Lawyers often reach their work product using data networks. The speed and reliability of those networks can affect their productivity. At the same time, network security can determine whether lawyers keep client information confidential — or not.
Duncan Fraser, the Ottawa-based vice-president and senior legal counsel of e-discovery and information governance consultancy Wortzmans, voices a concern of many knowledge workers when he says: “My interest is in enabling agile, flexible workers and work product while maintaining security and integrity of the network.”
The complexity and continual evolution of modern networks makes attaining this balance between performance and security a never-ending process. Networks within an office can be part of a multi-office wide area network. Tentacles stretch outside a firm’s network to include resources like cloud-based services and disaster recovery backup sites. People use all manner of computers and mobile devices to work on the network, both inside and outside the firewall.
A perfect balance might be unattainable, but law firms can use the tips that follow to bring their networks closer to this balance.
Don’t worry about “bandwidth hogs”: There’s no need to, for instance, prevent streaming of sporting events like the Olympics. Modern data networks tend to be robust enough to handle the load.
Use offsite disaster recovery backup sites: Bennett Jones LLP’s Calgary office lived through events like the 2013 flood and a fire that took out a downtown server farm. Both events knocked many downtown Calgary businesses offline.
With these outages in recent memory, they recently brought a second offsite backup system online, for extra peace of mind. If a failure happens, people go on working without noticing the failure.
Backup servers “must be up and running in full redundancy,” says Lionel Cochey, director of information security governance and risk management for Bennett Jones.
Consider using several tools for one job: Cochey notes that phishing e-mails pose one of the greatest security threats to the firm. That’s why several systems monitor incoming messages for malicious payloads or links. “No one tool stops everything,” he says.
Train staff: Cochey admits network security sophistication isn’t enough. People need to learn why security matters and how to maintain it. “One wrong click in an e-mail and your computer is compromised,” he warns.
Don’t speak too openly about your network: When asked, Fraser did not mention any specific components of his firm’s network. “It’s easy to guess a port number,” he offers as an explanation.
Don’t leave unused ports open: If the firm uninstalls software that used ports on the network, those ports must be closed.
Schedule regular network penetration tests: Have ‘white hat’ hackers look for ways into the network that ‘black hat’ hackers might use.
Review security of cloud-based services: Many law firms use cloud-based services, so their networks consist of both internal resources under their control and “outside-the-firewall” assets they trust other companies to manage. Cochey recommends lawyers carefully read the service level agreements (SLAs) of each provider they use for firm business.
To relieve the burden of remembering various passwords, Kevvie Fowler notes that certain organizations are considering bring- your-own-identity (BYOID) approaches. “They allow people to log in using credentials from another website,” says KPMG Canada’s national cyber response leader. This could be a smart move depending on the controls the third party offers.
Fowler points out that user names and passwords are inherently weak, so he recommends using two-factor authentication: people who access the network use something they have (like a security fob with a code that changes after each login) and something they know (a password).
Access for outsiders: “When we work on review projects, review attorneys connect to a database that is not connected to our client files,” Fraser says.
Use a mobile device management (MDM) system: Network administrators need MDMs to manage mobile devices that can access the network. In extreme cases, administrators can remotely wipe lost or stolen devices to keep firm data from falling into the wrong hands.
Remotely wiping computer storage is trickier, so Cochey recommends lawyers avoid this issue by entirely encrypting their hard disks. “Full-disk encryption doesn’t impede performance like it used to,” he says.
Don’t over-restrict the network: “If knowledge workers are impeded from doing their jobs by technology, they will find a way around the technology that will enable them to do what they’re being paid to do,” Fraser states. “Security needs to be developed based on what people do and not just keeping information safe.
“Information is made safer when people can do their jobs within a secure environment.”
Improve network performance where possible: For instance, remote access to a company’s servers might be slow if people need to sign in to a PC inside the firewall and access the network from there, creating a “two-step” connection.
Talk about your network: Fraser says discussions about network security and performance have moved from side-of- the-desk informality to a regular part of the company’s discussions. Cochey exhorts lawyers to include their IT people in those discussions.
Consider a ‘no-meddling’ policy: Don’t let people modify networks without IT staff ’s knowledge. Doing so could cause problems and necessitate unnecessary hours of troubleshooting.
Learn about network security from the misfortunes of others: Fowler notes that the media do a good job reporting data network breaches. He mentions a blog by Brian Krebs (http://krebsonsecurity.com), noting Krebs “sometimes uncovers breaches before an organization experiences a breach.”
This article originally published by Lawyers Weekly Magazine. To view the print version, click here or here.