Get ready to learn some immensely powerful tips and management approaches designed to safeguard your firm’s digital files from today’s growing cyber threats. Dive into Worldox technology and how it helps clients ensure compliance with ABA rules and protect your documents. We’ll offer practical guidance and strategies for Worldox users, law firm administrators, and IT managers looking to secure their documents and protect their sensitive client, business and employee information.
Securing Your Digital Files from Cyber Threats
2. Presenters
• Rebecca Sattin, Chief Information Officer, World Software Corporation
• Joseph Marquette, President, Accellis Technology Group
• John Roth, Document Management Consultant, Accellis Technology Group
3. Topics
• Cybersecurity in the Legal Industry: Trends
• Cybersecurity as understood by Defense in Depth
• Best Practices for Securing your Digital Files (but don’t forget paper)
• Conclusion
5. FBI Warnings to Law Firms
6. FBI Warnings to Law Firms
7. Why does security matter to law firms?
• Law firms have access to a vast amount of valuable information (data gold) and don’t realize it
• Financial
• Digital ecosystem
• Information
9. ABA Model Rules
Rule 1.1 – Competence
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
10. ABA Model Rules
Rule 1.6 – Confidentiality of Information
The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
11. ABA Cybersecurity Resolution 109
“RESOLVED, That the American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.”
12. Why isn’t everyone doing it?
SECURITY vs. CONVENIENCE
13. Cyber-Insurance
Risk Assessment
• What sensitive information do you have?
• How sensitive is it?
• Information Governance: is it organized logically?
• How is it collected, protected, used, shared, destroyed?
Exposure
• Danger of public relations issues?
• Are you or your client a target?
• Danger of operational disruption?
Can you prove it?
15. Benefits of a Cybersecurity Plan
• Understand your threat profile
• Ability to implement the tools, policies, procedures and technology needed to protect your firm
• Improves visibility of risks across the firm
• Preparedness for breach response
• Prevent loss of reputation and lower recovery costs
16. Cybersecurity as Understood by Defense in Depth
• Data
• Application security
• Infrastructure security
• Training, Policies & Procedures
• Validation & Testing
17. Know Your Data (Information Governance)
• Recognize what confidential / private data you maintain
• Social Security Numbers
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
• Intellectual Property
• Where does it reside in space and time?
• Is it organized in such a way that it can be easily secured?
• Law firms are not exempt from litigation holds
18. Application Security
• Least privilege
• Individual accounts
• Login protocols
• Pass-through authorizations
19. Harden Your Defense (Infrastructure Security)
1) Complex passwords
2) Spam filters
3) Encryption
4) Multifactor authentication
5) Off-site backups (more for disaster recovery)
6) Remote Access Policy
7) Patching servers and workstations
8) Firewalls
9) Virtual Private Network (VPN)
10) Group Policy
11) WSUS
12) Network Access Control (NAC)
13) Vulnerability scanning
14) Mobile device management
15) Security Information & Event Management (SIEM)
20. Training, Policies & Procedures
• Training – ensure employees understand the rules and why they are important; security awareness will benefit them at work and at home
• Usage, access and system management policies
21. Program Validation & Breach Planning
• Usage, access and system management policies
• End-user training
• Physical security
• Breach planning
23. Use a Document Management System
• Control where data lives
• Central management of IP and PII
• Enforceable firm standards
• Audits and reporting
• Compliance
24. Internal DMS Configurations
• Create user groups
• Restrict access to cabinets
• Document retention and archive policies
• File security templates (based on AoP)
• Ethical walls
• Audit trail
• Security groups
• Profiling
• Numbering and naming schemes
• Delete security
• Export security
• UNC mapping
• Dedicated administrators
• Password protect the system
• Encryption
• AD Integration
• Folder and drive level security
• Third-party integration
• Updates
• User management
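The "Internal DMS Configurations" list above names security groups, restricted cabinets, ethical walls, delete and export security, an audit trail and a retention policy as separate settings. The following Python, added here as an illustration and not Worldox’s own code, shows how those controls combine into one access decision that is recorded whether it is allowed or denied; the cabinet, group and user names are constructed, and the 10-year retention figure is taken from the speaker notes.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

@dataclass
class Cabinet:
    name: str
    allowed_groups: set                              # security groups that may open this cabinet
    walled_users: set = field(default_factory=set)   # ethical wall: barred even if their group is allowed

@dataclass
class User:
    login: str
    groups: set
    can_delete: bool = False   # "delete security": off unless granted (least privilege)
    can_export: bool = False   # "export security": off unless granted

AUDIT_LOG = []                 # audit trail: one record per decision, allowed or denied

def check_access(user, cabinet, action):
    """Decide read/delete/export on a cabinet and record the decision."""
    if action not in ("read", "delete", "export"):
        raise ValueError(f"unknown action {action!r}")
    allowed = bool(user.groups & cabinet.allowed_groups)
    reason = "group" if allowed else "not in allowed group"
    if user.login in cabinet.walled_users:
        allowed, reason = False, "ethical wall"
    if allowed and action == "delete" and not user.can_delete:
        allowed, reason = False, "delete security"
    if allowed and action == "export" and not user.can_export:
        allowed, reason = False, "export security"
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user.login,
                      "cabinet": cabinet.name, "action": action,
                      "result": "allowed" if allowed else "denied", "reason": reason})
    return allowed

def retention_due(closed_on, today, years=10):
    """Retention rule from the notes: archive or delete `years` years after a matter closes (ISO dates)."""
    c, t = date.fromisoformat(closed_on), date.fromisoformat(today)
    elapsed = t.year - c.year - ((t.month, t.day) < (c.month, c.day))
    return elapsed >= years

# Constructed sample data, not from any real firm
MATTER = Cabinet("Matter-1042", {"litigation"}, walled_users={"jdoe"})
ASMITH = User("asmith", {"litigation"}, can_export=True)
JDOE = User("jdoe", {"litigation"})
BJONES = User("bjones", {"corporate"})

if __name__ == "__main__":
    for u, a in [(ASMITH, "read"), (ASMITH, "delete"), (JDOE, "read"), (BJONES, "export")]:
        print(u.login, a, "allowed" if check_access(u, MATTER, a) else "denied", AUDIT_LOG[-1]["reason"])
```

Because every branch appends to AUDIT_LOG before returning, a denied request leaves the same trace as an allowed one, which is what makes the audit trail useful for the "can you prove it?" question on the cyber-insurance slide.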
25. What about paper?
• Scanning to DMS from MFD
• Scanning to DMS from personal device
• Sony Digital Paper
26. Mobility
• Unified Remote Access Policy, firm owned devices
• Peripheral devices – servers, laptops, mobile devices
• Remote Access
• Web Mobile
• Enterprise
• RDP
• Terminal Server
• Citrix
• iOS App
• Physical documents and Sony Digital Paper
• Encryption in transit
27. Training & Education
• Password protect documents
• Check-in / check-out
• Annual Refresh training
• Onboarding procedure for new hires
• Remote Policies
• Email important files
28. Preventing Data Loss
• Examine applications for leakage potential
• Risk assessment on each to determine potential exposure
• Application analysis for leakage potential
• Procedural analysis for leakage potential
• Ongoing risk assessment
• Shadow IT
30. Conclusion
• Recognize that your DMS is where the vast majority of sensitive information can be accessed.
• Create a cyber militia
• Have a plan, any plan – just have one!
• Remember that security is almost always in direct opposition to convenience.
31. Additional Resources
• “Ouch!” SANS Security Awareness Newsletter (sans.org)
• Verizon Data Breach Investigations Report (verizonenterprise.com)
• Accellis Cybersecurity Policy Handbook (accellis.com)
• Worldox to Debut Enhanced Encryption Feature (buyerslab.com)
• ABA Cybersecurity Handbook (americanbar.org)
• World Software Corporation (Worldox.com)
• Accellis Technology Group (accellis.com)
32. Questions?
Slides available @ http://bit.ly/1FIJZ3X
• Rebecca Sattin, Chief Information Officer, World Software Corporation, rsattin@worldox.com
• Joseph Marquette, President, Accellis Technology Group, Inc., jmarquette@accellis.com
• John Roth, Document Management Consultant, Accellis Technology Group, Inc., jroth@accellis.com
Editor's Notes
Rebecca: Despite the FBI warnings, the breaches and the Comments on the ABA Rules, many attorneys still didn’t take notice until their clients insisted on it.
Security questions began to show up in RFPs from clients.
Also, cyberinsurance policies require completion of security questionnaires.
Joe: 2012 Comments added to ABA Model Rules
Competence – attorneys must stay current on how to use technology required in their practice areas.
(California added that this obligation can be met if an attorney competent in the technology assists.)
Rebecca: 2012 Comments added to ABA Model Rules
Confidentiality (Attorney-Client Privilege) – reasonable efforts to prevent access or disclosure of client data; sensitivity of data; extent to which privacy of communication is protected by law or confidentiality agreement.
It is now the ethical obligation of attorneys to stay current on the technology required for their practice and to make reasonable efforts to protect their clients’ data.
Joe: The ABA published a much abridged version of their original draft of Resolution 109, encouraging “all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program.” While the language is not as strong as originally intended, we are all aware that client and customer security requirements are increasing daily and law firms have to maintain the same levels of security in order to keep their clients happy.
Rebecca: Risk Assessment should be an ongoing process that happens with each new technology being considered for adoption at a firm.
The important thing that firms can do regardless of their size or budget is to ensure that processes and procedures are in place for risk assessment and information governance. There is a reason all the regulatory bodies use the word “reasonable” when describing the efforts required to maintain the security of client data. It is because reasonable efforts differ based on size and budget of a firm and by using that word, everyone should be able to comply.
Joe & Rebecca - point out encryption (safe harbor), ethical responsibility
John: 10 years after a matter is closed, then archive or delete.
Law firm guests and loose papers in conference rooms. Don’t forget about video conferences, what is visible to the camera.
BYOD – phones: personal data vs. firm data.