With the dramatic rise in crypto and ransomware attacks, law firms (and their clients!) are starting to pay more attention to security issues. Obviously Worldox-specific security should not be seen as a replacement for overall firmwide network and workstation security.
While various areas of hacking have gotten the most attention, it is important to note that there are multiple levels of security in a law firm. For starters, in terms of Worldox, there’s internal security and external security.
There are several levels of internal firm security.
• The firm needs to protect documents that should be restricted (partners only, HR, Accounting, etc.) from visibility/access by non-authorized employees. The best way to do this is to create at least one additional cabinet (an “Admin” cabinet is the most common) and then restrict access to that cabinet, or to areas within it, with a variety of Ethical Walls. This is generally preferable to individual document-level security, which is more work for the user and less secure.
• Restricting deletion options to “Salvage Bin” (a Worldox equivalent of the Recycle Bin on your local PC) protects both against inadvertent error (“I didn’t mean to delete that”) and maliciousness (employees taking unauthorized documents with them when they leave a firm). A limited number of people are given access to restore files from the Salvage Bin.
• Configuration Security. Restricting deletions to the “Salvage Bin” (a Worldox equivalent to your local Recycle Bin) is a main feature here. Firms will also want to limit the ability to create new client/matters and to access various other features. Other features (such as Web Access) may be restricted to specific users.
• Personal documents. Many users feel the need for “personal” or “private” documents. While technically any document produced on a firm’s computers belongs to the firm (and hence there are no “personal” documents), firm culture frequently allows for this. Rather than having users store documents on their individual PCs (a bad practice in every conceivable way), many firms allow for a “personal” matter in an individual folder. This can be set up so that only the individual sees those documents (typically using Ethical Walls), or in a folder that is in fact available to everyone.
On a network level, Worldox GX4 integrates with Active Directory. This means that any security applied by Worldox is ported over and applied to Active Directory and vice versa. This should be a basic “best practice” option (although it may not be available in some hosted solutions).
Lastly, an issue that has received a lot of attention lately: Multi-Factor Authentication (“MFA” or “2FA”). This means that when you log in to Worldox, it sends you a notification (typically via text message to your phone, but sometimes via email) with an extra code which you need to input in order to complete the login. Implementing MFA has been shown to prevent 99% of hacking attempts on email accounts (probably the main form of hacking, although it does not protect against phishing, where someone is tricked into logging in to a fraudulent site that steals their email address book or leads people to transfer money to a fraudulent site).
Despite its proven effectiveness, many people don’t implement MFA because it is “too much work,” i.e., an extra step that takes at most one minute. With email it should be a no-brainer, but what about Worldox, where you are traditionally accessing it from an in-house network and not from a cell phone, iPad, etc.?
Let’s start with the easy case: if you are using Worldox Web (access to Worldox via your browser, with no other software necessary) you should definitely enable MFA.
For Worldox itself, things are more complicated. Traditionally, in an all in-house network, the benefit of MFA is probably marginal. However, with the Covid pandemic, many, if not most, people are largely working from home. In this case they are accessing Worldox via a VPN or an RDP (terminal) server, either to their in-house PC or to a hosted solution. Here the risk factor is considerably higher, and firms would do well to consider MFA.
The main danger is not hacking but phishing. I have had several clients have their email accounts “phished,” where the user is tricked into opening documents with malicious code that steals their entire email list. I have to confess I am not immune: at one point a year or so ago I received an email ostensibly from the managing partner of a client (the return email address listed him as the sender) asking me to take a look at a document. I stupidly opened the document and was subsequently bombarded with hundreds of emails daily from all over Europe and Eastern Europe offering something for sale. It took me about 6 months to get rid of them. Actually, this was relatively benign (although extremely annoying): I was lucky in that, as far as I know, my own account was not hacked.