Best Practice Brief
Responding to the DMS Hacker Threat

First steps: controlling the desktop and limiting access

In a time when full-scale attacks and small skirmishes were the rule of the day, it was vital for a medieval castle defense system to take all possibilities into account. Law firms would do well to follow this model. Just as castles in medieval times protected themselves with rings of defenses (the moat, outer wall, internal wall, and the last place of refuge, the tower), law firms today need to build rings of defenses that give them multiple opportunities to prevent harm if their firewall gets breached.
The first ring of defense: controlling the desktop

More often than not, breaches of the firewall happen because of an act by an employee. We’re all familiar with a number of well-publicized acts of malfeasance, but many breaches are inadvertently caused by something far more mundane:

• Creating weak passwords
• Unwittingly giving away passwords (Trojans, spear phishing, email fraud, fake websites, and keystroke loggers)
• Installing less-than-secure software (particularly cloud-based hosted file sharing)

The culture of law firms, where partners have significant sway, makes them particularly vulnerable to spear phishing, where an email appears to come from someone you trust.
Minimize the number of superusers

In the name of providing the best customer service for their lawyers, most firms have created too many superusers (in other words, users who have access to all of the content in the document management system). For example, for the sake of convenience, many firms unnecessarily give superuser privileges to their document processing center, their records management department, and “night floaters.” In addition, the firm’s “weekend warriors” want to be able to review case files, and many of those case files hold sensitive information. However, if just one superuser account gets broken into, hackers have access to most of the content in the firm. The problem has reached critical mass: law firms must limit superuser access to DMS content. It’s time to map privileges to what is needed to perform your job.

© 2013 Prosperoware, LLC
How about help desk and IT access?

The firm also needs to strictly limit the information available to the help desk and local office IT support staff to what is required to perform their jobs. For example, while this class of users may need access to profile information in documents stored in the firm’s document management system, they don’t need access to the actual content of the documents. In parallel, the law firm needs to limit the functions of the help desk and IT support staff, for example, by allowing them to view document security but not change document security.
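The two preceding sections describe a least-privilege model for DMS access: few superusers, and help desk or local IT staff who can read a document’s profile and view its security settings but can neither open the content nor change the security. The following is an added example written for this brief, not Prosperoware’s own code or the iManage WorkSite API; the role names, permission names, the superuser ceiling, and the sample users and documents are all assumed for illustration.

```python
"""Added illustration of least-privilege DMS roles (assumed names, not a product API)."""
from dataclasses import dataclass
from enum import Enum, auto


class Perm(Enum):
    READ_PROFILE = auto()     # see document metadata: title, matter, author
    READ_CONTENT = auto()     # open the document body
    VIEW_SECURITY = auto()    # see who is on a document's access list
    CHANGE_SECURITY = auto()  # edit a document's access list


# Role-to-permission map. Only "superuser" holds every permission; help desk
# and local IT get profile and view-security rights, never content or
# change-security rights. (Role names are assumptions for this example.)
ROLES = {
    "superuser": frozenset(Perm),
    "help_desk": frozenset({Perm.READ_PROFILE, Perm.VIEW_SECURITY}),
    "local_it": frozenset({Perm.READ_PROFILE, Perm.VIEW_SECURITY}),
    "lawyer": frozenset({Perm.READ_PROFILE, Perm.READ_CONTENT, Perm.VIEW_SECURITY}),
}


@dataclass(frozen=True)
class Document:
    doc_id: str
    matter: str
    acl: frozenset  # user names permitted to read this document's content


@dataclass(frozen=True)
class User:
    name: str
    role: str


def is_allowed(user: User, perm: Perm, doc: Document) -> bool:
    """Decide a single access request under the role map plus per-document ACL.

    A role that lacks the permission is refused outright. Content reads are
    additionally gated by the document's own access list, except for the
    superuser role, which is exactly why that role must be rare.
    """
    if perm not in ROLES.get(user.role, frozenset()):
        return False
    if perm == Perm.READ_CONTENT and user.role != "superuser":
        return user.name in doc.acl
    return True


def audit_superusers(users: list, max_superusers: int) -> list:
    """Return the superuser names when the count exceeds the policy ceiling.

    An empty list means the firm is within policy. The ceiling is a value the
    firm sets; the brief's point is only that it should be small.
    """
    supers = sorted(u.name for u in users if u.role == "superuser")
    return supers if len(supers) > max_superusers else []


# Constructed sample data: one matter file and a handful of users.
SAMPLE_DOC = Document("DOC-0001", "Matter-42", frozenset({"alice"}))
SAMPLE_USERS = [
    User("alice", "lawyer"),
    User("bob", "lawyer"),
    User("helpdesk1", "help_desk"),
    User("dms_admin", "superuser"),
    User("night_floater", "superuser"),   # convenience grant the brief warns about
    User("records_dept", "superuser"),    # another convenience grant
]


def decision_table(users: list, doc: Document) -> dict:
    """Map (user name, permission name) to the allow/deny decision for one document."""
    return {(u.name, p.name): is_allowed(u, p, doc) for u in users for p in Perm}


if __name__ == "__main__":
    for (name, perm), ok in decision_table(SAMPLE_USERS, SAMPLE_DOC).items():
        print(f"{name:14} {perm:16} {'ALLOW' if ok else 'deny'}")
    excess = audit_superusers(SAMPLE_USERS, max_superusers=1)
    if excess:
        print("superuser count exceeds policy ceiling:", ", ".join(excess))
```

Running the script prints a decision table showing that the help desk account can read profile data and view security on the matter file but is refused both the content and any security change, while the audit flags the three superuser accounts against a ceiling of one. The same check can be run against an export of real role assignments to find the convenience grants the brief describes.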
Prepare for ISO 27001 certification

The internal controls that defend against hacking are the same controls that will satisfy clients’ requirements for better security and privacy. Limiting access is inherent in security certifications such as ISO 27001. When law firms can demonstrate that degree of security, it reassures the client and resolves a major pain point for the law firm, which no longer needs to assign resources to respond to exhaustive security audits.
LEARN MORE

Next steps: bringing the end user into the loop
Slideshare: The Hybrid Security Model
About Prosperoware

Prosperoware designs and delivers software solutions to help professionals operate with the greatest degree of latitude possible without sacrificing governance, security, or privacy. Prosperoware platforms infuse rich web-based functionality into iManage WorkSite and Microsoft SharePoint to help firms automate and digitize core processes, securely collaborate, and work remotely on the device of their choice. Prosperoware clients include Baker Hostetler, Berwin Leighton Paisner LLP, Cravath Swaine & Moore LLP, DLA Piper, Hill Dickinson, Hughes Hubbard & Reed LLP, Duane Morris LLP, Sheppard Mullin Richter & Hampton LLP, and White & Case. Prosperoware has offices in Europe, Asia, and the U.S. To learn more about Prosperoware solutions, go to prosperoware.com.