Your Document Management System Is a Goldmine for Hackers
Your document management system contains everything: client contracts, litigation documents, corporate filings, financial records, personal information, privileged communications. For a hacker, compromising your DMS is like breaking into a vault filled with every valuable thing your firm has ever touched.
Whether you use NetDocuments, iManage, Worldox, SharePoint, or even a structured folder system on a server, your DMS security deserves focused attention.
Common DMS Security Failures
Everyone Can See Everything
The most common failure: no matter-level access controls. Every attorney and paralegal can access every client's files. An associate working on real estate closings can view files from a high-profile litigation matter. A compromised account exposes the entire document library.
Fix: Implement matter-based security. Users should only access matters they're assigned to. Most DMS platforms support this natively. Configure it.
No MFA on DMS Access
Your DMS is accessible remotely (it has to be for attorneys working from home, court, or client sites). If remote access is protected only by a password, a credential stuffing attack can give an attacker access to your entire document library.
Fix: MFA on all DMS access, especially remote access. NetDocuments and iManage both support MFA. Enable it.
Uncontrolled Sharing
Documents get shared via email attachments, personal cloud storage, USB drives, or public share links. Once a document leaves the DMS, you lose control and visibility: there is no audit trail and no way to revoke access.
Fix: Use the DMS's built-in sharing features. Share links instead of copies. Set expiration dates. Require authentication for access. Train attorneys to share through the DMS, not around it.
No Ethical Walls
When your firm represents clients with conflicting interests, ethical walls (information barriers) must prevent personnel working on one matter from accessing the other. Many firms implement ethical walls through verbal instructions rather than technical controls.
Fix: Configure technical ethical walls in your DMS. Block access at the system level, not the honor system level. Document the wall's implementation for compliance purposes.
DMS Security Checklist
- MFA enabled for all users
- Matter-level access controls configured and enforced
- Ethical walls implemented technically (not just verbally)
- Audit logging enabled and reviewed monthly
- External sharing controlled through DMS features (not email attachments)
- User access reviewed when staff join, leave, or change roles
- DMS backup included in your disaster recovery plan
- Encryption enabled for data at rest and in transit
- Mobile device access secured (MDM or DMS app with PIN)
- Admin accounts limited and separately authenticated
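Matter-level access, technical ethical walls, and the monthly audit log review can be checked together. The script below is an added example, not code from the original article or from any DMS vendor; the assignment table, the wall definition and the audit log line format are constructed placeholders, and a real review would read the export from your own platform.

```python
import re

# Constructed sample data: matter assignments, an ethical wall, and audit lines
# (illustrative only; the log format is hypothetical, not any vendor's).
ASSIGNMENTS = {
    "jdoe": {"M-1001", "M-1002"},
    "asmith": {"M-2001"},
    "plee": {"M-1001", "M-2001", "M-3001"},  # misassigned across a wall
}
# Each wall is a pair of matters whose teams must stay separated.
ETHICAL_WALLS = [("M-1001", "M-2001")]

AUDIT_LOG = """\
2024-03-04T09:12:01Z user=jdoe action=view matter=M-1001 doc=contract.docx
2024-03-04T09:15:22Z user=jdoe action=view matter=M-2001 doc=complaint.pdf
2024-03-04T10:01:45Z user=asmith action=download matter=M-2001 doc=complaint.pdf
2024-03-04T10:05:10Z user=plee action=view matter=M-2001 doc=memo.docx
2024-03-04T11:30:00Z user=asmith action=view matter=M-1001 doc=contract.docx
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) matter=(\S+) doc=(\S+)$")

def walled_matters(matter):
    """Return the matters on the other side of any wall from `matter`."""
    return {b if a == matter else a for a, b in ETHICAL_WALLS if matter in (a, b)}

def check_access(user, matter, assignments=ASSIGNMENTS):
    """Return None if access is allowed, otherwise the reason it is not."""
    assigned = assignments.get(user, set())
    if matter not in assigned:
        return "not assigned to matter"
    # Even an assigned user must not sit on both sides of a wall.
    crossed = assigned & walled_matters(matter)
    if crossed:
        return f"ethical wall: also assigned to {sorted(crossed)}"
    return None

def review_audit_log(log_text, assignments=ASSIGNMENTS):
    """Parse audit lines and return violations as (timestamp, user, matter, reason)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown format; a real review would flag these too
        ts, user, _action, matter, _doc = m.groups()
        reason = check_access(user, matter, assignments)
        if reason:
            findings.append((ts, user, matter, reason))
    return findings
```

Run against the constructed log, the review flags two users reaching matters they were never assigned and one assignment that straddles the wall, which is a configuration error to fix rather than a user to blame.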
Your DMS is your firm's institutional memory. An attacker with access to it has access to everything your firm has ever known. Protect it like the goldmine it is.