The connection is encrypted, and often, multifactor authentication is used—meaning a password isn't enough to gain access; there has to be another check, as well, such as a token, a physical device that contains a code or biometric data that helps to prove the bona fides of the user. "Anyone who isn't using multifactor authentication for remote access is just asking for trouble," says one CIO.
Fenwick, which uses VMware View to power its virtual desktops, takes things a step further, providing its traveling lawyers with special passwords that provide less than their normal access, but enough to get their job done. "They will click on the VMware View software and get into their email and a segregated section of our network that contains whatever documents they need while they are away," says Kesner. "It will look like their normal desktop, but everything is really happening on the remote server, not their own machine, and nothing is stored or cached locally. We have been told that this is the current state of the art for law firms and even the diplomatic corps."
Carry, observe, and report
Laptops should never leave a lawyer's possession. That means not leaving them in a hotel room—even in the safe—while stepping out. Hotels in China, says an IT security expert at one U.S.–based law firm, often work in concert with the government to install software on an unattended computer. But sometimes it is impossible to keep a laptop in hand. For example, at Chinese airports, it is not uncommon for a customs agent to temporarily take a visitor's laptop into another room. "You don't know what is going on there," says another firm's IT security chief. "The battery might be replaced with something that tracks keystrokes. There have been cases where the hardware has been tampered with."
Lawyers should watch out for incidents in which they are separated from their gear, and report them to the firm's IT department, which may then want to take the equipment out of service. Whatever has been done to that laptop can be hard to detect, notes this expert. "You can take steps in advance, like using tamperproof tape, but that will really raise alarms for whomever is tinkering with the machine," he says. "So we may just get rid of the machine."
Wipe on return
Even if there has been no separation from the user or sign of tampering, the safe play is to erase the entire laptop upon a lawyer's return. That doesn't mean simply wiping data, but also erasing the system's BIOS (the software that boots up a computer and controls its basic functions), which is the only way to get rid of some of the more advanced forms of malware. This adds another level of complexity if the laptop in question is a lawyer's own device, and not a loaner. "Preferably, we erase the machine," says one IT security officer. "But there have been times where a partner wants to hold on to it, and won't let us do that unless we can positively identify malicious traffic."
Take a no-frills cell phone
It is advisable, too, say CIOs and security experts, that lawyers leave their smartphones at home along with their laptops. Instead, a low-frills handset (that is, something that doesn't surf the Web or run apps), devoid of all contact and calendar information, should be taken. It, too, should be clean when entering China and wiped upon return. Fenwick, for example, issues what Kesner calls "very nonsmart phones." The firm also cautions traveling lawyers to be careful about what they talk about, since the phones will be running on local wireless networks. "We've been told by federal agencies that audio calls are regularly recorded and reviewed, and that the process goes even further with smartphones, as data and email can be intercepted," says Kesner.
Change passwords when you get home
Even if a lawyer has never opened a Web browser on their laptop, but simply checked their Facebook and Yahoo accounts from a hotel business center or Internet cafe, they'll want to change their passwords when they return home, in case the machine they used contained a keystroke-logging program.
For firms with offices in China, the challenges—and the solutions—get even more complex. China-based lawyers, after all, won't be returning in a week or two, handing off their loaned laptops and phones for decontamination. They'll be using the equipment for the long run. But firms are devising strategies here, too, including the use of desktop virtualization (to keep data off local machines) and network architectures where China-based lawyers can't access the document management systems back in the United States but use a special China-dedicated DMS (so if there is unauthorized access, damage is minimized).
At least one firm has gone so far as to install a firewall—typically used to keep outsiders from gaining access to a network—between its data center and its own China office. Only certain users, such as a U.S.–based attorney temporarily in China, are allowed through. "We have authentication and access control at the software level through the whole firm, but China is the only place where we have a firewall, another level of protection, to block and monitor traffic, because China is such an obvious threat," says the firm's CIO. "You're almost anticipating an unauthorized person getting in there."
Educate
Finally, there is perhaps the most important strategy of all: Get the word out about the risks and the steps that can mitigate them. Loaner laptops and phones add zero protection if a partner won't take them. Too many lawyers, says one law firm's IT security chief, think a laptop with antivirus software will counter any threat. "Getting by antivirus software is a joke for even moderately advanced hackers," this security chief says. The key is vigilance, and precaution, and at times a little inconvenience. Firms need to explain all this to their lawyers—so their lawyers don't need to explain to their clients how their data was compromised.
Alan Cohen is a freelance writer in New York who covers law firm technology. Email: alanc31@yahoo.com.
This article originally appeared in The American Lawyer.
This article originally appeared in The American Lawyer under the headline “Red Alert.”
Subscribe to The American Lawyer
