Legal professionals love the convenience of accessing the same information they would use in the office, when and where needed. Employees can be more productive, and firms can shift the cost of computing devices to users, which saves money.
But like many technological conveniences, personal devices can be risky. Since law firms are a treasury of confidential client information and data, actors with ill intentions are always finding new and creative ways to get to it. By breaching a personal device, a hacker’s intention is to use it as an ingress point to wreak havoc in your network.
“A simple cyber attack on an employee through an insecure personal device can result in a full-blown data breach,” says James Harrison, Chief Executive Officer of INVISUS, a cyber risk management company and ALA VIP Business Partner. “And along with that comes all the financial and reputational damage that could cost the firm, even small firms, millions of dollars to recover from.” Harrison notes that during the pandemic especially, a significant percentage of data breaches can be traced to attacks on employees working from home with personal devices.
Personal devices are outside the oversight of the firm or IT department, so settings and maintenance for security are often overlooked — which is exactly why law firms should be paying attention. While it’s possible to get more control over personal device security by issuing firm-owned devices to employees, it’s not always feasible.
“The smaller the firm, the more likely they are to allow the use of personal devices for work,” says Harrison. “Not every firm can or should provide corporate-owned devices, such as a cell phone or laptop, for employees who primarily work from home. There are things you can do to mitigate the potential risks.”
7 TIPS FOR A SAFER PERSONAL DEVICE EXPERIENCE
Everyone wants to avoid a ransomware attack or other breaches, so let’s not make it easy to do from a personal device. Here are some simple steps firms can take to mitigate the risks posed by using personal devices for client and firm work, and you can use these steps as a basis for a BYOD policy for your firm.
1. Enable Encryption and Two-Factor Authentication
While locked screens and strong passwords are essential security steps, these measures won’t protect your data if someone gets ahold of your password. If bad actors get just one of your passwords to any account — including commonly used services like DocuSign and Box — it’s possible that they could gain access to your client data. A common best practice is to ensure that files and emails are encrypted on all devices. Even better: Access files and email from the cloud so that confidential information is never stored on a personal device.
In addition, two-factor authentication provides an added level of security: The first factor is a strong password; the second factor is a temporary code generated on or sent to another device, usually a smartphone. This makes it much harder to get into a network with a stolen password alone. By now, most mobile device users are familiar with two-factor authentication, so adoption shouldn’t be a big issue.
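To make the “temporary code” concrete, here is an added illustration (not part of the original article, and not INVISUS or ALA code) of how the time-based one-time codes used by authenticator apps are produced and checked. It implements the standard TOTP algorithm (RFC 6238 over HOTP, RFC 4226) with only the Python standard library; the base32 secret below is the public RFC test key, not a real credential, and the time values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890" in base32); constructed for
# the example, never use a published secret for a real account.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, truncated."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): the HOTP counter is the number of 30-second steps since epoch."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time=None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Check a submitted code against the current step plus `window` steps either side.

    The window tolerates small clock drift between phone and server; keep it small.
    hmac.compare_digest avoids leaking which digits matched via timing.
    """
    t = int(time.time() if at_time is None else at_time)
    counter = t // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + drift, digits), submitted)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 vectors: at T=59 the 8-digit SHA1 code is 94287082.
    print(totp(DEMO_SECRET_B32, at_time=59, digits=8))        # 94287082
    print(totp(DEMO_SECRET_B32, at_time=59))                  # 287082
    print(verify_totp(DEMO_SECRET_B32, "287082", at_time=89)) # True: one step of drift
    print(verify_totp(DEMO_SECRET_B32, "287082", at_time=150))  # False: code expired
    print("current code:", totp(DEMO_SECRET_B32))
```

The point for a BYOD policy is visible in `verify_totp`: a code is only valid for a short window and is bound to a secret that never leaves the enrolled phone, so a password captured from a personal laptop is not enough on its own.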
2. Have a Breach Response Plan
Don’t wait for something to happen and then figure it out as you go — have a plan ready.
“You need a plan to detect and report a breach on personal devices, respond to it quickly and resolve the issues that led to the breach,” says Harrison.
In addition, it’s best to have encrypted, easily restorable backups of all firm data in a secure location. In a ransomware attack, hackers lock your systems and demand a ransom to restore access. By having a handy backup always ready to go, you can skip the ransom payment and go straight to service restoration, minimizing downtime.
3. Keep Work and Family Activity Separate
Many people use personal accounts for work, and vice versa, but this complicates cybersecurity.
“The idea of going home to an insecure environment and using a personal device that may not be safe is riddled with problems,” says Harrison. Firms should be proactive in ensuring an employee’s home office environment is secure. He recommends that personal devices used for work connect through a secure home WiFi router using a separate network and login, so that work traffic always runs over its own segregated network on the router. Another best practice is to connect to firm resources using a virtual private network (VPN).
4. Use Secure Network Connections When on the Go
Mobility is awesome. You can get work done at a cafe or the beach. The downside is that public Wi-Fi access points can be hazardous to your data. Hackers can eavesdrop on unsecured networks or use unsecured connections to distribute malware. However, if you use a VPN or a secure (SSL/TLS-encrypted) connection, you can work safely nearly anywhere.
5. Have a Plan for Lost or Stolen Devices
It happens — smartphones, laptops and other devices get lost or stolen. What happens next? Your written BYOD policy should include the procedure employees should follow in the event of a lost or stolen device, such as a policy for promptly reporting and wiping lost or stolen devices, even after hours.
Among the options is to use a service like Apple’s Find My iPhone or Google’s Find My Device to locate missing devices. If that fails, firms can remotely disable and wipe lost or stolen devices.
6. Keep Devices Updated with Current Software
Hackers love old versions of software and operating systems. Software companies regularly deliver updates to fix bugs and improve performance, but those updates also carry the security fixes for known vulnerabilities. To reduce the number of vulnerabilities in your environment, employees should always keep apps and operating systems up to date with the latest version.
7. Schedule Regular Security Checkups
On a regular basis, personal devices used for work should be checked by the firm to ensure security settings and features comply with firm and client requirements.
HAVE A WRITTEN POLICY
Once you have these tips in place, follow it up with a written BYOD policy. By formalizing established best practices for your firm, you get employees on the same page regarding the safe use of their personal devices.
The policy should outline required minimum security standards, such as who may access specific systems and data through a personal device; answer questions like what data, if any, may be stored on the device; and authorize the firm to wipe personal devices in the event of a cyber emergency. (Harrison recommends prohibiting the storage of any confidential data on a personal device.) In addition, the policy should include a written agreement signed by each employee stating that they’ve read the policy and agree to it.
By taking the steps above to help ensure personal device security, staff can still enjoy the conveniences of their personal devices, while minimizing the risk of exposing firm or client data to the wrong people.