By Tom Lambotte from GlobalMac IT
Last time, we discussed the benefits of attorneys and their staff embracing a BYOD strategy: using their home computers for work, or perhaps their work laptops for personal use. This time we will dig into the biggest security risks that this can introduce and some tips on how to address them. Given that we only support Mac-based law firms, this article will be Apple-centric, but the same concerns apply if you are on Windows machines, although the specific tools will vary. The 3 biggest concerns we will address are the proper legal documents to have in place, full disk encryption, and securing your backups. This is in no way comprehensive, but these are some big ones.
Who needs this document in place? Anyone allowing firm data to be accessed by any type of mobile device - phones, tablets, and yes, laptops as well. If you'd like a template to start with, shoot me an email at email@example.com and I'll send you one to use as a soup-starter. Not doing your due diligence here greatly threatens the attorney-client privilege and legitimately jeopardizes your firm (legally and otherwise).
Next on this list is using full disk encryption. Why is this necessary? Unlike a standard password-protected computer, which leaves the contents of a hard drive accessible to anyone with the patience to remove the drive, FileVault encrypts the entire contents of a device at disk level, rendering it impossible for anyone without the login password to access the data on the computer. To be clear, just because you have a password on your laptop does NOT mean the data is secure if you do not have this enabled. Anyone could open your computer, remove the drive, plug it into another computer and have FULL ACCESS to everything on there.
Apple has gone as far as making this the default setting when setting up a new Mac, as of 10.10 Yosemite. Ticked by default are two boxes, “Turn on FileVault disk encryption” and “Allow my iCloud account to unlock my disk”. That means that unless the user actively declines the offer, their hard drive will be encrypted. To check this status, go to System Preferences > Security & Privacy > FileVault. You'll see here whether it has been enabled or not. If not, enable it and make sure to store the recovery key where you won't lose it, preferably in a password manager like 1Password by AgileBits.
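The same check can be done from Terminal with Apple's `fdesetup status` command, which is handy when you need to verify several BYOD machines instead of clicking through System Preferences on each one. The script below is an added example, not part of the original article: the function names, the machine names and the sample inventory are constructed for illustration, and the status strings it matches ("FileVault is On.", "FileVault is Off.", and the in-progress lines) are assumed to be what `fdesetup status` prints.

```shell
#!/bin/sh
# Added example: classify the text printed by `fdesetup status` on a Mac.
# The matched strings are assumptions about that command's output.

classify_filevault() {
    # $1 = captured output of `fdesetup status`
    case "$1" in
        *"Decryption in progress"*) echo "noncompliant" ;;  # being turned off
        *"FileVault is Off"*)       echo "noncompliant" ;;
        *"Encryption in progress"*) echo "encrypting" ;;    # not fully protected yet
        *"FileVault is On"*)        echo "compliant" ;;
        *)                          echo "unknown" ;;       # no answer collected
    esac
}

# Constructed sample inventory, one machine per line: "name|status output"
# (multi-line status output flattened onto one line).
SAMPLE_INVENTORY='partner-mbp|FileVault is On.
paralegal-imac|FileVault is Off.
associate-mba|FileVault is On. Encryption in progress: Percent completed = 42
home-mini|'

audit_inventory() {
    # Reads "name|status" lines on stdin and prints only the machines
    # that are not fully encrypted, so the list is what needs follow-up.
    while IFS='|' read -r name status; do
        [ -n "$name" ] || continue
        result=$(classify_filevault "$status")
        [ "$result" = "compliant" ] || echo "$name: $result"
    done
}

# Report on the constructed sample.
printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory

# On a Mac, check the local machine with:
#   classify_filevault "$(fdesetup status)"
```

A machine that reports "unknown" should be treated the same as one that reports "noncompliant" until someone has looked at it.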
The third and final concern is the security of your backups, something not often discussed. As with full disk encryption, many home users will have a local backup hard drive that they use. Many Mac users utilize Time Machine due to its simplicity. Many others like making a bootable clone, which is a bit by bit copy of the entire hard drive. The same issue we just discussed applies here and can threaten your law firm. If you have firm data on your computer, go home and back it up, and that backup drive gets into the wrong hands, you've got a serious security issue. You are responsible for finding out how people in your firm may be backing up their computers at home and whether it is being done securely.
Just like FileVault on the Mac, Apple has added the ability to encrypt the entire Time Machine backup. Go to System Preferences > Time Machine > Select Backup Disk. In that window is a checkbox, "Encrypt Backups." For the clone there are a few more steps. Carbon Copy Cloner is one of the most popular cloning applications and our preferred tool. The full instructions for enabling encryption on the backup volume for the clone can be found here: https://bombich.com/kb/ccc4/working-filevault-encryption.
I hope this has raised a few security concerns you may not have considered and, most importantly, provided you with some action steps you can take to improve the security in your firm and to ensure you are doing your due diligence in protecting the attorney-client privilege.
About the Author: GlobalMac IT was founded by Tom Lambotte – renowned nationwide as an author, speaker, trusted IT advisor, and cutting-edge, successful provider of the #1 complete end-to-end IT solution for Mac-Based Law Firms in the world. Private firms from throughout North America – and as far reaching as American Samoa – running with a staff of 5-50 have relied on his expertise to help them put their IT headaches behind them once and for all. Using his real-world experience, where results rule and dollars can't be wasted on negligent computer consultants, he wanted to help managing partners and office managers of Mac-based law firms put an end to wasting their time and money on IT support that does not work and rescue them from the frustration. Our unique “TotalCare” approach integrates classic IT support with proven proactive support that truly converts IT from something to be dealt with into a tool that truly increases law firm profits, increases staff productivity, and provides peace of mind that firm and client data is secure and that their security is never at risk.