The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/7599
www.iltanet.org 48 Peer to Peer If a firm doesn't take precautions, simple lapses in security can happen. As Craig Ball notes, "When I'm working late at these firms, I'm amazed by how many lawyers leave their doors open and their systems logged in." Malicious Marauders Some of the newer viruses are easy to get and difficult to remove. One of the more aggressive ones that we've seen with clients is Antivirus Live, which looks just like antivirus software. Once you click Perform Scan, your computer becomes infected via Trojans, and it will load every time your Windows operating system starts. Make sure to educate your staff about this virus because even the professionals have a difficult time removing it. Remind them not to click any unfamiliar button or run any unknown program or virus scanning software. There's an Outlook Web Access look-alike virus, too. The security company M86 Security identifies this at http://www.m86security.com/labs/i/ Don-t-Update-Your-Email-Settings,trace.1215~.asp. It's not enough to stay up-to-date on virus protection, but it helps, and is well worth the effort. You should also keep current on information from industry experts. Visit websites such as United States Emergency Computer Readiness Team http://www. us-cert.gov/cas/tips/, and communicate regularly with the entire IT staff so they can make firm personnel aware of any real threats. The Artful Lodger Once while staying in a Chicago hotel, I ventured into the hotel's business center to print handouts for a meeting. I did a double take when I saw some files that had been saved on the computer desktop. They were titled FirstNameLastNamePassport, FirstNameLastNameVisa, and FirstNameLastNameBirthCertificate. The files were scanned copies of all these documents, and, as you can imagine, if they were to fall into the wrong hands, could have exposed the person to identity theft. I notified the manager of the hotel, and he told me that this happened all the time. He said he would get legal documents, medical records and all types of files he'd rather not see. This particular set of files did not belong to a guest of the hotel, and he could only surmise that it belonged to someone who was representing this person. Fortunately for this individual, the files were destroyed and no harm was done. This goes to show, however, that when traveling, certain protocol needs to be followed when working on, as well as disposing of, documents. Files should never be saved locally to a computer that is not secured. The Biggest Loser Careless people may be the biggest security threat that organizations face today. They don't intentionally set up themselves and/or their firms to be vulnerable, and they always think that a security breach won't happen to them –– until it actually does. Steve Fletcher, CIO at Parker Poe, says, "Security is about people, not technology. It's about people who leave laptops in airports or rental cars; people who can't be bothered with passwords on PDAs; people who refuse to make regular password changes unless they are forced; people who connect (or try to connect) personal devices to office networks after hours or on weekends; people who use their kid's highly unsecure home PC to draft confidential client info or work product; people who don't look carefully at an e-mail recipient's address or carelessly reply to all; people who leave confidential work product all over the office, in conference rooms, etc. While it's true that we have to deal with cybercrime, hacking, etc., from a network ops standpoint, many of the entry points of our systems result from those items mentioned above." Craig Ball agrees and adds, "People are the weakest link in any effort designed to secure information. It's especially easy to prey on their egos and insecurities through what's called 'social engineering.' I bet you could gain access to almost any law firm's network by leaving a thumb drive holding malware and labeled 'Payroll' on the bathroom floor. You might have to do it a few times to succeed, but you can bet someone will ultimately pick it up and pop it into a machine. If it holds self-executing spyware, forget the firewall; it's already inside and tunneling through the system sending secrets who-knows-where." what's a Firm To Do? What are some of the things you can do to address security concerns? If you are going to be contemplating cloud computing and other such endeavors, you cannot just take the word of consultants. Know the tough questions to ask and when to challenge their answers. Set an internal policy that is right for your firm, and see that it is passed to the attorney and staff population throughout the organization. Make sure virus protection is in place and kept up to date. Maintain firm software and updates. Determine what the firm policy will be for social networking and then create and distribute the policy. Train your trainers and support staff on security issues. Training should not be just for networking and administrative staff, but for your entire team. Finally, you can't be successful if you just look at security matters every five years; this has to be an ongoing process. If you audit your practices regularly, you will be more successful, better prepared and less vulnerable. ILTA Donna Payne is cEo of PayneGroup. she was the recipient of the first ever consultant of the year award given by Law Technology News, and the lex Proficio award for lifetime service advancement of legal software and publishing. she is a frequent speaker at legal and technical conferences worldwide and has spoken to congressional committees, the senate, and at international judicial conferences on the subject of metadata and preventing accidental disclosure. Donna writes the test Drive column for Law Technology News. she can be reached at donnapayne@payneconsulting.com or twitter @Donna_Payne.