As at most organizations, your workforce has shifted from the office to remote work from home. Due to the fast-moving coronavirus, people all over the world are now working from remote personal computers. All of these changes occurred so quickly that there may not have been enough time to set up an ironclad security posture. IT departments are overwhelmed. Cyberattacks are up dramatically, according to a recent poll by CNBC.
The protocols previously set up by your IT department work well within the confines of the building. Now that the staff is scattered, confidential information is flying free outside the firewall.
Remote Platform Comparison Chart
You may be lucky, with a business continuity and disaster prep plan in place. Or you may rely on platforms that seem safe. But are they? If you’re using some of the most popular platforms, there’s a lot you’re missing.
Prepare for remote work. Avoid negative consequences.
When choosing a secure remote environment, make sure you have control over all possible scenarios. Don’t use company email for the most confidential data. Block screenshots. Ensure that the person with document access is the authorized employee. This is a time to take precautions. Lock it down.
Global organizations are implementing 14-day quarantines, or “quarantine at home” procedures, for staff who have traveled to areas affected by the Coronavirus. These crisis response measures introduce new information security risks for organizations and their clients.
Even the most prepared organization’s plans will be challenged by rapidly evolving scenarios which may include government mandated travel restrictions, quarantines or even sickness affecting staff of all levels including executives who may not be able to reach their place of work.
Staff who weren’t previously cleared to work outside the office due to information security policies may find themselves in a quarantine scenario that pits business operations against policies that restricted access to sensitive information.
Corporate IT departments will also be challenged to provide at short notice a scalable and secure remote computing environment that meets the organization’s security and data privacy requirements.
Outside vendors such as contract attorney staffing agencies may also have staff that suddenly can’t reach their review centers due to quarantines, and then face similar challenges to deploy secure remote computing environments that meet their clients’ security requirements without delaying document reviews.
Secure Remote Work Environments Support Business Continuity
SecureReview helps address these issues by extending a secure work environment to quarantined remote workers, thus helping balance information security compliance with the demands of urgent projects and of the business generally to continue operating as normally as possible.
A global SecureReview client said, “SecureReview is an important part of our business continuity plan to protect highly confidential information when staff and contractors need to work outside the office on an as-needed, matter-specific basis.”
Total isolation of client data is critical on remote personal computing devices that may be compromised by malware. Screenshot prevention, data transfer restrictions (copy/print/save) and matter-specific email help ensure access to confidential information without leaks.
SecureReview can help reduce Coronavirus-related business disruptions by enabling staff from corporations, law firms and service providers to continue working remotely on sensitive projects while maintaining a strong security posture.
There are so many ways that SecureReview helps reduce the risk of information disclosures on an upcoming project. Recently, SecureReview’s Jordan Ellington had an opportunity to converse with a customer (at a firm that’s ranked in the Am Law 50), and they touched on the most pressing concerns raised with specific product features.
Customer: How do we make sure that sensitive documents are viewed only at the firm and not at home or in a Starbucks?
SecureReview: We can implement IP locking to ensure that a secure session is initiated only in a certain location.
Customer: What if the user accesses the firm’s network via VPN so it appears as if they are in the office even if they’re not? Wouldn’t that bypass the concept of IP locking?
SecureReview: We can implement a software blacklist to include VPN software to prevent a secure session from beginning if a VPN client is started.
Customer: Can a user share their credentials with someone else?
SecureReview: No, SecureReview can be locked down to a single user’s PC, preventing credential sharing.
Customer: What if a user logs another user into their PC?
SecureReview: We can enable ongoing user verification with the PC’s webcam and prevent an unauthorized user from using a shared login credential with the authorized user.
Customer: Can users print, save, screenshot or otherwise share information with others?
SecureReview: SecureReview can intercept any form of screenshots, screen-sharing (WebEx) and automatically replace the protected content with a black redaction. Also, a watermark can be configured to display across a user’s screen to discourage pictures taken of the screen.
Customer: What if a user is running a virtual machine (VM) and taking a screenshot of the host? Would that bypass SecureReview’s screenshot protection?
SecureReview: SessionGuardian has an optional setting to prevent program execution in a virtual machine to prevent users from circumventing screenshot/screenshare protections.
By the end of this conversation, the customer was satisfied. Adding SecureReview’s security layer to the project decreases the risks of information disclosure. Another good day in SecureReview world.
