Securing Your Digital Files from Legal Threats

Cybersecurity Roadshow Securing Your Digital Files from Cyber Threats

Transcript of Securing Your Digital Files from Legal Threats

Page 1: Securing Your Digital Files from Legal Threats

Cybersecurity Roadshow

Securing Your Digital Files from Cyber Threats

Page 2: Securing Your Digital Files from Legal Threats

Presenters

• Rebecca Sattin, Chief Information Officer, World Software Corporation
• Joseph Marquette, President, Accellis Technology Group
• John Roth, Document Management Consultant, Accellis Technology Group

Page 3: Securing Your Digital Files from Legal Threats

Topics

• Cybersecurity in the Legal Industry: Trends
• Cybersecurity as understood by Defense in Depth
• Best Practices for Securing your Digital Files (but don’t forget paper)
• Conclusion

Page 4: Securing Your Digital Files from Legal Threats


Cybersecurity in the Legal Industry: Trends

Page 5: Securing Your Digital Files from Legal Threats

FBI Warnings to Law Firms

Page 6: Securing Your Digital Files from Legal Threats

FBI Warnings to Law Firms

Page 7: Securing Your Digital Files from Legal Threats

Why does security matter to law firms?

• Law firms have access to a vast amount of valuable information (data gold) and don’t realize it
• Financial
• Digital ecosystem
• Information

Page 8: Securing Your Digital Files from Legal Threats

Inheriting Regulatory Concerns

HIPAA, SOX, PCI, GLBA, FINRA

Page 9: Securing Your Digital Files from Legal Threats

ABA Model Rules

Rule 1.1 – Competence

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

Page 10: Securing Your Digital Files from Legal Threats

ABA Model Rules

Rule 1.6 – Confidentiality of Information

The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

Page 11: Securing Your Digital Files from Legal Threats

ABA Cybersecurity Resolution 109

“RESOLVED, That the American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.”

Page 12: Securing Your Digital Files from Legal Threats

Why isn’t everyone doing it?

SECURITY

CONVENIENCE

Page 13: Securing Your Digital Files from Legal Threats

Cyber-Insurance

Risk Assessment
• What sensitive information do you have?
• How sensitive is it?
• Information Governance: is it organized logically?
• How is it collected, protected, used, shared, destroyed?

Exposure
• Danger of public relations issues?
• Are you or your client a target?
• Danger of operational disruption?

Can you prove it?

Page 14: Securing Your Digital Files from Legal Threats


Defense in Depth

Page 15: Securing Your Digital Files from Legal Threats

Benefits of a Cybersecurity Plan

• Understand your threat profile
• Ability to implement the tools, policies, procedures and technology needed to protect your firm
• Improves visibility of risks across the firm
• Preparedness for breach response
• Prevent loss of reputation and lower recovery costs

Page 16: Securing Your Digital Files from Legal Threats

Cybersecurity as Understood by Defense in Depth

• Data
• Application security
• Infrastructure security
• Training, Policies & Procedures
• Validation & Testing

Page 17: Securing Your Digital Files from Legal Threats

Know Your Data (Information Governance)

• Recognize what confidential/private data you maintain
  • Social Security Numbers
  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Intellectual Property
• Where does it reside in space and time?
• Is it organized in such a way that it can be easily secured?
• Law firms are not exempt from litigation holds

Page 18: Securing Your Digital Files from Legal Threats

Application Security

• Least privilege
• Individual accounts
• Login protocols
• Pass through authorizations

Page 19: Securing Your Digital Files from Legal Threats

Harden Your Defense (Infrastructure Security)

1) Complex passwords
2) Spam filters
3) Encryption
4) Multifactor authentication
5) Off-site backups (more for disaster recovery)
6) Remote Access Policy
7) Patching servers and workstations
8) Firewalls
9) Virtual Private Network (VPN)
10) Group Policy
11) WSUS
12) Network Access Control (NAC)
13) Vulnerability scanning
14) Mobile device management
15) Security Information & Event Management (SIEM)

Page 20: Securing Your Digital Files from Legal Threats

Training, Policies & Procedures

• Training - Ensure employees understand the rules and why they are important; security awareness will benefit them at work and at home
• Usage, access and system management policies

Page 21: Securing Your Digital Files from Legal Threats

Program Validation & Breach Planning

• Usage, access and system management policies
• End-user training
• Physical security
• Breach planning

Page 22: Securing Your Digital Files from Legal Threats

Best Practices For Securing Your Digital Files

Page 23: Securing Your Digital Files from Legal Threats

Use a Document Management System

• Control where data lives
• Central management of IP and PII
• Enforceable firm standards
• Audits and reporting
• Compliance

Page 24: Securing Your Digital Files from Legal Threats

Internal DMS Configurations

• Create user groups
• Restrict access to cabinets
• Document retention and archive policies
• File security templates (based on AoP)
• Ethical walls
• Audit trail
• Security groups
• Profiling
• Numbering and naming schemes
• Delete security
• Export security
• UNC mapping
• Dedicated administrators
• Password protect the system
• Encryption
• AD Integration
• Folder and drive level security
• Third-party integration
• Updates
• User management

Page 25: Securing Your Digital Files from Legal Threats

What about paper?

• Scanning to DMS from MFD
• Scanning to DMS from personal device
• Sony Digital Paper

Page 26: Securing Your Digital Files from Legal Threats

Mobility

• Unified Remote Access Policy, firm owned devices
• Peripheral devices – servers, laptops, mobile devices
• Remote Access
  • Web Mobile
  • Enterprise
  • RDP
  • Terminal Server
  • Citrix
  • iOS App
• Physical documents and Sony Digital Paper
• Encryption in transit

Page 27: Securing Your Digital Files from Legal Threats

Training & Education

• Password protect documents
• Check-in / check-out
• Annual Refresh training
• Onboarding procedure for new hires
• Remote Policies
• Email important files

Page 28: Securing Your Digital Files from Legal Threats

Preventing Data Loss

• Examine applications for leakage potential
• Risk assessment on each to determine potential exposure
• Application analysis for leakage potential
• Procedural analysis for leakage potential
• Ongoing risk assessment
• Shadow IT

Page 29: Securing Your Digital Files from Legal Threats


Conclusion

Page 30: Securing Your Digital Files from Legal Threats

• Recognize that your DMS is where the vast majority of sensitive information can be accessed.
• Create a cyber militia
• Have a plan, any plan – just have one!
• Remember that security is almost always in direct opposition to convenience.

Page 31: Securing Your Digital Files from Legal Threats

Additional Resources

• “Ouch!” SANS Security Awareness Newsletter (sans.org)
• Verizon Data Breach Investigations Report (verizonenterprise.com)
• Accellis Cybersecurity Policy Handbook (accellis.com)
• Worldox to Debut Enhanced Encryption Feature (buyerslab.com)
• ABA Cybersecurity Handbook (americanbar.org)
• World Software Corporation (Worldox.com)
• Accellis Technology Group (accellis.com)

Page 32: Securing Your Digital Files from Legal Threats

Questions?

Slides available @ http://bit.ly/1FIJZ3X

• Rebecca Sattin, Chief Information Officer, World Software Corporation
• Joseph Marquette, President, Accellis Technology Group, Inc.
• John Roth, Document Management Consultant, Accellis Technology Group, Inc.