Albert Barsocchini’s post, Are E-discovery Review Platforms a Serious Security Risk?, brings up an important discussion about the need to focus on the security of our online review platforms and our industry’s responsibility in ensuring that data remains secure during review. I completely agree with his points. I would add that we need not only to focus on the security of our review platforms, but also to ensure the security of the entire process from data intake to shipping the final product.
We need to design our processes and systems with security as a central feature, not added on as an afterthought. Although important, having our IT teams build secure systems is not sufficient. Our entire organizations must embrace processes that support security. This includes training people who are committed to doing what is required to keep clients’ data safe from hackers, malware and corporate espionage. We might make our data centers as secure as nuclear missile silos, but that doesn’t do much good when users share easily guessable passwords or employees jot login credentials on sticky notes attached to their laptops.
This doesn’t mean we have to sacrifice convenience for security. The security industry is constantly improving the art of convenient security practice while incorporating the science of blocking the latest vulnerability exploits. We have seen great improvements in the ease-of-use of two-factor identification, secure e-mail, encrypted data tunnels, mobile messaging and even physical shipping. However, it requires ongoing vigilance by the entire organization to block the latest exploits while keeping the system easy to use.
Human frailties tend to be the weakest links in our security chain, and issues show up most often when transferring data between organizations. Taking seemingly insignificant shortcuts can add up to big trouble — sending a small data set through unencrypted e-mail; skipping the time-consuming step of encrypting a hard drive; using easy-to-guess passwords; or sharing log-in credentials.
We have a great responsibility for keeping our clients’ data safe and secure. Luckily, the security industry has given us the ability to block the exploits while keeping our systems easy to use. Now it is up to us to combine all aspects of security (people, process and technology) to keep our data safe.