Almost every day there’s a new headline: an investigation into alleged fraud at a bank, a sexual harassment claim against a company executive, or a whistleblower report of suspicious business dealings.
Internal investigations that are necessary and appropriate to get at the facts involve the collection, analysis, and review of thousands, perhaps tens of thousands of sensitive emails and documents. For a variety of reasons, this information needs to be kept from a vigorous press.
Countless security breaches and accidental or intentional document leaks leave high profile players and their attorneys exposed. The particular circumstances of internal investigations make attention to document security especially critical.
It’s so important to control who’s receiving the notifications that an internal investigation is underway. Often the possible targets are not aware that the investigation is ongoing. It’s also vitally important to ensure that the details of an investigation are not leaked to the press, because the entire substantive matter will blow up: reputations, and perhaps even individuals’ liberty, are at risk.
What about a government or corporate whistleblower? You’ve seen the movies. Perhaps only some people in the company should be aware that an investigation is happening when some employees are collaborating and others are not. The cost of any information leak or breach can be catastrophic. At the very least, the reputations of the company, the law firm, and its consultants take a hit, suffering damage that takes years to overcome.
Damage Avoidance Made Easy
A leak may not even be intentional or malicious. Consider how easy it is to accidentally enter the wrong email address. A simple human error reveals to someone outside the company that an internal investigation is happening. Spouses, roommates, nosy seatmates on the train or in a Starbucks can learn of headline-grabbing stories if care is not taken. It is critical to restrict document access to limited, specific people on the investigation team, some of whom work for the company and some of whom do not.
You don’t need the headache, and you don’t have to suffer the risk anymore. A simple, elegant solution materially reduces the risk of leaks and breaches on many levels. Lock down the matter with Secure Matter Infrastructure (SMI), which provides layers of cybersecurity for your crucial document-intensive projects.
Restrict Email Access
We don’t spend a lot of time considering it, but email is full of security gaps. SMI includes a secure, encapsulated email infrastructure that allows you to create a restricted email list. There is no way to inadvertently or intentionally send an email to the wrong party. You’ve shut down the bad actors as well as the people who meant no harm when they hit send too soon. And when the project or investigation is over, you have all the email and documents in one place, for sure.
With a dedicated data security platform, you can stop anyone from copying and pasting documents, taking screenshots, and even allowing another person to look at the document on screen. You gain the flexibility to restrict access to just one user, a team, even a specific conference room. You can decide to allow access only at certain times of the day.
Control Sensitive Data Now
And when the matter is complete, access is revoked. The documents disappear or are saved as part of an official records retention policy. Can you say the same of your current network? It is reassuring to know that those who have access are the only eyes allowed.
Enforce the policies that your firm or business has put in place, even beyond the boundaries of your network, 24 hours a day. Do you really know who is reading your most sensitive documents?
Sharing confidential documents is a necessary aspect of doing business. But conventional methods of sharing private matters also carry a degree of risk. You don’t really know who can gain access to confidential data unless you have a secure, multilayered environment that takes all possible breaches into account.
Consider that copies of information get stored in backups of file systems. On a typical day, users may access documents on corporate or personal computing devices. People work from home and access documents remotely on email. A contractor may do document review somewhere far away from the firewalled infrastructure of a law firm. These situations are quite common, and they present serious information security and compliance concerns.
People can make honest mistakes. People can also behave badly. That’s why SecureReview was created. It’s a computing infrastructure that provides complete isolation of confidential data so it can’t be leaked, either intentionally or accidentally.
Why Matter Specific Infrastructure?
From a practical perspective, Matter Specific Infrastructure means that for each project, or matter, SecureReview creates a discrete virtual workstation for each user working on that matter.
With SecureReview, each virtual workstation has its own dedicated storage, as well as a dedicated email address for the matter and user. Additionally, each virtual workstation has firewall rules to ensure the user can only access resources that are allowed within the context of the matter, and that they can only send and receive emails to and from authorized participants on the matter.
Data Security and the Backup Dilemma
By implementing Matter Specific Infrastructure, you achieve a complete security bubble around the matter and simplify the audit process that ensures that all relevant data is destroyed at the end of the matter.
Consider a situation that’s all too common when working with highly confidential data. A judge issued an order to protect a large cache of documents. The problem was that the documents were cached in the email system of the contract agency. Because there was no firewalled data security solution, the agency had to go to great lengths to destroy six months of backups. Not only was this task time consuming, but it carried a very high cost. Had the agency utilized Matter Specific Infrastructure, the process would have been painless, quick and low cost.
