Peer to Peer Magazine

Fall 2015

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/588021

during lunch, working from home before or after work, at a client's site or on vacation. The ability to have a rich work experience from anywhere, with any device, any time is here now, and it's incredible! We can work on documents, have a conference call, collaborate with colleagues and turn around work product from wherever there is connectivity.

PITFALLS

Today's mobile options have also opened up a whole new and challenging world of exposure and vulnerability. Exposure, risk, liability and ethical responsibility must be a part of the conversation as we discuss mobility, and specifically BYOD, with law firm employees.

Navigating these pitfalls requires us not only to know the risks and threats, but also to know the mindset of our workforce. In the absence of the firm providing the means to perform work on the go, people will find their own way. A lawyer at a recent event discussing information governance stated, "I've never been able to sell the DMS as a collaboration tool." This emphasizes that if people are not given the proper tools and procedures for safely accessing and interacting with firm data outside the office, they will bypass firm-sanctioned methods and find other ways to do their work. As stated eloquently in the movie "Jurassic Park," "Life finds a way."

The threat is real. The FBI has indicated many times that law firms are a big target. Mary Galligan, FBI Special Agent in charge of cyber and special operations, put it like this: "The more mobility you have, the more documents you're sending through the Internet, the more likely you are to be the victim of a cyberattack, and that's what we're seeing at law firms." More mobility equals more vulnerability.

Security can't be ignored for the sake of convenience, but people want to work on their own device from wherever they are. This creates a challenge. We've heard of lawyers, away from the office, spending 30 minutes finding and testing different apps in order to open a document, edit it and send it back on their phones. The good news is it's exciting to be able to do this. The bad news is they're removing the firm's data from secure systems and exposing the data to vulnerability and breach.

Threats to mobility include some cleverly named threats like evil twin hotspots, man-in-the-middle attacks, juice jacking, phishing/spear phishing attacks, ransomware, etc. A simple search will provide definitions for these and other attack vectors. We have to be mindful of the increased exposure to risk that mobility and BYOD bring to law firm personnel.

POLICIES

Your policies must bring mobility, security and ethical responsibilities together, while maintaining productivity. The policy establishes the firm's stance on the controls that ensure threats (data loss or unintentional disclosure) are appropriately mitigated through an established firmwide process. This should be a standard for everyone who will have access to your firm's sensitive information. The goal is not just compliance, but rather an increase in people's understanding that this is the right thing to do. Your policy should set precedents on who has access, how you allow access and what personal devices are allowed (or not allowed).

Here are a few recommended items for your BYOD policy, including some best practices commonly missed:

Establish a designated process/person(s) that approves, sets up and documents the access to firm information on each personal device. If you don't have internal applications that can limit that type of access, consider moving to one. Mobile device management (MDM) can play a key role.

TIP: Focusing on the mitigating controls and methods of securing/wiping the data is more important than the name of the application.

Do a risk analysis to see what information devices are accessing and what is (or should be) firm-sanctioned.

Include language in the BYOD policy for IMMEDIATE reporting of lost or stolen devices.

Include BYOD in your Acceptable Use Policy, and specifically inform employees that the firm will wipe their phone when they leave or if the device is lost or stolen. If you can separate personal and firm data, that

About the Author

Nik Prosser is an industry educator on information security and regulatory guidance. He advises clients in the legal, financial, health care and corporate arenas in risk identification and in creating effective and proactive security programs. Nik's background includes IT audits, risk management, social engineering, vendor management and disaster recovery. In addition to strategic consulting, Nik is a frequent presenter at industry conferences. Contact him at nprosser@travelingcoaches.com.

Let me make this simple. I want to work ALL THE TIME! My work-life balance is not your issue. Make it happen.
