They say that nothing in life is certain except for death and taxes, but legal organizations can add another truism to the stack: Ransomware and other types of cyberattacks will only continue to increase in frequency and severity.
According to Juniper Research, more than 33 billion records will be stolen by cybercriminals in 2023, which represents an increase of 175% from just five years ago. Additionally, Kaspersky Labs reported that during the first 10 months of 2022, the proportion of users attacked by targeted ransomware doubled compared to the same period of 2021 — a trend line that does not bode well for 2023.
Amid this surge, legal organizations — not surprisingly — continue to be popular targets for these types of attacks. Meanwhile, flexible working models — which have dispersed professionals from an office environment where all daily business was conducted on company-approved devices behind the corporate firewall, to a “work from anywhere on any device” situation — have only added to the degree of difficulty in keeping sensitive data secure.
Given this formidable array of security challenges to contend with — not to mention a persistently tight labor market — it’s no wonder that those tasked with protecting company and client data are feeling overburdened and under an increasing amount of pressure.
In response, many organizations have started investing in security orchestration to help improve the efficiency of their internal security controls. The primary benefit of security orchestration is that it allows previously siloed tools used to detect and respond to security incidents to be connected. This approach unifies and automates multiple aspects of security — from threat alerts and monitoring to remediation.
“Since a good document management system (DMS) has robust security and data governance controls, the failure to integrate it into the wider company threat monitoring strategy means that valuable real-time information and alerts related to documents and emails residing in the DMS are missed out.”
When it comes to orchestration planning, however, one essential component is often ignored: integration with the organization’s document management system (DMS). This oversight has the unintended effect of creating a gap in the organization’s security response — one that centers around the system where the vast majority of law firms and corporate legal departments keep their sensitive and privileged information.
Since a good DMS has robust security and data governance controls, the failure to integrate it into the wider company threat monitoring strategy means that valuable real-time information and alerts related to documents and emails residing in the DMS are missed out.
So, how can we best close this gap and bring the DMS into the fold?
A good first step is a change of mindset around how the DMS is viewed within the organization. Traditionally, IT focuses on monitoring the systems that fall into the “infrastructure” bucket (e.g., the email system, endpoint devices, private cloud and so on) while more specialized applications like the DMS are seen as being “owned” by the particular team, department or practice group that purchased them or uses them the most.
The downside of this segmented approach is that alerts generated by the DMS when certain user behavior deviates from what is considered normal are sent to a point person within that team or practice group rather than to those with a global view of the organization. The obvious concern: Does the point person know what to do when they receive an alert and whom to escalate it to?
An employee who is leaving the organization and is serving their notice period may decide to create a “backup” of all the files they worked on during their employment because they feel that these belong to them. The activity triggers an alert in the DMS, as the files contain sensitive content such as client information. To reduce the risk of data loss, organizations would want to ensure that this type of alert reaches their central threat monitoring system as soon as it is generated. Alternatively, an alert could be generated by the DMS when a user accesses confidential documents from projects that they are not working on. This could be the product of a bad actor who has their hands on stolen user credentials.
The important point is that those responsible for protecting business information across the organization should be alerted of any anomalous behavior surrounding the DMS so that they can investigate and take action, as they would do for any attacks to the company network.
Legal organizations should make sure that whatever DMS they’re using, it can easily “talk to” the organization’s integrated security stack. Industry-standard services such as REST APIs are crucial here, ensuring that DMS alerts can be integrated into the Security Information and Event Management (SIEM) tool, for instance.
When different products are seamlessly working together in this manner, organizations can fully embrace the benefits of security orchestration, leaving behind manual processes in favor of an automated and integrated approach that encompasses important systems like the DMS. Only this comprehensive course of action will do for legal organizations that want to effectively protect their sensitive data from the security challenges that are part and parcel of today’s business landscape.