Handling rogue access by ex-employees

Elizabeth Millard//November 5, 2014

For law firms, the next big IT threat is likely to hit close to home: ex-employees and former associates who are still accessing a firm’s documents.

A recent survey by cloud IT provider Intermedia and survey firm Osterman Research found that 89 percent of former employees retained access to files, documents, and apps, through the use of online storage application Dropbox as well as email, PayPal, and file-sharing apps.

This is especially problematic for law firms, since this kind of rogue access can lead to legal malpractice, disbarment, and breach of attorney-client privilege. To get an idea of the scope of the issue and what can be done, we spoke with Dennis Dimka, managing director for Uptime Systems, an Eden Prairie-based provider of cloud services that focuses exclusively on the legal industry.

ML: What kind of trends are you seeing in terms of law firms dealing with overall security issues?

DD: We have clients in every state and service only law firms, so we have the unique opportunity to see trends on a national level in the legal industry. What we’re seeing is that firms will call us because they want to move to the cloud, and we’ll ask for their driving factors for that decision. They mention remote access and cost savings, but to our dismay, security isn’t the driving factor, and we feel that it should be. So the major trend we’re seeing is a disconnect between IT decisions and a sense of urgency about security.

ML: Why are the results from the recent study about ex-employees important? Should law firms be concerned about that statistic?

DD: Absolutely. There are all kinds of press about hackers, but ex-employees pose a far greater threat to a law firm’s systems. When Intermedia and Osterman did the study, they just wanted to see how people were sharing files and how many might still have access to business assets even after they left a company. The results are pretty shocking. There’s a huge percentage of people who not only access file-sharing programs, but also they can still get on the company networks. The other important finding in the study is that many people use that access — it’s not just that they have the ability to get in, they actively take advantage of that to reach back into the assets of former employers.

ML: Why is this such a huge and widespread problem?

DD: Many times, a business doesn’t provide a centralized place to store documents, or they lack adequate backup systems. So, an employee might conclude that they need a place to put those files so they can access them remotely. They tend to choose free online storage options like Dropbox or Box. Also, a firm’s systems might be ad hoc, and grown over time. They may not have made the investment yet into a central platform, so employees use file sharing or document storage on their own. And that’s what is leading to this issue.

ML: In addition to creating a central document repository, what else can a firm do for data protection?

DD: One major strategy is to implement a single-sign-on application. That means employees have one password that gets them into all of the company’s assets based on their access levels. It’s like a front gate that sits in front of all the company’s files and applications. When an employee leaves, you simply remove their ability to get through that gate. That can go a long way toward protecting assets.

Also, a firm should have an IT offboarding checklist, so when the employee or associate leaves, you can go through the list, in the same way that you’d get their ID badge or company equipment. They should be able to hand over all their passwords, VPN key fobs, and key files, and be instructed to remove any personal data from company devices, since you should securely wipe their laptops and company-owned smartphones.

Another thing to keep in mind is to run a system audit when employees change departments, and to de-provision access to anything they no longer need in a new role. Employees or associates should only have access to systems and applications that they really need to do their work.

Elizabeth Millard has been writing about technology for nearly 20 years. Her work has appeared in ABA Journal, Law Office Computing, Business 2.0, eWeek, and TechNewsWorld.