Preventing Hackers from Accessing your Document Management System

Preventing Hackers from Accessing your Document Management System

It’s a perfect storm. Law firms possess incredibly valuable and sensitive information, and the Internet provides a new methodology through which the information can be accessed and pilfered. The growing threat to law firms from hackers has been validated by a number of recent reports in the Wall Street Journal, Bloomberg, and other publications. How big is the threat? The Bloomberg article cites data released by security firm Mandiant, based in Alexandria, VA, which estimates that 80 major law firms were hacked in 2011. (1)

These reports shouldn’t come as a surprise: many law firms have knowledge of critical trade secrets and market-moving events. The right content allows a hacker to trade on inside information—and that’s a powerful motivator. Hacking, in point of fact, has gone from the blood sport of supernerds, who hacked systems just to prove they could, to economic espionage. The bigger the deal, the bigger the effort. Another type of hacker called “hacktivists” attempt to promote political issues through hacking. Both have proven that, once the firewall has been breached, a hacker meets few barriers to data access.

The Medieval castle defense

In a time when full-scale attacks and small scrimmages were the rules of the day, it was vital for a Medieval castle defense system to take all possibilities into account. Law firms would do well to follow in their footsteps.

While law firms can clearly tighten their outer defenses with the latest firewalls, two-factor authentication, and other mechanisms, an outer  defense is not likely to be enough. Just as castles in Medieval times protected themselves with rings of defenses—the moat, outer wall, internal wall, and the last place of refuge, the tower—law firms today need to build rings of defenses that give them multiple opportunities to prevent harm if their firewall gets breached.

The first ring of defense—controlling the desktop

More often than not, breaches to the firewall happen because of an act by an employee. We’re all familiar with a number of well-publicized acts of malfeasance, but many breaches are inadvertently caused by something far more mundane:

      • Creating weak passwords
      • Unwittingly giving away passwords as a result of Trojans, spear phishing, email fraud, fake websites, and keystroke loggers
      • Installing less-than-secure software


The culture of law firms, where partners have significant sway, make them particularly vulnerable to spear phishing, where an email appears to come from someone you trust. In 2010, for example, a Los Angeles law firm reported receiving emails that looked like they were from members of the firm but which were really designed to retrieve data from its computers concerning a $2.2 billion lawsuit against the Chinese government and several computer manufacturers.(2) Other recent law firm hacks have involved efforts to steal secret details about mergers and acquisitions.

In addition to strong password policies, one of easiest ways to control the desktop is to restrict the ability of lawyers to install software, particularly vulnerable, cloud-based filehosting programs that allow users to share files, photos, documents, and videos. Like strong password policies, however, this smacks of bureaucracy, and many firms are reluctant to go that far.

Controlling the desktop is just the first and most obvious defense against hackers. A number of additional internal controls can be put in place to add further rings of defense.

Additional rings of defense

In the name of providing the best customer service for their lawyers, most firms have created too many super-users (in other words, users who have access to all of the content in the document management system).  Weekend warriors want to be able to review case files, and many of those case files hold sensitive information. However, if just one superuser account gets broken into, hackers have access to most of the content in the firm. The problem has reached critical mass: law firms must limit super-user access to DMS content.

The firm also needs to strictly limit the information available to the help desk and local office IT support staff to what is required to perform their jobs. For example, while this class of users may need access to profile information in documents stored in the firm’s document management system, they don’t need access to the actual content of the documents. In parallel, the law firm needs to limit the functions of the help desk and IT
support staff, for example, by allowing them to view document security but not change document security.

To further strengthen their defense against hackers (as well as acts of malfeasance), firms also need to find a way to automatically enforce the firm’s ethical walls and information barriers. If a user is walled-off from a matter, or if the matter is confidential, a process should be established that surfaces any improprieties before the user is granted access to documents in the matter.

Weaknesses in the public security model

Let’s take a step back and look more broadly at security models. Law firms in the U.S., Canada, UK, and Hong Kong have traditionally used a public security model. In this model, all users have access to all the content in the organization except for content behind ethical walls or confidential barriers. (In contrast, in Asia nearly everything is confidential.)

While the assumption of confidentiality is built into any discussion between a client and a lawyer, in reality a law firm may have only 10 matters out of 5,000 that are walled off from the general firm for confidentiality purposes. This means that hackers potentially have access to most of the firm’s content, including valuable trade secrets.

