Organisations today are expending (and rightly so) a great deal of money, time and effort on deploying a variety of technologies to prevent security breaches. They must, however, also make a similar effort to mitigate the impact of malicious attacks when a security incident does occur, which most security professionals believe to be only a matter of time – if it hasn’t already happened.
Due to the ubiquity and pervasiveness of email, it is most definitely the ‘Achilles heel’ of most organisations. Today, 91% of attacks start with an email. This is no surprise, given that phishing, whaling and ransomware are all email-borne attacks. To protect data, integrating email security with email, document and digital transaction management is the ‘low hanging fruit’ – it must be a key consideration in the overall security strategy of any organisation. This adds another layer of safeguard to data by ring-fencing it strongly, so that an attacker who gets in cannot readily reach business-critical information.
Such an integrated approach – i.e. email security + email and document management + transaction management – will streamline the processes and technology to create a strong security foundation in the organisation. Here are some ideas:
- Email security systems are the first line of defence. They automate the detection of suspicious URLs, identify keywords and match known sources of scams and threats against a blacklist. The problem, however, is that organisations simply aren’t able to keep pace with the rapid improvement in cyber criminals’ means of attack, so despite the heightened alertness of professionals it is often difficult to detect a malicious email. According to experts, there are today over 120 families of ransomware. Hence, email security systems must also be backed by best practices around people and processes, so that in the event of a human error the technology steps in to protect the data and the organisation.
- Set up stringently ‘controlled locations’ in the document management system for sensitive information, protected with features such as multi-factor authentication and encryption at rest and in transit. Should a cyber-criminal, in one way or another, gain access to the organisation’s network, access to data in this secure environment will still be restricted to authorised users.
- Place further limits on confidential information in the document management system and minimise the use of standard file shares that rely on potentially flimsy passwords for security. In the document management system, apply rigorous access policies at file, sub-folder, document and email levels. This will ensure that only approved individuals can access data, regardless of where in the folder structure the information resides. For example, an employee could be granted access to a single file in a folder without gaining visibility of any of the other information in it. Additionally, consider applying automatic ‘inheritance’ to folders, so that any document added to a particular folder automatically inherits the security profile of that folder.
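The access model described above (folder inheritance plus an explicit grant on a single document that does not expose its siblings), as an added illustration that is not the author’s or any vendor’s code; the `Node` type, its fields and the sample folder tree are hypothetical.

```python
# Added illustration of folder inheritance and per-document grants.
# Hypothetical model, not any document management product's API.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Node:
    """A folder or document. `acl` holds users explicitly granted read access."""
    name: str
    parent: Node | None = None
    acl: set[str] = field(default_factory=set)  # explicit grants on this node
    inherit: bool = True                         # take the parent's profile too?


def effective_readers(node: Node) -> set[str]:
    """Users who may read `node`: its own grants plus, if enabled, inherited ones."""
    readers = set(node.acl)
    if node.inherit and node.parent is not None:
        readers |= effective_readers(node.parent)
    return readers


def can_read(user: str, node: Node) -> bool:
    """A user sees only nodes where an explicit or inherited grant applies."""
    return user in effective_readers(node)


def build_sample_tree() -> dict[str, Node]:
    """Constructed sample: a 'Deals' folder owned by alice and bob."""
    deals = Node("Deals", acl={"alice", "bob"})
    # Added to the folder with no ACL of its own: inherits Deals' profile.
    term_sheet = Node("term-sheet.docx", parent=deals)
    # carol is granted this one file only; she gains no view of the folder
    # or of its other documents.
    nda = Node("nda.pdf", parent=deals, acl={"carol"})
    # Inheritance switched off: only alice, not the folder's readers, sees it.
    minutes = Node("board-minutes.docx", parent=deals, inherit=False, acl={"alice"})
    return {"deals": deals, "term_sheet": term_sheet, "nda": nda, "minutes": minutes}


if __name__ == "__main__":
    tree = build_sample_tree()
    for user in ("alice", "bob", "carol"):
        visible = [n.name for n in tree.values() if can_read(user, n)]
        print(f"{user}: {visible}")
```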
- Limit or even replace the use of email as the default collaboration tool, and restrict unprotected consumer file sharing services (e.g. Dropbox), replacing them with similar, easy-to-use, auditable tools from within the document management system.
- Enforce corporate data retention and destruction policies. This will grow in importance once the General Data Protection Regulation (GDPR) comes into full force in May 2018. Undertaking records management will help organisations know exactly what data they hold, in what format and where. Should there be a security breach, the organisation will be able to quickly inform the affected parties and the regulators, as demanded by the regulation. Crucially, it will ensure that the organisation doesn’t unnecessarily hold information it doesn’t need, which in the event of a hack could end up in the hands of criminals.
- Utilise analytics to monitor atypical activity. Build up an accurate picture of each user’s behavioural patterns by analysing their usage habits, such as how many emails they typically send, what types of documents they work on, who they correspond with and which folders they are authorised to access, and use that baseline to actively detect untoward activity. This is critical to the ability to proactively identify malicious activity.
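A behavioural baseline of the kind described above, built from per-user activity records and used to flag a day that deviates from it, as an added example rather than the author’s own analytics; the record layout, the `HISTORY` rows and the `AUTHORISED` folder map are constructed for the example.

```python
# Added example: per-user behavioural baseline and deviation flags.
# All records below are constructed sample data, not real logs.
from statistics import mean, pstdev

# One constructed record per user per day: emails sent, recipient domains
# seen, and document folders touched.
HISTORY = [
    {"user": "alice", "day": f"2017-10-{d:02d}", "emails": n,
     "domains": {"acme.example"}, "folders": {"Deals"}}
    for d, n in zip(range(1, 11), [20, 22, 18, 25, 21, 19, 23, 20, 24, 22])
]
# Folders each user is authorised to access (constructed).
AUTHORISED = {"alice": {"Deals", "HR"}}


def baseline(history, user):
    """Profile a user: typical send volume plus the domains and folders seen."""
    rows = [r for r in history if r["user"] == user]
    counts = [r["emails"] for r in rows]
    return {
        "mean": mean(counts),
        "sd": pstdev(counts),
        "domains": set().union(*(r["domains"] for r in rows)),
        "folders": set().union(*(r["folders"] for r in rows)),
    }


def detect(record, profile, authorised, k=3.0):
    """Return the reasons a day's activity is atypical; an empty list is normal."""
    flags = []
    # Send volume well above the user's own norm (k standard deviations,
    # with a floor so a very flat history does not trigger on tiny changes).
    if record["emails"] > profile["mean"] + k * max(profile["sd"], 1.0):
        flags.append(f"send volume {record['emails']} vs baseline {profile['mean']:.1f}")
    # Correspondents at domains this user has never written to before.
    new_domains = record["domains"] - profile["domains"]
    if new_domains:
        flags.append(f"new recipient domains: {sorted(new_domains)}")
    # Folder activity outside what the user is authorised for.
    outside = record["folders"] - authorised.get(record["user"], set())
    if outside:
        flags.append(f"folders outside authorised set: {sorted(outside)}")
    return flags


if __name__ == "__main__":
    profile = baseline(HISTORY, "alice")
    today = {"user": "alice", "day": "2017-10-11", "emails": 140,
             "domains": {"acme.example", "freemail.example"},
             "folders": {"Deals", "Finance"}}
    print(detect(today, profile, AUTHORISED))
```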
- Manage the lifecycle of business transactions through digital signatures, which are becoming increasingly important in today’s digital environment. They are legally admissible globally and are more secure than wet ink signatures. The technology is developed against industry security certification standards, such as ISO 27001, to ensure privacy of data by fully encrypting documents. It also offers authentication options and provides audit trails to support compliance.
A layered approach to security is essential today. From a data standpoint, such an approach will institute multiple barriers to ensure that even if a breach is successful, the damage to the organisation and its customers is minimal. The data will be extremely difficult to access.
About the Author
Roy is the Founder and CEO of Ascertus Limited. Roy has over 25 years’ experience of implementing and supporting software technologies within the U.K., European, and North American legal markets. In 1992, Roy co-founded a software distribution company responsible for introducing the first legal document management systems into the UK marketplace. He has also held senior management positions at PC DOCS Group, CompInfo and Hummingbird. Roy was one of the UK’s first advocates of PC network based document management, imaging, and workflow systems and has spent the last 18 years advising many corporate in-house legal departments about their use of technology to improve productivity, reduce costs, and mitigate risk. Today he is well recognised as an authority in the document lifecycle and work product management space. Follow him on Twitter @royruss and LinkedIn.