Too much information… Part 2

By Dr. Guy Bunker @guybunker


A new report published last week from the Information Commissioner’s Office warned barristers and solicitors about keeping information secure.

This came on the back of 15 incidents in the past 3 months. At the end of the report there are a number of steps that companies should take. While these are aimed at the legal profession, the reality is that they should be essential reading and action for anyone who looks after critical information.

The legal world is an interesting one, as they base their business on other people’s critical information. Whether it is buying a house or a company, defending an Intellectual Property lawsuit or filing a patent, there will be lawyers involved somewhere along the line.

A few years ago, I was fortunate to look closely at some of the information security practices of a particular law firm. In essence, they wanted to know what more they could do, as security to them was a key part of their value proposition to existing and future clients. One piece that surprised me was the ‘open access’ to information for all lawyers in the firm. Most files were held on file servers, and it turned out that everyone had access to the file servers. Reducing access was a simple case of ensuring that access control was properly set up (which, in a law firm where different teams work on different projects, is much easier to say than do). A process was put together to better handle on-boarding and off-boarding of new projects so as to minimise access to only those who were part of the team. Furthermore, when a particular project was finished, access to the files was reduced to a single custodian – until such time that it could be properly deleted or archived.

While access control works well on files on file servers (or even in collaboration software, such as SharePoint), there is now a need to have controls on internal email as well. Email remains the last bastion inside the organization which enables inappropriate information sharing. Apart from a few very specific instances, in most organizations, anyone can send anything to anyone else inside the organization. (The specific instances where measures are taken to prevent this, usually having duplicate email solutions with controls between the users of each, include financial services with their front-office, back-office legal requirements, and the defence world, where whole air-gapped networks are used to keep classified information away from prying eyes... or at least they try to.)

Earlier this year, Clearswift introduced the Clearswift SECURE Exchange Gateway (SXG) to address the challenges of inappropriate email sharing. This enables organizations to use their existing email infrastructure to introduce email segregation. Whereas the solutions in finance and defence remain inflexible, the content-aware, policy-driven nature of the SXG means there is minimal disruption – with only email which would break policy being quarantined for later inspection and logged for audit purposes.

As the regulations continue to grow, and the new EU Data Protection regulation looms, now is the time to take stock of business practices and re-engineer them, taking advantage of new technologies that are designed to help in the transition. Law firms might have been singled out by the ICO this time, but legislation applies to all. Good Information Governance and security can be a differentiator; after all, who would you prefer to share your critical information with – someone with processes and technologies from yesteryear, or someone who has kept their systems and processes up to date?