Cybersecurity Comment: It's not been a good morning but Microsoft may have the answer
by Jeff Lawler, managing director, Tricostar (*)
It’s not been a good morning.
You see your firm’s name on the ticker tape on Sky News.
Then you see some 100,000 confidential client documents are in the public domain.
Some of your largest revenue clients are also named.
The documents were hacked how long ago? – 6 months – how is that possible?
Thank goodness, we are insured.
Yes, insurance may cover your immediate problem – but your reputation for discretion and client confidentiality is shattered.
So how did the above happen?
Well, today the client confidential data you create no longer resides, locked in a filing cabinet, locked in your office safe, behind alarmed front doors and security guards.
It moves electronically between users and their laptops, smartphones and tablets and is stored in a variety of different locations – maybe you use Dropbox as well as your internal document management system.
The big problem that every firm confronts is that regardless of the resources you put in place to protect your network from outside attack – no system in the world is hacker proof. Some are more difficult than others to hijack but none are immune. So once your perimeter is breached all your client confidential data is an open book, and unless you have the right tools and a vigilant, highly skilled IT department in place, you are likely not even to know that a copy of your crown jewels has been taken.
But unlike the Crown Jewels, which stay heavily protected in one spot, a lot of your client data is shared with a host of third parties involved in a file or matter.
As the originator of this information, once you click send you have no control over it. That confidential data is then, to a large extent, at the mercy of the third party and the security, or lack of it, that exists on their tablet or smartphone.
Let’s imagine a different scenario.
This time you save a file to your document management system and then attach it to an email and press the send button with the confidence that the files or document contained within are fully protected, whomever they go to and wherever they are stored. Even when your network is breached, or your files are leaked, the sensitive and confidential data within cannot be accessed by anyone without the express permission of the originator.
Your data controller can, if necessary, immediately revoke all access, or set an expiry date on all information, wherever it is, within seconds.
All this without a fee earner ever having to change their current working practices, retrain or make decisions on the level of security a document or email needs.
On top of this, at the press of a button, you can see a full forensic history of the lifecycle of that document, so you can see who else has opened it or redistributed it – in fact, track any activity on the file and immediately revoke access if something unexpected happens.
In fact, this forensic audit trail will tell you immediately that your documents have fallen into the wrong hands. You won’t have to wait 6 months or more to discover that fact when your clients and their confidential data are headline news globally and your firm’s reputation is damaged beyond repair.
Information security nirvana, you might think – not so anymore!
The solution lies in a product from Microsoft that requires no expensive hardware, is technically simple to deploy and has a very low-cost licencing model.
The recently launched product is called Microsoft AIP, and is a huge step toward ensuring you do not fall victim to cyber-crime and toward meeting GDPR compliance, as well as avoiding potentially huge fines for data breaches and non-compliance come 25th May 2018.
How Does AIP Uniquely Secure Your Client Confidential Files and Documents?
First, some comforting background. Microsoft only launched this product in the middle of 2017, but the technology has a significant pedigree. It was developed by an Israeli company founded in 2006, which designed the software to classify sensitive information automatically based on policies outlined by an enterprise, and then to wrap it in the appropriate level of digital rights management. It has been deployed in global companies. However, the scope and size of the infrastructure required meant only the largest corporations with the deepest pockets could afford to deploy it.
Microsoft purchased Secure Islands Technology for an undisclosed sum in 2015 when Tricostar’s security division was about to market the services around this product set.
Microsoft then took the software technology and created AIP – a cloud-based product that works with Office 365, requires no unwieldy hardware infrastructure, has a low, simple licensing model and is technically easy to deploy. It is scalable from the one-man practitioner to the largest global law firms.
Let’s look at the three core activities this product performs:
- You can automatically classify a document based on source, content and its context. The beauty is once classified this “label” is embedded in the document and travels with the document wherever it goes. And this is the area where you will need help i.e. using a proven implementation methodology that permits you to deploy this system without disrupting the firm’s day to day work or business practices. Today by using this proven implementation methodology, we are working with organisations to provide a smooth implementation and ensure that sensitive and confidential data cannot be accessed by anyone without the express permission of the originator.
- The document is then automatically encrypted and protected wherever it goes and access is restricted to authorised users only, based on centrally controlled data policies.
- Lastly the document or file can be tracked, what happens to it analysed and its protection rights immediately changed if unexpected activity occurs.
So, in summary:
- Full control, no matter who has your documents or data. Even when your network is breached, or your files are leaked, the sensitive and confidential data within cannot be accessed by anyone without the express permission of the originator, who can, if necessary, immediately revoke all access, or set an expiry date on all information.
- No need to retrain, or change the way you work. Using Microsoft’s Azure Information Protection (AIP) software, there is now a way you can deploy and protect your data and documents wherever they are, wherever they go or whoever has them, without disrupting your firm’s usual working practices.
- Easy for you to maintain and update. With the introduction of Microsoft AIP, a trained data controller can now roll out policy changes across your entire organisation (using Microsoft Office 365), in a little less than one minute.
- Real-time intelligence and information. Your documents and data remain protected no matter where in the world they may be, and our exclusive management dashboard helps you to understand which teams or departments are regularly sending or receiving sensitive information.
- Low cost of ownership. You need little more than Microsoft Office 365, and utilising Tricostar’s proven implementation methodology you will be protected. Updates are deployed automatically over the cloud, and changes can be made by you, as your data policies and legislation change.
* Tricostar have been passionate about bringing secure, innovative legal software solutions to the legal sector since 1988. They were first to provide portable electronic time recording in 1988, the first to provide a true 100% web-based case management solution in 2005, the first to successfully deploy a working legal shared service in 2007 and the first to host a case management application for a legal department in the cloud. Our security division, which supports our own case management solution and is now supported by Microsoft, enables us to provide a true solution for data classification and protection, which will integrate seamlessly with your existing processes and applications.
For more information go to https://tricostar.com/general-data-protection-regulation-and-security/