Careless remote collaboration leads to a security catastrophe
Experts in document review recall a time before COVID-19, when work took place largely on premises. Staff situated in one large room could call over the team leader and say “Hey, take a look at this. How would you treat this document?”
In the age of the remote workforce, it is not sufficiently secure for workers to take screenshots of documents and send them to coworkers in an IM or by email to ask the same questions.
Balance Security with Collaboration
When we think about information security and data loss prevention tools, it is important to maintain a balance between collaboration and security. We don‘t want to go so far on the security side that we prevent people from working together effectively. Maintaining a gold standard in the work from home era requires a careful balance of security and collaboration.
People need a way to share documents, ask questions and get timely feedback. On the other side of the collaboration/security continuum is data loss prevention (DLP), infosec, compliance and privacy. If you go too far in that direction, nobody can work collaboratively. If the remote work environment is so completely locked down and airtight that reviewers are reviewing 10 documents an hour instead of 60 documents an hour, you’re probably not going to call it a win.
It’s important for legal service providers to allow for the right type of collaboration. In order for goals to align with outside counsel as well as with client goals around cost containment, efficiency is key. Choosing a collaboration tool and deciding on a collaboration process allows ensures that all of these goals are met.
Risk-Based Assessment is Key
There isn’t a one-size-fits-all formula to perfectly manage this balance. However, everyone agrees on the importance of taking a risk-based approach. “It’s all about that risk-based assessment, tying it back to risk and business goals.” said John Wilson, CISO at HaystackID. “When people have a smoking gun document that they don’t want getting out in public, they’ve got to have security elements in place to prevent that leakage. That comes down to communication and collaboration. How are reviewers working on this document? It may come to the fact that data could be exfiltrated out of the review system, for instance. There are a lot of different considerations and varying factors at play. You’ve really got to delve in to each situation to understand the risk.”
Risk assessment is the key to making communicating security needs easier. Privacy officers, CEOs, and clients can team up on DLP when things are easily drawn down to a risk assessment. “The secret sauce as to how you figure out the right thing.” said Wilson.
This is part of a series based on the Legalweek 2021 Panel, WFH Cybersecurity Risk Management from a Legal, Business and IT Perspective. Watch the full talk here.