Information Management for Professionals
Specialists in document production and management solutions, Ascertus offer a full range of professional services and software solutions, which allow professional knowledge workers across all sectors to demonstrate and justify their value to their company, effectively manage their costs, mitigate their risks, and enhance their efficiency and productivity.
London, U.K. – 06 December 2016 –
Threat and Records Management to Dominate in 2017; With Artificial Intelligence, in the Vein of Commoditisation, Striving to Make a Bigger Play
Roy Russell, CEO of Ascertus Limited, highlights his view on the technology trends in the legal sector in 2017:
- Threat management will play a key role in security efforts – With the continued onslaught of cyber-crime in all its various guises – phishing, ransomware, whaling, smishing and so on – security will be high up on the agenda in the legal sector. In addition to traditional reactive security measures, law firms will look to actively make pre-emptive security a priority. To support this requirement, legal technology vendors will embed threat monitoring and management into the core business applications that firms use. Linking big data with behavioural intelligence based on system history, such tools will create, study and monitor the fingerprint of every single user and alert the organisation to unusual actions and activities. These threat management solutions will very accurately highlight the usage patterns of employees based on their role in the organisation. Consequently, any peculiar or untoward activity will be relatively easy to spot to potentially identify attacks in process and even improve the ability to detect future breaches.
- Records management systems will grow in importance and functionality – Records management is becoming essential for regulatory compliance and data security, driven to the forefront of firms’ agendas by the impending arrival of the General Data Protection Regulation (GDPR). The ability to automatically apply company retention policies to physical files, electronic documents and email correspondence based on good governance practices in both controlled and uncontrolled environments, from a range of device types, as well as inside and outside the corporate firewall, will become essential.
Historically, records management has been viewed as a burdensome elective process, relying upon users to manually apply the correct retention policies to their individual records. This has rarely been effective. To support the more widespread use of records management in view of the business imperatives, software vendors will make their systems more affordable and processes more user friendly and intuitive. For example, in recent times we have seen the rise of separate record management systems that can auto-categorise and automatically apply retention policies, thus eliminating manual effort. Unfortunately, to date these types of solutions have been very expensive. The new breed of records management systems will provide such functionality as standard. They will also provide full management of many types of data repositories, both physical paper and electronic based, including tight integration with document management systems, network file shares, SharePoint repositories, and other data stores.
- Artificial intelligence (AI) initiatives will continue, but in the vein of commoditisation – AI is garnering interest in the legal sector, but a closer inspection of the tools and apps being made available reveals that they are presently more similar to commoditised legal services in the form of packaged, low-cost modules for areas such as wills, contracts, pre-nuptials and non-disclosure agreements for the benefit of consumers. Undoubtedly, AI offers tremendous potential and some large law firms have launched initiatives to leverage the technology. However, there’s a significant amount of work to be done in defining the ethical and legal boundaries for AI, before the technology can truly be utilised for delivering legal services to clients with minimal human involvement. Until then, in 2017 and perhaps for a few more years yet, we will continue to see incremental innovative efforts to leverage the technology, but in the vein of commoditisation – similar to what we have seen in the last 12 months.
Note to the editor: Roy Russell is available to discuss and substantiate his view with further detail.
About Ascertus Limited
Ascertus provides information and document lifecycle management consultancy, software solutions and IT support services to law firms and corporate legal departments. Based in Central London, the company offers a full range of professional services – from consultancy, business analysis and project management; to software implementation, training, documentation and technical support – delivering bespoke email, contract and document management solutions in on-premises and privately hosted environments. The company has successfully delivered and managed some of the largest iManage Work installations at customer sites in the UK. For more information, visit: www.ascertus.com
Ascertus featured in Legal IT Professionals | Document and Transaction Management Processes Critical for Law Firm Data Security
The original article was featured in Legal IT Professionals: Document and Transaction Management Processes Critical for Law Firm Data Security
The security-related lexicon pertaining to email scams is rapidly growing. There’s phishing, spear-phishing, ransomware, whaling; and most recently, I heard of ‘smishing’. Not entirely an email scam, but these SMS-based messages have an email-like format with email-specific fields in the messages and malicious links hiding behind shortened URLs.
Cybercrime is indeed a global problem, but law firms are especially susceptible due to the large volume of highly sensitive client data they hold on businesses and individuals; in addition to the fact that they are also cash rich.
Emails are the chink in law firms’ armour. Due to the pervasiveness of email as the default communications tool, it’s easiest for criminals to take advantage of it for malicious purposes. Security systems may mitigate many of the issues, but nowadays it is the law firm Partnership and staff that are being targeted and socially engineered. They must be educated and made aware of the warning signs. In cases where security is still breached (and it will be), adding hurdles and layers of security for the criminals to navigate will help minimise risk.
