What information security professionals need to know about document management systems
It’s a well-known fact that law firms are prime targets for cyber security attacks. With high-profile breaches at prestigious law firms making headlines globally, it’s no surprise that law firms and professional services firms face tremendous pressure from clients and internal stakeholders to improve their security posture. To address this challenge, several law firms have looked outside the legal industry to hire CISOs and other information security professionals with the goal of creating an enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.
Over the past years, the iManage Security and Information Governance teams have worked with security professionals and addressed a wide range of queries, from straightforward questions about the role of a document management system (DMS), application security, or architecture to more strategic conversations about best practices for securing information in the DMS and integrating security and monitoring solutions more tightly with the enterprise application security stack.
Based on this experience, we have created this blog series with the goal of giving security professionals better insight into the security and regulatory risk associated with managing information in a DMS.
In this series, we shall cover:
1. Why having proper security controls in a DMS is a top priority
2. The types of malicious attacks that DMS systems are susceptible to
3. Data privacy regulations that apply to information in a DMS
4. What a law firm client expects to see during client audits
5. Requirements relating to a DMS system that clients mandate in outside counsel guidelines
Why having proper security controls in a DMS is a top priority
It’s a well-known fact that the DMS holds the firm’s “crown jewels,” namely the legal documents a law firm creates on behalf of its clients. Whether it stores M&A information, a patent filing, a celebrity divorce, or a personal injury litigation, the DMS contains highly privileged information that is not only prized by internal and external threat actors but also must be secured appropriately to comply with several data privacy regulations. As most firms don’t enforce retention policies consistently, it’s not uncommon for the DMS to contain information across the past 10-20 years.
Another challenge that firms face is the fact that a vast majority of their documents are not secured with an access control list and, as a result, are available to all the users of their DMS. The risk posed by deploying a DMS without the proper security controls has not gone unnoticed by clients, who now use contracts and outside counsel guidelines to enforce requirements. Moreover, regulatory bodies like the SEC have routinely charged employees at law firms with insider trading based on the fact that privileged M&A information has not been sufficiently locked down.
The types of malicious attacks that DMS systems are susceptible to
All DMS systems are susceptible to the following types of attacks:
Disgruntled user: An example threat pattern for this type of attack is an employee simply downloading privileged client content and posting it in a public forum to embarrass the firm.
Unintentional high-risk behavior: This kind of risk is posed not by intentional, malicious behavior but by poor work habits. Examples include a secretary mistakenly sending firm documents to an attorney who recently left the firm, or an attorney exporting a high volume of data from multiple matters to a personal computer before going on vacation instead of accessing the DMS repository through a browser.
Sophisticated malicious insider: An example threat pattern in this category is a malicious actor that is slowly but systematically accessing content across clients that he has not represented, with the intention to find privileged information that can be monetized. Such a threat can be best identified by harnessing the power of machine learning and big data to analyze activity over longer periods of time to find anomalous behavior patterns.
Abuse of privileged accounts: Administration accounts have broad privileges over content management operations, which makes these accounts top candidates for misappropriation and phishing attacks. An example threat pattern in this category would be when an administrator’s account suddenly starts mailing and printing documents, when usually, it is only associated with bulk security changes.
Non-filers: Non-filers are those users who circumvent the document management system. This represents a risk to the firm as these users store content on local drives or other non-sanctioned repositories, where it’s not under firm control.
Stolen credentials (phishing attacks): It’s a well-known fact that attorneys in the M&A practice, as well as heads of practice areas with public profiles, are prime targets for phishing attacks. Whether the perpetrator is an insider or an external party who has obtained stolen credentials, the signature threat pattern of such an attack is access to content outside the matters, clients and practice areas the victim typically works across.
Departing attorneys: Across professional services firms the risk posed by departing employees is well understood. Attorneys often leave to join competing firms or to start up their own practices. With law firms in particular, there is a strong incentive for the attorney to take client business away from the firm when they leave.
It’s not uncommon for the head of a practice to leave and take his team along to a competing law firm, or for a group of 5-10 partners to depart. In a competitive lateral market, for a managing partner to know beforehand when an attorney or partner is likely to leave is game-changing. Advance knowledge of a likely departure gives key stakeholders the ability to preempt the departure.
For risk and compliance teams, it is critical from a competitive and risk mitigation standpoint to be able to monitor the activity of departing attorneys to ensure that firm intellectual property and non-sanctioned client data don’t leave the firm.
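Two of the threat patterns above (access to clients outside a user's usual work, and an administrator account suddenly mailing or printing) can be expressed as baseline checks over DMS audit events. The following is an added example, not iManage code: the event tuple format, the account names and the function names are all constructed for illustration, and it uses a simple set-based baseline rather than machine learning.

```python
from collections import defaultdict

# Constructed audit events: (day, user, client, action). Hypothetical format.
EVENTS = [
    (1, "asmith", "ClientA", "view"),
    (2, "asmith", "ClientA", "edit"),
    (3, "asmith", "ClientB", "view"),
    (1, "dmsadmin", "ClientA", "security_change"),
    (2, "dmsadmin", "ClientB", "security_change"),
    # Detection window starts at day 10.
    (10, "asmith", "ClientA", "view"),
    (11, "asmith", "ClientC", "view"),
    (11, "asmith", "ClientD", "download"),
    (12, "dmsadmin", "ClientC", "security_change"),
    (12, "dmsadmin", "ClientA", "email"),
    (12, "dmsadmin", "ClientA", "print"),
]

def build_baseline(events, cutoff_day):
    """Per-user sets of clients and action types seen before cutoff_day."""
    clients, actions = defaultdict(set), defaultdict(set)
    for day, user, client, action in events:
        if day < cutoff_day:
            clients[user].add(client)
            actions[user].add(action)
    return clients, actions

def detect(events, cutoff_day, admins=frozenset({"dmsadmin"})):
    """Flag events on or after cutoff_day that fall outside the user's baseline."""
    clients, actions = build_baseline(events, cutoff_day)
    alerts = []
    for day, user, client, action in events:
        if day < cutoff_day:
            continue
        if user in admins:
            # Admins legitimately touch many clients, so watch the action
            # type instead: e.g. mailing or printing from an account that
            # normally only performs bulk security changes.
            if action not in actions[user]:
                alerts.append((day, user, "unusual_admin_action", action))
        elif client not in clients[user]:
            # Regular user reaching content for a client they have not
            # worked on during the baseline period.
            alerts.append((day, user, "client_outside_baseline", client))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, cutoff_day=10):
        print(alert)
```

In practice the baseline would also cover matters and practice areas, and alerts would be reviewed against legitimate reassignments before escalation.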
In the next blog post in this series on governance and security, we shall discuss “Data privacy regulations that apply to information in a DMS” and “What a law firm client expects to see during client audits.”