Phishing attacks as we know, are malicious and orchestrated by external parties. Often due to their sophistication, despite the best efforts on the part of employees, criminals manage to trick them into giving access to business-critical and/or sensitive information. Therefore, the importance of continuous staff awareness and training cannot be emphasised enough.
Equally, from a technical perspective, there is no shortage of solutions, and alongside them, a conceptual change in approach – from optimistic to pessimistic security – is necessary. This requires a change in mindset involving a move from an open approach to security to locking down data from the outset. To explain, in an open or optimistic model, typically, the document management system (where a firm’s data resides) is set up to enable anyone in the organisation to enter a matter workspace, but then as people work on the issues, data may be subsequently be locked down based on changing authorisations (known as by exception). In the closed or pessimistic model, the system is designed to only let the authorised individuals access the information. Pessimistic security can make a material difference to data security.
Data loss prevention
Similarly, firms should consider the concept of classification-based data loss prevention. Simplistically, when a matter is created, the user may set up an ethical wall, but further classification can also be set up to prevent individuals from taking actions like printing, copying text or editing data. In essence, the firm is applying governance to both the data access and user actions. So, in the event of a breach, the criminal may have access to data, but will not be able to act on it.
Cloud service provider credentials
When it comes to ransomware, especially with many organisations moving to the cloud, it is imperative to use a cloud service that meets the highest security standards. The stringency of this requirement will further increase in post-Brexit Britain. Considerations like data encryption at rest and in transit; compliance with audit, data privacy and security standards (e.g. ISO 270001, EU obligations, HIPAA); application of machine learning to protect data and use of advanced analytics to proactively identify threats; must be part of the cloud service providers’ repertoire.
If you would like to explore or discuss how you can adopt pessimistic security, do get in touch via firstname.lastname@example.org. We are already helping law firms and corporate legal departments with this transition.