The original business goal for the public security model was to enable lawyers to easily leverage prior work product. However, when this model took form, the document management system only held firm-generated documents. With the advent of mattercentric collaboration and email management, the document management system now contains email and third-party content as well as firm-generated documents.

Strategies for limiting access

Two different strategies can be used to limit access in a public security model:

      • Make matters confidential to a limited group of people
      • Employ a hybrid model, where work-in-progress drafts remain public but thirdparty, email, and finished content are secured

Both strategies attempt to solve a problem that was introduced when law firms transitioned from paper to electronic files. When we were paper-based, you’d have to break into the firm and actually know where a document was physically located to steal information. The conversion to electronic files, while truly a boon to the practice of law in many respects, also makes confidential data more accessible.

Limiting confidentiality as a strategy

To make matters confidential to a limited group of people, law firms must first decide on the level of confidentially their business model requires. Securing the matter to only those who need access is, of course, the most secure option. When all matters are confidential, users only have access to documents for the matters that they work on. In this approach, it will be incumbent on the firm to have more effective tools and workflows to capture precedent or best-practice documents.

One form this can take is to secure a matter at the practice-group level or to the individuals working on the matter or a combination of the two when a matter is handled across practices. To make this work, law firms need to make it as easy as possible for end users to gain access to the matter when needed. If users can’t access matters with just a few clicks, the IT or risk group should be prepared staff up to handle requests for access.

A better solution: the hybrid model

The hybrid model balances the user’s need for agility and ease of collaboration with the firm’s need for security. One of the biggest challenges in making matters confidential is that it hampers collaboration. When night secretaries or document processing centers need to work on a document, giving them access to the document creates one more task the lawyer must remember to do. Similarly, when the responsible lawyer wants to get a quick opinion on a particular clause from another lawyer, he needs to remember to give them access to the relevant document.

In the hybrid model, work-in-progress remains public in a clearly marked folder, such as “working drafts,” (except where confidentiality is truly needed). Email and all other documents, including supporting material from third parties and finished content that is signed and executed, are secured as confidential to the matter team. In this model, the ability for lawyers to collaborate and to search for prior work product is not impeded.

The hybrid model takes into account the sensitivity of third-party supporting material, including emails. In many cases the legal documents the firm generates sanitizes what is confidential in the third-party content. For example, the engineer’s notes on a patent are more likely to hold truly confidential information than the patent itself because it demonstrates how the product actually works while the patent application provides a description of a specific feature or capability. In employment law, the email from a client describing the colorful details around employment discrimination is much more sensitive than the simpler narrative in the letter from the lawyer.

A related email issue is that, from a cultural perspective, lawyers are like the general population in that they consider emails to be personal in nature. If firms want to encourage them to file their emails, lawyers are more likely to be compliant if there is some level of privacy and security. The hybrid model relieves that tension.

To make the hybrid model work, law firms need to make it very easy to create and secure folders to the matter team and to give end users the ability to manage who is on the matter team. It is also necessary to avoid the complication of processes that require documents to be updated or re-filed each time a new user is added to the matter team. Additionally, it is
necessary to ensure that a single addition of a new user to the matter team grants the new person access to all secure documents across folders in the matter (rather than requiring that each folder be updated).

It’s a two-fer: hacker defense and client security

From a knowledge management perspective, the hybrid model gives lawyers the ability to leverage prior work product. The other advantage of the hybrid model is that, in addition to providing another ring of defense to prevent hacking, you limit access to private information and other client confidences contained in the third-party content and email. This has become vital. As hacker attacks continue to escalate, law firms are increasingly threatened with a loss of client business if they can’t show improved security. It may soon become mandatory: new guidelines from the U.S. Security and Exchange Commission ask all public companies to voluntarily disclose cybersecurity incidents.

The same internal controls that defend against hacking are the same controls that will satisfy clients’ requirements for better security and privacy. Limiting access is inherent in security certifications, such as ISO 27001. When law firms can demonstrate that degree of security, it reassures the client and resolves a major pain point for the law firm, who no longer needs to assign resources to respond to exhaustive security audits. It’s a win for everyone.


(1) “How Law Firms Can Combat Hacktivims” Law Technology News, July 5, 2012

(2) Wall Street Journal 06-25-2012 – Lawyers Get Vigilant on Cybersecurity

Click this button to read or download the PDF file

Want to learn more about Milan?

Read more about Milan from our product page.

Learn more

Check our related articles


WordPress Video Lightbox Plugin