Responding to the DMS Hacker Threat
Responding to the DMS Hacker Threat
First steps: controlling the desktop and limiting access
In a time when full-scale attacks and small scrimmages were the rules of the day, it was vital for a medieval castle defense system to take all possibilities into account. Law firms would do well to follow this model. Just as castles in medieval times protected themselves with rings of defenses—the moat, outer wall, internal wall, and the last place of refuge, the tower—law firms today need to build rings of defenses that give them multiple opportunities to prevent harm if their firewall gets breached.
The first ring of defense—controlling the desktop
More often than not, breaches to the firewall happen because of an act by an employee. We’re all familiar with a number of well-publicized acts of malfeasance, but many breaches are inadvertently caused by something far more mundane:
- Creating weak passwords
- Unwittingly giving away passwords (Trojans, spear phishing, email fraud, fake websites, and keystroke loggers)
- Installing less-than-secure software (particularly cloud-based hosted file sharing)
The culture of law firms, where partners have significant sway, make them particularly vulnerable to spear phishing, where an email appears to come from someone you trust.
Minimize the number of superusers
In the name of providing the best customer service for their lawyers, most firms have created too many superusers (in other words, users who have access to all of the content in the document management system). For example, for the sake of convenience, many firms unnecessarily give superuser privileges to their document processing center, their records management department, and “night floaters.” In addition, the firm’s “weekend warriors” want to be able to review case files, and many of those case files hold sensitive
information. However, if just one superuser account gets broken into, hackers have access to most of the content in the firm. The problem has reached critical mass: law firms must limit superuser access to DMS content. It’s time to map privileges to what is needed to perform your job.
How about help desk and IT access?
The firm also needs to strictly limit the information available to the help desk and local office IT support staff to what is required to perform their jobs. For example, while this class of users may need access to profile information in documents stored in the firm’s document management system, they don’t need access to the actual content of the documents. In parallel, the law firm needs to limit the functions of the help desk and IT support staff, for example, by allowing them to view document security but not change document security.
Prepare for ISO27001 certification
The same internal controls that defend against hacking are the same controls that will satisfy clients’ requirements for better security and privacy. Limiting access is inherent in security certifications, such as ISO 27001. When law firms can demonstrate that degree of security, it reassures the client and resolves a major pain point for the law firm, who no longer needs to assign resources to respond to exhaustive security audits.
Want to learn more about Client Value Management?
Read more about Client Value Management from our solution page.
Check our related articles
Until recently, globalization was a trend largely confined to big companies. Today, however, we’ve entered a new era where even small firms, recognizing the growth opportunities, are proactively broadening their global reach....01 February, 2013No comment