Protection begins with assessment of access

Law firms handle plenty of sensitive information, both their own and that of their clients. A client’s competitor and opponents in a lawsuit are just two parties who may want to steal that information. “Security matters because it is not a theoretical risk,” says Martin Felsky, a lawyer and partner with Harrington LLP in Toronto.

If a firm has an information technology department, it may already have a handle on security. If not, the first step toward better security is a threat and risk assessment (TRA).

Felsky insists this is not a “boilerplate” exercise. “Threats can differ depending on the types of law you practice, the types of clients you serve,” he explains.

At minimum, firms need to secure all work devices with passwords and protect them from malware. Mobile devices can be encrypted and can also be configured to erase themselves after a certain number of unsuccessful login attempts, a simple way to thwart thieves trying to guess passwords.

Malware comes from places people already know about, like e-mail links and Word documents, as well as places previously thought safe. In the past, people PDFed documents, in part to keep from transmitting malware. Today’s “reality is that PDF documents can become infected just like any other file can,” says Michael Legary, chief strategy officer for Winnipeg-based information assurance integrator Seccuris Inc., who advises firms to differentiate between files generated internally and those from an external source.
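One way to act on Legary's advice to treat external files differently from internal ones is a triage step that inspects incoming PDFs for active-content markers before anyone opens them. The script below is an added example, not code from the article or from Seccuris; the token list uses real PDF name tokens, but the descriptions, the verdict policy and the sample files are assumptions constructed for this illustration. It also handles the common evasion of hex-escaping names (`/J#61vaScript`) and flags object streams, whose compressed contents a raw scan cannot see.

```python
"""Triage check for active content in incoming PDF files.

Added example, not code from the article or from Seccuris: scans a PDF's raw
bytes for name tokens that mark active or embedded content, then applies an
assumed policy that treats externally sourced files more strictly than files
the firm generated itself. A hit is not proof of infection; it marks the file
for sandboxed viewing or manual review.
"""
import re

# Real PDF name tokens associated with active or embedded content.
# (The descriptions and the policy below are assumptions for this example.)
RISKY_TOKENS = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "rich media (e.g. Flash) content",
    b"/ObjStm": "object streams: compressed objects this scan cannot see into",
}

def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names, so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_tokens(data: bytes) -> dict:
    """Count each risky token, anchored so that /JSX does not count as /JS."""
    counts = {}
    for token in RISKY_TOKENS:
        pattern = re.escape(token) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, data))
        if n:
            counts[token.decode()] = n
    return counts

def triage_pdf(data: bytes, external: bool) -> dict:
    """Classify one PDF. external=True means it arrived from outside the firm.

    Assumed policy: anything that is not a PDF, or that can launch a program,
    is blocked; external files with any active content go to a sandboxed viewer;
    internal files with active content are reviewed; everything else is allowed.
    """
    if not data.startswith(b"%PDF-"):
        return {"verdict": "block", "reason": "missing PDF header", "tokens": {}}
    tokens = count_tokens(normalize_names(data))
    if "/Launch" in tokens:
        verdict, reason = "block", RISKY_TOKENS[b"/Launch"]
    elif tokens and external:
        verdict, reason = "sandbox", "active or hidden content in an external file"
    elif tokens:
        verdict, reason = "review", "active or hidden content in an internal file"
    else:
        verdict, reason = "allow", "no active content markers found"
    return {"verdict": verdict, "reason": reason, "tokens": tokens}

# Constructed sample files (not real malware): a plain document, one with an
# open-action script whose name is hex-obfuscated, and one with a Launch action.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
SCRIPT_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
              b"3 0 obj\n<< /S /J#61vaScript /JS (sample-script) >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
LAUNCH_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /Launch "
              b"/F (external-program) >> >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    cases = [("clean", CLEAN_PDF, True), ("script", SCRIPT_PDF, True),
             ("script", SCRIPT_PDF, False), ("launch", LAUNCH_PDF, False),
             ("not-a-pdf", b"MZ\x90\x00", True)]
    for name, data, external in cases:
        result = triage_pdf(data, external)
        source = "external" if external else "internal"
        print(f"{name:10s} {source:8s} -> {result['verdict']:8s} "
              f"{result['reason']}; tokens={result['tokens']}")
```

The scan is deliberately conservative: a file that merely contains object streams is sent to the sandbox when it comes from outside, because the interesting dictionaries may be inside the compressed stream where a byte scan cannot see them. Treat the verdict as a routing decision (open in an isolated viewer, hand to a reviewer), not as a clean bill of health.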

Despite news headlines that document the nefarious deeds of Chinese hackers, most Canadian law firms need to look much closer to home for issues that are likely to cause them grief. They’re far more likely to suffer data breaches from physical theft of devices, accidental loss of devices or unauthorized access to devices, according to Jack Newton, president and CEO of Vancouver-based cloud practice management system vendor Themis Solutions Inc.

Loss of a device should not mean loss of the data on that device. “Encrypt any drive that has any remotely sensitive data,” Newton urges. He notes that today’s operating system-based encryption tools make phones, USB memory keys, PC and server hard disks and other storage devices unreadable without the right password.

Many lawyers won’t like what Newton has to say next: “Law firms should outright ban USB keys, or at least keep them encrypted.” Their small size makes them easy to lose or steal, he argues, adding that portable hard drives are equally vulnerable.

Indeed, today’s highly portable data storage devices can easily be stolen if an office isn’t secured against unauthorized visitors. Law firms can deter incursions by requiring ID badges, setting up offices so all visitors must pass by reception, and even physically separating offices from meeting rooms.

Lawyers who travel outside of Canada should take “bare” computers (that contain no data) that allow them to establish a secure connection back to the office using tools like Windows Remote Desktop. All data stays on secure servers and, should a computer be lost or confiscated by a country’s border services, no data is compromised.

When faced with the task of securing all sorts of endpoint devices, from PCs to laptops to tablets to phones, IT pros may long for the days of dumb terminals accessing mainframes. The terminals did not store data, so if you secured the servers, you secured your data.

To a degree, cloud computing services replicate this centralized model in which tablets and smartphones act like dumb terminals. Even though devices do, in some instances, store information, the right cloud service can improve a firm’s data security.

Legary red-flags firms that use “consumer-grade” cloud offerings like DropBox to share documents between the office and mobile devices, and in some instances, with clients. “Will you be notified of third-party access?” he wonders. Law enforcement, for instance, may demand files, “but what we’re finding right now is that administrators of online services sometimes need to inspect files manually. Nobody is being notified of this.”

As businesses tighten up physical and digital security, hackers turn to social engineering, the “scamming” of employee user names and passwords. All it takes is a call to an assistant from somebody purporting to be a partner saying, “Hi, I forgot my password. Please tell me what it is.” Attacks can also come via links in e-mails. Firms need to train all staff to recognize and deal with social engineering attacks. (If you want to understand how easy this can be to pull off, read Kevin Mitnick’s hacker memoir Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker.)

Firms seeking to better their security can use various sets of standards. If clients adhere to a standard, they “must state what level of information security they’re looking for,” Felsky says. “Have a client send you its security standards as a checklist. These checklist requirements then get targeted to contractual provisions in a retainer agreement.”

Standards specific to the legal industry include the Canadian Judicial Council’s Blueprint for the Security of Judicial Information, which Felsky has been involved with since inception and through several drafts.

The Barreau du Québec offers a checklist and tips in the French-only (for now) Guide des technologies de l’information pour l’avocat et son équipe (guideti.barreau.qc.ca). Another resource to check out is the 2011 Guidelines for Legal Professionals, published by the International Legal Technical Standards Organization (iltso.org).

International standards, such as ISO 27001 and 27002, offer high-level policy statements and specific policy implementation methods.

“Law firms need to adopt a standard and work hard towards complying with that standard. That shows due diligence,” says Felsky.

For all this, he warns against turning a firm into Fort Knox. “If you lock things down too tight, people go around the system and security is even worse.”

This article was originally published in Lawyers Weekly Magazine.