By contrast, SecureReview’s Matter Specific Infrastructure provides an individual virtual workstation for each project, or matter, and for every user working on that matter. Security and ease of use are guaranteed, and data security headaches disappear.
To find out more, visit SecureReview at the LegalTech 2020 conference, booth #3231. SecureReview is a proud sponsor of LegalWeek, which takes place February 3 to 6, 2020, at the New York Hilton in Manhattan.
Are the best document review attorneys working long hours at night at home? Can they print “interesting” docs or emails to firm associates upon request? Does one doc review attorney out of 60 in a beautiful open-office space in Dallas have an ax to grind against your client or against a particular corporate player?
Can an attorney email docs to a college roommate who now works at Bloomberg? Can they casually share a particularly “colorful” comment by Acme’s president with their spouse on the couch for a laugh? You need a solution that ends the back channeling.
Wouldn’t it be great if your document review attorneys could access the docs from the office only if you choose — and only if the attorney’s face has been authenticated in front of the computer? That ideal state is available right now.
Professionals Are Humans, Too
The contract attorneys hired in Richmond, Atlanta, Philadelphia, and the Twin Cities are smart people who went to college, and then law school, and passed the state Bar. Most are earnest, well-meaning professionals.
But they make honest mistakes. Documents get saved to the wrong server, emailed to the wrong people in error, backed up to the agency’s systems and stored forever. Contract doc review attorneys live with people who work at law firms and newspapers or colleges and state legislatures.
They change too — impartial and professional one day, and driven by passions 90 days later — with access to evidence. And that evidence in the wrong hands can be devastating. Data loss prevention and other methodologies for controlling where sensitive client data goes are more important today than ever before, and more complicated today too, as projects involve more organizations.
Take Control of The Document Review Environment
There is a practical, economical way of implementing best-practices InfoSec across all your doc review agencies. You can select the vendor who has the doc review lawyers with domain expertise, or just the right price, and “outsource” the infosec to an independent provider whose only business is keeping your client’s information secure.
Do the contract attorney agency and the full-service ediscovery provider have backups of their network storage resources? Their email servers? The individual PCs in the review center? Your key documents are on their network and in their backup snapshots, and perhaps even in their third-party data backup company’s storage systems.
Recently one contract doc review agency in the US had a “leak.” Some PDFs of important docs of one of their clients leaked from the users’ PCs onto the agency’s email server and system backup tapes. The audit to prove that they had complied with the document destruction order cost about as much as they made on the project.
If only the well-meaning doc review vendor had been able to segregate all the data on the matter to an independently managed info tech infrastructure, this could have all been avoided.
People can make honest mistakes. People can also behave badly. That’s why you need a fast, secure, inexpensive computing infrastructure that provides complete isolation of your client sensitive confidential data so it can’t leak or be leaked.
Solutions That Put You on the Right Side of the InfoSec Battle
Consider a secure, matter-specific information technology infrastructure and related services to get doc review projects started on the right InfoSec posture. From a practical perspective, a matter-specific (or project-specific) infrastructure means that each document review and redaction project gets its own discrete, secure, virtual computer network with workstations, email, shared storage, approved apps and constant auditing for each user working on that matter.
These systems can be faster than traditional approaches, accessible (with proper permissions) from anywhere in the world, and surprisingly economical.
Get a solution in which each virtual workstation has its own dedicated storage — that does not get backed up to the agency’s systems — as well as a dedicated email account for the matter and user.
With the right infrastructure, the email for project coordination, collaboration, and doc sharing is NOT inside the ediscovery vendor’s enterprise email system, with its own policies and backup protocols.
Be sure that each workstation has firewall whitelist rules to ensure the doc review attorneys CAN access the sites they need and cannot access other sites, and, of course, can only send/receive email to/from folks they should.
A Matter Specific Infrastructure provides each document review attorney and project manager an individual virtual workstation for each new project, or matter, and at the end of the matter, the infrastructure is archived or deleted. You do not have to depend on the vendor’s IT staff to carry out the cleanup. Information security, convenience and cost-effectiveness are guaranteed. Worries disappear.
Today, even for large law firms, one significant litigation or government investigation matter can lead to lawyers carefully reviewing thousands, or tens of thousands, of emails and memos and PowerPoints and spreadsheets from key players inside your client company for privilege, trade secrets, or any number of important facts and issues.
