Information governance: minimising the risk of a data breach
Linking email security with email and document management processes is fundamental to preventing and mitigating the effects of cyberattacks, writes Roy Russell.
Given the frequency with which we hear about cyberattacks, security breaches might soon begin to lose their news value. Despite this, many security professionals acknowledge that at some point a security breach will happen, so organisations need to focus on minimising the impact ‘when’ it does.
There is a wide variety of security attacks today – phishing, spear-phishing, ransomware and whaling are all widespread and persistent. It’s noteworthy that they are all email scams. According to Mimecast, an email security services provider, 91 per cent of attacks start with an email. Also, law firms are a lucrative target for hackers, given the highly confidential nature of the information they hold on their clients and the fact that they are cash-rich. Recently it was reported that cyber criminals had targeted 48 top law firms for inside information on mergers and acquisitions. Business advisors Hazelwoods believe that losses to UK law firms due to cyber-fraud alone have jumped by 40 per cent in the last year.
Legal services providers need to create a strong security foundation – adopting a layered approach to building defences so that in the unfortunate event of a breach, critical business data is ring-fenced. Additionally, such measures will support law firms’ compliance with regulations. Most regulations today are moving away from the prescriptive model, allowing organisations the flexibility to choose their own approach to data protection, but in doing so placing the onus of data protection solely on the shoulders of individual businesses. The EU General Data Protection Regulation (GDPR) is a case in point – a potential fine of up to 4 per cent of global revenue for non-compliance would pinch any law firm.
Email security – the first layer
From a data security standpoint, email security is the first layer. Many law firms are already deploying best-of-breed email security solutions to prevent infiltration of malware and rogue email scams into the network. Such solutions are critical, as they automate processes to detect suspicious URLs, identify keywords and match known sources of scams and threats to a blacklist. The hackers who are able to penetrate an organisation’s network are those who have successfully exploited a gap in the enterprise procedures. So, email security systems not only help establish best practices around people and processes, but in the event of a human error, also ensure that the technology steps in to protect the data and the organisation.
A tightly bolted down email and document management system – the core layer
But cyber criminals are upgrading their arsenal, often faster than most organisations. Therefore, should hackers break into a law firm’s network, an email and document management system can prevent them from gaining access to business-critical information. The issue of course is that not all law firms deploy such solutions. In failing to do so, they are invalidating any security measures they may be taking to protect their organisation and its data.
Many law firms still use standard file shares or ‘lightweight’ document management modules supplied with their practice or case management systems for document storage. In these scenarios, because there tend to be multiple locations for and multiple versions of the same documents, there isn’t a single version of the truth. Furthermore, user-held passwords are relied on for security, which is far from satisfactory. People easily lose passwords or share them with other team members, negating the secrecy on which the password depends.
Where law firms deploy best-of-breed email and document management solutions, on the other hand, all the data is stored in the system and accessible only through it. Information is shared via links, so even if criminals gain access to those links, they will not be able to access the documents due to the security applied to them at electronic file, sub-folder, individual document and email level. Law firms can also set up ‘ethical walls’ to protect data and guard against conflicts of interest, i.e. data can be compartmentalised on a need-to-know basis. This is further enabled by applying file encryption based on a set of rules for critical data including client information, matter type, practice area, employee information and such. This is especially pertinent for complying with data protection regulations.
In the event of a hack, one of the biggest challenges organisations face is determining precisely what data has been breached. Due to the processes within email and document management systems, there is full auditability – who has opened the emails/documents, how many times, how many views, date and time stamps and so on. This makes it easy to detect where unusual activity has taken place and what information has been stolen. If critical data is simply stored on a network, it is near impossible to detect malicious activity.
Furthermore, the ability to identify that a breach is in progress is key to minimising the impact of the attack. FireEye research indicates that the average time that an attack goes undetected in a customer network is around 150 days. Today, advanced email security and document management technology offers analytics to help detect unusual activity. By combining data and behavioural patterns of employees via machine learning, law firms can have visibility of the attack in motion with actionable insights to mitigate the potential losses. More importantly, such insight significantly improves a law firm’s ability to detect future attacks.
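The audit trail described above (who opened which document, how often, and when) is what makes the ‘unusual activity’ detection possible. The following is an added illustration, not code from the article or from any vendor named in it: it parses a constructed audit export in an assumed pipe-delimited format, checks each access against a hypothetical ethical-wall table, and flags any day on which a user opens far more documents than their own median day.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample export from a hypothetical DMS audit trail
# (format assumed): timestamp|user|action|document_id|matter_id
AUDIT_LOG = """\
2023-03-01T09:12:04|asmith|OPEN|DOC-1001|M-200
2023-03-01T09:30:11|asmith|OPEN|DOC-1002|M-200
2023-03-02T10:05:42|asmith|OPEN|DOC-1003|M-200
2023-03-03T08:55:19|asmith|OPEN|DOC-1004|M-200
2023-03-04T02:14:07|asmith|OPEN|DOC-1005|M-200
2023-03-04T02:14:33|asmith|OPEN|DOC-1006|M-200
2023-03-04T02:15:02|asmith|OPEN|DOC-1007|M-200
2023-03-04T02:16:40|asmith|OPEN|DOC-1101|M-300
2023-03-04T02:16:58|asmith|OPEN|DOC-1102|M-300
2023-03-04T02:17:21|asmith|OPEN|DOC-1103|M-300
2023-03-04T02:17:49|asmith|OPEN|DOC-1104|M-300
2023-03-01T11:00:00|bjones|OPEN|DOC-1101|M-300
2023-03-02T11:30:00|bjones|OPEN|DOC-1102|M-300
"""

# Hypothetical ethical-wall table: the matters each user is permitted to see.
WALLS = {"asmith": {"M-200"}, "bjones": {"M-300"}}

def parse(log):
    """Turn the pipe-delimited export into a list of event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, action, doc, matter = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "doc": doc, "matter": matter})
    return events

def wall_violations(events, walls=WALLS):
    """Accesses to matters outside the user's ethical wall."""
    return [e for e in events if e["matter"] not in walls.get(e["user"], set())]

def volume_anomalies(events, factor=3.0):
    """(user, day, count) where daily opens exceed factor x the user's median day."""
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_day[e["user"]][e["ts"].date()] += 1
    flagged = []
    for user, days in per_day.items():
        counts = sorted(days.values())
        median = counts[len(counts) // 2]  # upper median when the day count is even
        flagged += [(user, day, n) for day, n in days.items() if n > factor * median]
    return flagged
```

On the constructed data, the 02:00 burst on 4 March is caught twice: four of the opens cross the ethical wall into matter M-300, and the day's seven opens exceed three times asmith's median of two.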
QBE, which insures more than one in 10 law firms in England and Wales, says that approximately £85m has been stolen across the legal market in the past 18 months. Integrated email security and email and document management processes facilitate information governance, which must form a key part of firms’ overall security strategy. It is essential for loss mitigation and even prevention. Most crucially, this approach is proven as the ‘low-hanging fruit’ for a more robust and effective security policy. It should be a no-brainer.
Roy Russell is the founder and CEO of software provider Ascertus Limited.