Massive data breaches at professional services firms have put unprecedented pressure on information security professionals to keep sensitive client information secure at every level, writes Aaron Rangel, Director of Product Marketing at iManage, a company offering email and document management products.
A myriad of data privacy regulations, including GDPR, HIPAA and state laws such as CCPA, have further strained already encumbered information security professionals. Law firm clients have also become more demanding: over 39pc of law firms with more than 500 users have been required to undergo a third-party security assessment on behalf of a client, and over 66pc of firms with 100-plus lawyers have received a client security requirements document or set of guidelines. These figures are likely to be reflective of the UK legal sector too. To win a client’s business, information security, risk and compliance teams must execute flawlessly.
Across professional services firms, it is common knowledge that the organisation’s most sensitive and privileged data resides within the document management system (DMS). It is therefore imperative that information security professionals have a good understanding of the security and regulatory risks that information housed within these systems may inadvertently expose the firm to.
The multiple sources of risk
Cyber threats are a major issue for law firms, due to the highly privileged data they hold. A recent PwC survey revealed that 60pc of law firms reported an information security incident, up from only 42pc in 2014. Similarly, according to the National Cyber Security Centre, 2018 saw a 20pc rise in cyber-attacks on law firms over 2017.
Risk is hardly limited to cyber criminals, phishers and other outside actors. Insiders – people who already have access to the network – present a threat of their own to sensitive data. The “insider threat” can take many forms, including disgruntled employees or hacktivists with an agenda; departing employees who are planning to move to a competing firm or open their own practice; or contractors who abuse their administrative privileges.
The DMS is also susceptible to risk simply through bad practices and bad habits – malicious intent isn’t required. For example, users might take files out of the DMS and temporarily store them on a local drive, or share them with others using an insecure file-sharing site. Alternatively, someone within the firm might accidentally email documents to a lawyer who recently left the firm.
For these and many other reasons it is crucial to have the proper security controls in place for the DMS. This includes a need-to-know security model, where access to a file is limited to only those people who need it, rather than granting access to anyone within the firm by default. Having this access control in place limits the potential damage in the event that the DMS is breached, since a compromised account can only reach the matters it was already entitled to see.
Additionally, there needs to be monitoring in place to detect anomalous behaviour around the DMS. Is a lawyer who normally only accesses files from matters X and Y suddenly downloading dozens of files from matters A, B and C? There may be a valid explanation – the lawyer may have just been staffed on those matters – but regardless, this type of unusual activity must be flagged as soon as it occurs so that someone can check.
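The detection just described comes down to two steps: learn which matters each user normally touches, then flag a burst of downloads from matters outside that baseline. The following is an added example written for this article, not code from iManage or from its Threat Manager product. The audit line format (`user=`, `action=`, `matter=`, `doc=` fields), the user and matter identifiers and the log lines themselves are constructed for illustration; a real DMS exports its own schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail. The line format
#   "<ISO timestamp> user=<id> action=<verb> matter=<id> doc=<id>"
# and the field names are assumptions for this example, not a real DMS schema.
# Rows before 15 March form the baseline; jsmith then pulls 12 documents from
# matters A, B and C (never touched before) in five minutes, while akhan mostly
# stays within matters A and B.
SAMPLE_LOG = """\
2019-03-04T09:12:03 user=jsmith action=view matter=X doc=1001
2019-03-04T09:14:10 user=jsmith action=download matter=X doc=1002
2019-03-05T10:02:41 user=jsmith action=view matter=Y doc=2001
2019-03-06T16:45:12 user=jsmith action=download matter=Y doc=2003
2019-03-07T11:20:55 user=jsmith action=view matter=X doc=1003
2019-03-04T09:30:00 user=akhan action=view matter=A doc=3001
2019-03-05T09:31:00 user=akhan action=download matter=A doc=3002
2019-03-06T14:00:00 user=akhan action=download matter=B doc=4001
2019-03-18T22:01:00 user=jsmith action=download matter=A doc=3010
2019-03-18T22:01:30 user=jsmith action=download matter=A doc=3011
2019-03-18T22:02:00 user=jsmith action=download matter=A doc=3012
2019-03-18T22:02:30 user=jsmith action=download matter=A doc=3013
2019-03-18T22:03:00 user=jsmith action=download matter=B doc=4010
2019-03-18T22:03:30 user=jsmith action=download matter=B doc=4011
2019-03-18T22:04:00 user=jsmith action=download matter=B doc=4012
2019-03-18T22:04:30 user=jsmith action=download matter=B doc=4013
2019-03-18T22:05:00 user=jsmith action=download matter=C doc=5010
2019-03-18T22:05:30 user=jsmith action=download matter=C doc=5011
2019-03-18T22:06:00 user=jsmith action=download matter=C doc=5012
2019-03-18T22:06:30 user=jsmith action=download matter=C doc=5013
2019-03-18T10:00:00 user=akhan action=download matter=A doc=3020
2019-03-18T10:05:00 user=akhan action=download matter=A doc=3021
2019-03-18T10:10:00 user=akhan action=download matter=C doc=5020
"""

SAMPLE_CUTOFF = datetime(2019, 3, 15)  # baseline ends here; detection starts

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"matter=(?P<matter>\S+) doc=(?P<doc>\S+)$"
)


def parse_events(text):
    """Parse audit lines into dicts sorted by time; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue  # malformed line: in production, count and report these too
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Per-user set of matters touched (any action) before the cutoff."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["ts"] < cutoff:
            baseline[ev["user"]].add(ev["matter"])
    return baseline


def detect_bulk_new_matter_downloads(events, cutoff, threshold=10,
                                     window=timedelta(hours=1)):
    """Flag users who download >= threshold documents from matters outside
    their baseline within one sliding time window after the cutoff.

    Returns user -> {"count", "matters", "start", "end"} for the first window
    that crosses the threshold. A hit is a prompt for review, not proof of
    wrongdoing: a lawyer newly staffed on a matter will trip it too.
    """
    baseline = build_baseline(events, cutoff)
    per_user = defaultdict(list)
    for ev in events:
        if (ev["ts"] >= cutoff and ev["action"] == "download"
                and ev["matter"] not in baseline[ev["user"]]):
            per_user[ev["user"]].append((ev["ts"], ev["matter"]))

    alerts = {}
    for user, hits in per_user.items():
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until every event fits in `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = {
                    "count": count,
                    "matters": sorted({m for _, m in hits[start:end + 1]}),
                    "start": hits[start][0],
                    "end": hits[end][0],
                }
                break  # one alert per user is enough to trigger a review
    return alerts


def run_sample():
    """Run the detector over the constructed log with its cutoff."""
    return detect_bulk_new_matter_downloads(parse_events(SAMPLE_LOG), SAMPLE_CUTOFF)


if __name__ == "__main__":
    for user, a in run_sample().items():
        print(f"ALERT {user}: {a['count']} downloads from new matters "
              f"{a['matters']} between {a['start']} and {a['end']}")
```

Running it flags jsmith after the tenth download from matters A, B and C and leaves akhan alone, whose single download from matter C is below the threshold. The threshold and window are tuning knobs: set them from the firm's own download statistics, and treat "any action" in the baseline as deliberate, so that a lawyer who has only ever viewed a matter is not flagged for downloading from it.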
Maintaining sensitive content past its retention date creates unnecessary risk, so it’s important to make sure that a law firm has a retention policy in place for the content within the DMS. Is material being properly disposed of at the end of its retention period – or is it hanging around for years, or even decades, longer than it should be? Enforcing retention policies reduces risk. After all, bad actors can’t get their hands on material that has already been disposed of.
During a security audit, clients will look for the presence of these key controls, as well as other security features such as support for two-factor authentication, document encryption and monitoring of privileged accounts within the DMS.
In addition to satisfying client requirements regarding how information is stored and managed, information security professionals will need to ensure that they are not running afoul of any regulations that govern how certain types of information must be treated. From HIPAA to FINRA to GDPR, there is a slew of regulations aimed at ensuring that privileged and personal information is protected. Having the appropriate controls for data residency and security in the DMS reduces the risk of accidental non-compliance, and of the hefty fines that can accompany a misstep of this kind.
Knowledge is power
Understanding the security and regulatory risks associated with a DMS is the first step towards properly securing and governing the sensitive content within it. With knowledge about the types of malicious attacks that DMS systems are susceptible to, the data privacy regulations that apply to the information inside the DMS, and an understanding of which security controls must be a top priority, information security professionals will be in a better position to prevent a breach and ensure regulatory compliance.
About the author
Aaron Rangel is responsible for the Threat Manager product within the iManage Govern product suite and has experience in launching products to market. Prior to iManage, Aaron held senior product management positions at SPSS and IBM, and has experience of document management and analytics.