Ask the Experts
How Can We Keep Our Law Firm’s Systems Safe in a BYOD World?
Question: We’re all using personal tablets, smartphones and laptops for work, but there’s worry about the threat it poses to our law firm’s IT systems and infrastructure. What can we do to keep firm and client data secure while using our personal technology for work?
Glen R. Boyer: Many firms are moving to the “bring your own device” model. BYOD gives people the flexibility to find and use whatever technology works best for them. However, with that cornucopia of devices comes a cornucopia of potential risks and headaches — not the least of which is how to protect firm and client data from improper distribution or use.
While we expand that envelope of potential risks, firms are also concerned about things like increasing regulatory pressures regarding privacy, required security-breach reporting, client-requested compliance audits and cryptically worded questions on our professional liability insurance applications.
These concerns are considered the opposite of fun by most sane folks in the legal industry. Pondering them at length can cause even the most steely-nerved risk attorneys random panic attacks, complete with the angry banging of an imaginary gavel. Such concern is clearly justified. Penalties can be organizationally fatal — if not in dollars, then in the destruction of your firm’s previously marketable reputation. I’m reminded of the DA whose stolen laptop contained his entire case file — a case you might have heard of — regarding O.J. Simpson. I read how he woke in the middle of the night picturing that data appearing on the Internet for all to see. It didn’t happen — his laptop was recovered unmolested. But he was very lucky.
Because tablets and laptops are available in such variety, there isn’t a one-size-fits-all magic encryption bullet or operating system choice or theft recovery scheme to address these concerns. The safest approach is to understand the following two concepts and take them to heart. If you embrace them, I can almost guarantee you more nightmare-free slumber when (not if) your device suddenly sprouts legs and runs away.
1. First, you need to require that any device accessing firm or client data is password-protected to the best of that device’s ability. Passwords are not foolproof and can be circumvented in most situations, but let’s not make it too easy for the bad guys to wreak havoc. Not only should passwords be required, but they should never, ever be cached or stored in software. Not in web pages or your VPN shortcut or your email log-in or your remote desktop connection.
Take the time to type your password each and every time you plan on accessing data remotely. It is fairly easy to gain administrator access to a local system. If all of your other passwords are stored there, you just gave the thief access to everything, including that picture of you with the lampshade on your head at the Christmas party.
2. Second, don’t keep firm or client data on your device. It’s real simple: If there is nothing there that will later require you to call a client, report a breach, put an identity at risk, get phone calls from the press, have law enforcement knocking on your door or get named in a lawsuit, then you will have nothing to worry about. If you need specific data available offline, make sure you remove it the moment it is not needed. If you absolutely must keep some data with you at all times, keep it on a truly encrypted external device. It should be something very portable that you can carry separate from your laptop or tablet, and it won’t be the end of the world if it is lost or stolen because you also have that data on your secure firm resource.
Think how well you will sleep then.
Glen R. Boyer is Network Administrator for Johnson, Graffe, Keay, Moniz & Wick. He is a lifelong geek with more than 14 years’ professional experience in the high-tech industry. He obtained his A+ in 1999 and went on to complete training for a dozen other Microsoft and Cisco solutions. Previously, Glen served as the IT & Records Manager at Stafford Frey Cooper, where he enjoyed solving challenges related to data security, electronic evidence discovery, technology vendor negotiations and legal records management.
Rick Rusch: There are several easy-to-remember actions you can take when working outside the office. I’ll break them down into two categories: “No Internet” or “Internet.” “No Internet” assumes you aren’t connected either through your phone provider’s data connection or through public Wi-Fi.
1. No Internet access. If you don’t need Internet access, turn off your Wi-Fi and Bluetooth. They drain your battery when they aren’t needed, and turning them off “shuts the door” on outside influences. Have expertly installed and configured anti-virus software on your laptop, such as Kaspersky Anti-Virus. If you are accepting documents or other files, be sure that you know the sender and that you were expecting the files.
2. Internet access. Connecting to the Internet through your phone provider’s data service is slightly safer than via public Wi-Fi. However, anytime you’re connected to the Internet you will want to take these actions. Beware of free Wi-Fi access, but when that’s essential, you must ensure that you have up-to-date anti-virus software for your laptop and that you’ve had an IT professional configure your device’s firewall. Minimize your activities on “the web” by using only those apps or software programs you already have installed. Only download new apps that you’ve cleared through your IT department or another expert. Again, if you aren’t using it, turn off your Bluetooth. This is an easy access point for hackers. Also, rather than using a normal browser, use an app such as Trend Micro’s SafeSurfing. It screens the browser session through Trend Micro’s own security servers to protect against bad websites.
Additionally, all mobile devices that contain work material (email or documents) should be secured with a password or passcode. We’ve all heard the news stories of lost or stolen phones, tablets and laptops with sensitive data on them, and that’s only the government’s devices we’ve read about.
Lastly, ask your IT department to check out anything suspicious before you accept it or click “Okay.” It will take them about a minute to confirm if it is harmless. The alternative could take hours to clean — or worse.
Rick Rusch is the Controller/IT Administrator of Cohen & Malad, LLP in Indianapolis. He also consults on accounting software through his firm, Complete Programmed Accounting, Inc. Rick began his career as an Audit Senior for PwC. His technical and financial leadership has streamlined and improved accuracy in accounting processes and reporting by designing and implementing solution-focused software systems, applications and internal controls. Follow him @RickRuschCPA.
Questions About Management?
Not every law firm has a full-time administrator or professional management to guide them. Send us your questions via email, or use the comment section below, and we’ll pass them on to the experts at the Association of Legal Administrators. Watch for the best ones here in “Ask the Experts.”