With most work product now stored digitally, the ability of malicious insiders to cause serious damage by stealing this information continues to grow. Now clients are demanding that their law firms implement stricter information security measures and conduct audits to ensure measures are in place and working properly.
The days when law firms could employ open or optimistic security policies — where most users have access to documents and other work product by default — are over. Today, modern law firms need to implement advanced security models to address external and internal security threats that meet clients’ security expectations.
Unlike optimistic information security models where employees have free and open access to a firm’s sensitive information, pessimistic information security models only allow employees access when there is a “need-to-know” justification — when they are working on the specific project, deal or matter. Segregating and securing sensitive content on a need-to-know basis rather than utilizing the traditional open approach is an important part of any strategy to keep critical information safe.
By successfully implementing a need-to-know information security policy, law firms of all sizes can minimize the probability of a breach, reduce the damage caused by a successful breach and pass strict client security audits.
The following three tips can help law firms more effectively make this transition, allowing them to reduce the risk of and mitigate damage from external and internal data breaches.
1. Ensure all work product can only be accessed in a secure manner. If the work product is not secure, managing access to it will be ineffective. For this, firms need to encrypt their work product — not just when it is at rest but also while it is in motion. They also need to make sure users who can access work product are both authorized to do so and authenticated to be who they say they are. The latter point here is very important: By making sure users are authenticated (via multifactor authentication, for example), the chances that someone pretending to be an authorized user are reduced. Cybercriminals have utilized successful phishing attacks to steal passwords enabling them to access to sensitive information.
2. Strictly manage access to work product. For a need-to-know information management policy to work effectively, firms must ensure users can only access what they really need to know by implementing strict policies that limit access to and between data sets. The default should be that all users start off without access to client work product — users must demonstrate a need before they are authorized and granted access. Firms should set clear policies to determine who can access specific work product. With strict enforcement, firms can dramatically reduce the amount of information accessed in the event of a breach. Build the policy with the expectation that a breach is inevitable.
3. Analyze all work product activity. Just making sure all work product is secure and strictly managing access to work product is not enough. Firms also need to enforce access as well as analyze activity to determine if there was a breach. Increasingly, there are powerful data analytics and artificial intelligence tools that can alert firms to unusual or suspicious activity, while at the same time cutting down on “false positive” alerts. Analyzing this activity will help firms identify breaches quicker, limiting damage from the breach. In addition, by tracking activity, firms ensure the pessimistic information security model is not watered down or weakened over time.
As we move into a world where need-to-know security is becoming more nonnegotiable, firms need a better way to manage the increasing volume and complexity of security policies. These tips provide some insights on how firms can meet these challenges head-on and implement barriers and walls to meet client demands without slowing down workflows.
ABOUT THE AUTHOR
Ian Raine has more than 25 years of experience in the IT industry, building information governance and records management software products for the enterprise. He is currently Head of Product Management for the iManage Govern Division, responsible for iManage’s suite of information governance products for professional service firms.