Paul is a brilliant, tech-savvy junior partner nearing the end of his 12-hour day. He responds to dozens of emails from a midtown cab, finalizes a settlement agreement at the corner Starbucks, and researches case law on the firm’s largest-ever M&A deal on the train ride home, moving effortlessly from iPhone to tablet to laptop. As he arrives at his stop, his phone rings.
"What is the value of the Jefferson-Stokes acquisition?" the caller asks.
Paul stares down the crowded aisle as the train pulls to a stop.
"Who is this?"
"You’re the partner handling this very confidential matter," the man replies, "Six million?"
"Wait a minute —"
"I’ll call you at home tonight. Enjoy your latte." Click.
Never before have law firms been at a greater risk of exposing confidential information than with today’s mobile devices. Faster than you can say iPhone 5, firms are suddenly supporting hundreds or thousands of mobile devices — up to two and three each for lawyers like Paul. It’s as if our secured network walls are being stormed by an army of wireless device owners demanding access to everything inside. Technology leaders must be ready for this fight — or they risk losing everything.
Mobile device security issues fall into four key categories. One is an accident; the others are criminal.
#1 — Oops!
The most common mobility battle is the accidental loss of a device. If you’re lucky, the user will know right where he or she left the device: the seat back pocket of the airplane, the cab, the hotel room. More often, they’ll have no idea. Whatever your fortune, you must impress upon users the need to report losses immediately so you can attempt to locate the device quickly — then remotely wipe its data. Sounds easy enough, but for each minute that passes, the risk grows. While the ultimate risk here is much less than those described below, the loss of a device occurs far more often.
The other three battles involve criminals — often enterprises — who are after your data. Your security arsenal must be able to combat each of these threats: extortion, espionage and sabotage.
#2 Give Us Your Money!
A writer once asked a literary agent, "What kind of writing pays the most?" Her answer was simple: "Ransom notes." That’s sort of what’s happening in the cybercrime world — sensitive data in the wrong hands is used to extort money.
Confidential attorney-client data is a prime target because it can include anything — documents, emails, voicemails, text messages. Cyberthieves don’t have to find that "one critical document" because of the compliance and ethical responsibility factors for all attorney-client communication. Privileged information, stolen or otherwise recovered by outsiders, can result in losing a client, being sued for negligence, incurring court sanctions — even facing disbarment if an attorney didn’t take reasonable precautions to protect data.
#3 Give Us Your Data!
All the data in your firm might have a "confidential value," but some of it also has a business value. While Paul’s new friend was more interested in extortion, others may just want the information. "Data has become the hacker’s currency," says Security Week. "More data, more money." From competitive information to client lists to secret formulas — there’s often someone who wants to steal your secrets.
How can someone obtain that data? By breaking into your mobile device through a Wi-Fi connection; by having malware on your device steal a password into your corporate network; by stealing the device and accessing the data on it — or the data accessible with automatic logins to your firm’s systems.
#4 Firm, Interrupted
The final cyberbattlefield is where someone, somewhere, for some reason wants to sabotage your systems. We hear about Denial of Service attacks where your network or website is hit with millions of simulated requests that take the automation out of your systems.
Who would do this? And why? Was it something we said? We used to ask these questions about computer viruses. It probably started with juvenile whiz kids in the basement. Today, however, we’re fighting huge, multi-national operations with HR and marketing departments, and thousands of well-paid employees. So while these attacks may appear to be random, they may be targeting your law firm — even a specific case you’re handling.
But we have a firewall, so how do the wrong hands get at the data? Through unsecured public Wi-Fi spots found in coffee houses, restaurants, bars, bookstores, and shopping malls, to name a few. Try enabling Wi-Fi on your phone and walking along a busy downtown street. Dozens of networks will create an electronic web that connects you automatically. Like the public Wi-Fi spot Paul passed somewhere between the coffee shop and the train.
That cool, new app you just downloaded might contain key-logging malware, enabling hackers to steal your passwords used to access the firm network. Or that new smartphone you had "jail-broken" to free you from the limits of your cellular carrier may have just opened up access for everyone else. You may have done a "jail-break," but you also unlocked every door at the prison. Finally, don’t make the mistake of thinking the security controls on your traditional corporate network will keep your mobile devices secure. Those controls can’t help you when an iPad full of emails and documents has just been nabbed outside baggage claim.
If lawyers insist that firm data must reside on a device — anywhere — IT must build a comprehensive management structure to minimize risk. (Note that I didn’t say eliminate risk, because you can’t.)
Here are the more important tasks to get you started:
1. Create a mobile device security policy — Include: What data can users access? Which devices will be supported? What happens when a device is lost? What transfer methods (encrypted email, cloud storage, etc.) are accepted? When you’ve got it all down, get your managing partner to send it out to everyone. This isn’t just another IT security policy; this is about the security of your law firm.
2. Deploy a mobile device management system — Require that all mobile devices that store any firm data be enrolled in the MDM. The MDM system must require strong passwords, prohibit any jail-broken devices, track device location and be able to remotely disable devices (including wiping of data).
3. Prohibit unauthorized cloud storage — Ensure that work product stays protected inside your systems. Tablets make it tempting to edit a document, then send it into the cloud for a client to pick up. But is that document secure? Does it contain protected health information or payment card data? Is it encrypted with password protection? Whatever is happening in that cloud, it’s not likely to be as secure as documents created and stored in your document management system, and sent with your encrypted email systems.
4. Avoid train wrecks: Educate users on the dangers of mobile devices — Paul’s train wreck of a story is just one example of what can happen in the real (mobile) world we live in today. Think about how that world has changed, just in the past couple of years. Keeping up with the technology is one thing, but ensuring that your users are complying with well-designed mobile device security policies and procedures is critical.