Consider this scenario. A Partner at a law firm receives an email from a professional acquaintance, with a suggestion to visit a particular site via the link in the email. The Partner clicks on the link, which takes the individual to a page with a message, ‘can’t reach the page’. Soon after, a window pops up on the Partner’s screen requesting a re-authentication with the firm’s email server. Unsuspectingly, the Partner enters the details and in doing so, gives away credentials to criminals, who then have full control of the PC and access to not just the Outlook mail box, but potentially also the firm’s entire data in the network. It’s that simple!
Ringfencing critical data
Law firms need to institute strong security defences around data, so that in the event of a breach the damage can be contained, if not entirely pre-empted. Properly configured processes in the firm’s email and document management will go a long way in facilitating data security. Some thoughts:
Fully administered locations – Rather than storing information in file shares and Outlook inboxes, saving information in ‘governed’ locations in the firm’s email and document management system is a better approach. Many access restrictions can be instituted to ensure that data is not easily available to unauthorised users. For example, demanding multi-factor authentication means that users will be granted entry to the file or folder only if they are able to present two or more pieces of evidence to authenticate themselves. Security can be further enhanced by leveraging encryption at rest and in transit. Most crucially, if a breach does occur, the email and document management solution would provide audit trails to track the actions of every single user to enable the law firm to ascertain exactly what data has been compromised. This is important for timely and appropriate crisis and customer management.
Enforcement of strict ‘pessimistic’ security policies – Culturally, most law firms have been fairly open in the way they share and access information internally. In today’s world, this optimistic attitude is risk-ridden, especially for those firms who have a multiple regional presence or are planning the same. Structuring and enforcing corporate security policies down to a very granular level is imperative. This will shift the focus of the security policy away from the feeble password approach, which is completely unreliable given that employees are prone to sharing and often losing such codes. Applying access policies at the file, sub-folder, document and email level ensures that only approved individuals can access data – i.e. rather than giving an employee access to an entire folder in order to view a single file, a partner could authorise the individual to view just that one document, barring visibility of all the other pieces of information. Additionally, automatic ‘inheritance’ can be applied to folders. So, any document added to a particular folder would automatically inherit the security profile of that folder.
Provision of secure file sharing – File sharing tools like Dropbox and Box have seen exponential growth in the enterprise over the last few years, perhaps because organisations hardly offer comparable easy-to-install, user-friendly and cross-platform applications for sharing large file attachments with external parties. Consequently, these ‘shadow IT’ solutions have grown outside of the IT governance policies, as employees resort to these insecure tools to exchange information easily and speedily. File-sharing services provided on the back of the email and document management systems are a much better alternative: they are equally effective and intuitive to use, and offer the necessary governance controls like auditability and security.
Records management and timely data destruction – Organisations don’t always appreciate the value of timely data destruction. It is instrumental to records management. Law firms must have processes that automatically enforce destruction policies. Aside from saving storage costs, timely data destruction minimises the risk of unnecessarily held information reaching the hands of criminals. Record management systems will also ensure that firms understand exactly what data they hold, in what format and where. In the event of a security breach, they will be able to quickly identify and inform the necessary parties and regulators. Failure to do so may now result in severe, possibly business-terminating, fines.
Threat management analytics – A hacker can penetrate a network and ‘sleep’ there unbeknown for weeks and months without even a whiff to the organisation whilst accessing and monitoring the information they require. Commonly now, an employee goes rogue, stealing or destroying data from the firm’s systems. By leveraging smart threat management systems, firms can build up an accurate analysis of their users’ behavioural patterns and proactively detect peculiar activity, which is essential to mitigating the effects of malicious security incidents.
Adopting digital transaction management processes
Additionally, as organisations conduct business in today’s increasingly digitised environment, adopting electronic signatures and digital transaction management (DTM) can go a long way in not only managing the lifecycle of business transactions, but making those transactions faster, easier, more convenient and doubly secure.
DTM systems can assist employees to prepare, execute and manage every stage, both internally and externally, of their transactions. There is full, real-time auditability – how many times a document was opened, by whom and at what times, who signed the transaction and when. Once digitally signed, the document is sealed to indicate that the electronic signature is valid and that the document has not been tampered with. This ensures that documents are legally admissible and enforceable. Such technology of course must be based on industry security certification standards such as ISO 27001.
When talking to Richard Oliphant, Europe, Middle East and Africa General Counsel at DocuSign, he commented, “When using a Digital Transaction Management platform to digitise workflow, you have access to a real-time audit trail, tracking every step of the transaction – who signed, when they signed and, in some cases, where they signed. It generates the ‘proof’ of signature that you can rely on in court to establish the authenticity and integrity of the electronic transaction. And there’s the efficiency and cost savings through going paperless – firms remove the need for printing, faxing, scanning and mailing. These outdated services not only eat up money, they don’t belong in the digital era.”
Many organisations today invest heavily in trying to prevent a breach. Evidence suggests that perhaps the emphasis should be on mitigating the impact of a successful breach. Securing business critical data is not only obvious, but also a quick win. Given the pace and vigour with which criminals are building their armoury, alongside their phenomenal success rate, strengthening security barriers around data is not only a practical and astute approach, but also a no-brainer.