $1 billion in 2016.

Furthermore, hackers are now also resorting to whaling or business email compromise, i.e. stealing the business credentials of C-level executives and abusing their authority to trick employees into making large wire transfers of funds to financial institutions. In the last three years, whaling scams have led to more than $2.3 billion in losses, according to the Federal Bureau of Investigation.

While most organisations are heavily investing in anti-virus software and cyber security products to pre-empt security breaches, they are ignoring the bleeding obvious: the ubiquitous email. Phishing, ransomware and whaling are all email scams. With the high level of reliance on email for record keeping, correspondence and collaboration in business, the pervasive email is the ‘sitting lame duck’ for cyber criminals. There is empirical evidence too: according to Mimecast, the email security services provider, 91% of attacks start with an email.

It’s true that organisations deploy best-of-breed email security solutions to defend against a security breach, but no matter how well protected they think they are, they must still be prepared for a successful assault. Without supplementing email security with a solution that houses confidential and business-critical information – i.e. the email and document management system – there is a gaping hole in security defences. In fact, many organisations don’t have best-of-breed email and document management systems. This is a dangerous oversight.

Document and email management systems have evolved into total work product management solutions providing various interfaces suitable for different corporate functions and various levels of required security. An integrated email security and document and email management approach builds a strong security barrier around the data that resides in the organisation:

1. Entry point policies and procedures – It enables organisations to establish policies, practices and procedures to address social engineering and cybersecurity threats, including how sign-ons, data transfers and approvals for financial transfers take place. Processes can be automated to detect suspicious URLs, identify keywords and match known sources of scams and threats to a blacklist. It also helps institute best practices around people and processes so that in the event of a human error, the technology steps in to protect the data and the organisation.

2. Governed locations – Email and document management processes enable organisations to set up ‘governed locations’ to hold sensitive information. For instance, access to these governed locations can require multi-factor authentication, so users can only be granted entry if they can present two or more pieces of evidence to authenticate themselves. Similarly, governed locations can leverage encryption at rest and in transit, to add additional security. And should a breach occur, the solution would be able to provide audit trails to enable the organisation to ascertain exactly what data has been compromised.

3. Granular security policy – Organisations can apply security policies to files on a very granular level: electronic file, sub folder, and individual document and email level. This means that security isn’t reliant on passwords, which people often lose or share freely, thereby negating their value. The best part is that these policies are immensely executable, requiring no IT skills on the part of operators.

4. File sharing services – In business today, an increasingly common problem is that employees resort to ‘shadow IT’, e.g. using non-corporate approved applications, such as file sharing services, due to restrictions on the file size of email attachments. Some of the advanced email and document management systems offer users similar, easy-to-use but auditable file sharing tools from within the solution.

5. Corporate data destruction policies – Holding information that is no longer needed today presents a huge risk to businesses. The recent Panama Papers debacle is a case in point. The most incriminating information stolen in this incident dated back to the 1970s. Timely deletion of records would have saved the law firm a lot of trouble. Organisations can automate destruction of critical information as it comes to the end of life, based on regulatory and compliance requirements.

6. Intelligent analytics – Email and document management systems offer advanced analytics based on the behavioural patterns of employees. Organisations can therefore identify security breaches as they happen and undertake damage control to mitigate losses.
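The automated entry-point checks from point 1 (suspicious URLs, keywords, blacklist matching) can be sketched as follows. This is an added example, not code from the article or from any product it describes; the blocklist entry, keyword list, rule names and sample message are all constructed assumptions, and the Reply-To comparison is an extra check commonly used against whaling.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed policy data (assumptions for illustration, not from the article).
BLOCKLIST = {"secure-payments.example"}
KEYWORDS = ("wire transfer", "urgent", "confidential", "bank details")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ""

def domain_of(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (part.get_content() if part else "")
    findings = []
    for url in URL_RE.findall(text):
        host = host_of(url)
        # Blocklist match covers the listed domain and any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in BLOCKLIST):
            findings.append(("blocklisted-url", host))
        elif re.fullmatch(r"[\d.]+", host) or "xn--" in host:
            findings.append(("suspicious-url", host))  # bare IP or punycode
    lowered = text.lower()
    findings += [("keyword", k) for k in KEYWORDS if k in lowered]
    # Whaling tell: replies routed to a different domain than the From address.
    sender, reply = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply and reply != sender:
        findings.append(("reply-to-mismatch", reply))
    return findings

# Constructed sample message (not real traffic).
SAMPLE = (
    'From: "Jane Doe (CEO)" <jane.doe@corp.example>\n'
    "Reply-To: jane.doe@corp-example.test\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please pay today and keep this confidential.\n"
    "Bank details: http://login.secure-payments.example/invoice\n"
    "Mirror: http://192.0.2.10/pay\n"
)
```

Calling `triage(SAMPLE)` returns seven findings; in practice the findings would feed a quarantine or second-approval step rather than a hard block, since keyword hits alone are noisy.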

Streamlining email security and document and email management-related processes and technology enables organisations to create a strong security foundation. The approach ring-fences the business-critical data so that even in the event of an attack, the organisation is well positioned to protect confidential information and its intellectual property, and mitigate financial losses.

About the author

Roy Russell is the founder and CEO of Ascertus Limited. Roy has over 25 years’ experience of implementing and supporting software technologies within the U.K., European, and North American legal markets. In 1992, Roy co-founded a software distribution company responsible for introducing the first legal document management systems into the UK marketplace. This company was acquired by a software vendor. He has also held senior management positions at PC DOCS Group, CompInfo and Hummingbird. Roy was one of the UK’s first advocates of PC network based document management, imaging, and workflow systems and has spent the last 18 years advising many corporate in-house legal departments about their use of technology to improve productivity, reduce costs, and mitigate risk.

© 2024 Professional Security Magazine. All rights reserved.