The powerful alchemy of AI and magic mojo of machine learning have not put document review attorneys across the globe out of business just yet.
The relentless flow of email, Slack and Asana, iMessage and Skype, and the move to Office365 means there is a lot of content for boards and their attorneys to worry about. Maybe the robots will skillfully handle all this doc review one day soon, but for now ramping up a document review project — even after all the technology-enabled culling has happened just right — is an important and expensive undertaking.
Sensitive Documents Need Sensitive Environments
Often, depending on the number of docs, the complexity of the issues, and the number of bold-face names on the witness list, there may be an army of contract lawyers in Florida or Nashville or Bangalore that get to read these emails and docs. If you’ve done all your ECA and TAR just right, you still have a bunch of sensitive docs and email from the important custodians, perhaps even C-level players, that attorneys need to pore over and make a decision about.
In many instances, contract attorneys will be needed to help your associates review the documents if you are to meet the court’s discovery schedule (or the strategically negotiated schedule with the DOJ lawyer).
It happens every day in the AMLAW 100 and 200, in the Magic Circle, and in the Big Four. Projects are bigger each year and it takes teams of firms to handle today’s complex litigation and investigation matters. If it has not already happened to you, it will soon. Many of the people you (and your clients) need to work on the matter will NOT work at your firm.
For Document Review, Don’t Rely on Trust
Can you trust your ediscovery or “managed review” provider to have really thought through all the complexities of today’s infosec issues? Can they afford the latest in DLP software? They too are taking advantage of the gig economy players with rented space at the start of each review project. Ten or 20 or 80 contract lawyers working at PCs set up on folding tables yesterday; lawyers who were working somewhere else last week.
How secure are these doc review operations? What can these vendors, with thin margins, focus on: good IT people, best practice procedures, or good review attorneys? If only there were a third party providing security-as-a-service for legal document reviews.
When you regularly handle confidential documents, it’s an excellent idea to conduct information security audits. An information security audit is a great way to measure and assess the effectiveness of your security policies. An audit is an opportunity to ensure that your well thought out plans are technically sound.
But there’s one problem.
An audit is a snapshot. It captures no more than the precise moment the information security audit was conducted. There’s nothing to prevent a security breach from occurring a minute, a day, or a few months later. You would never know that there’s been a data breach if you’re relying solely on those audits to put your mind at ease.
Types of Security Audits
There is a great variety of security auditing tools and protocols for information systems. Here are five areas that are typically scrutinized:
- Vulnerability tests find weaknesses in design, procedure, and implementation
- Penetration tests discover opportunities for attacks on your digital resources
- Risk Assessment allows management to decide which risks it is willing to take
- Compliance tests assess how well the organization is adhering to agreed upon rules
- Due Diligence Questionnaires determine how well partners comply
Data Breaches Despite Security Protocols
While this set of evaluations appears to provide an exhaustive, 360-degree view of a system’s information security, it’s not enough to prevent major damage. Take, for example, some recent high-profile data breaches. It seems that every time you look, another well-known organization falls victim to hackers and identity thieves. Surely, Macy’s had security protocols in place in October 2019 when malware installed on its e-commerce site went undetected for an entire week, according to Fast Company.
During that time, sensitive customer data, such as credit card numbers, names, addresses, phone numbers, and email addresses, was stolen. It was the same malware that affected Ticketmaster and Newegg.
Equifax is another example of a serious data breach at a business that should have had ironclad security protocols in place. And yet, in 2017, the sensitive information of 145 million consumers was exposed. The ripple effect of this information security breach is still being felt to the tune of $650 million. The company is subject to a class action suit, and may have to pay out up to $20,000 per customer.
Error, Negligence, and Bad Behavior
Audits are only a small part of an overall information security strategy. An audit occurs at a point in time. The instant that moment passes, your organization is vulnerable again.
Even though major corporations have infosec protocols in place and undergo regular audits, there’s a high risk for human error, negligence and bad behavior.
While it’s probably impossible to entirely eliminate risk, there is a way to greatly reduce risk. You should reasonably expect that your documents will be secure throughout the system. The secret to infosec success is layers.
Risk Reduction Through a Layered Approach
By all means, continue to conduct security audits. And consider adding a layer of security that continues to work for you all day, every day, around the office and around the globe.
As good as a security audit can be, it just takes one person to break the system once the audit is complete. Don’t play a cat and mouse game with hackers. When you truly protect your documents, you’ll sleep better at night knowing that you have an impenetrable information security wall.