
Using Bring-Your-Own-Device Technology Securely

By Dale Gonzalez
November 29, 2012

Bring-Your-Own-Device (BYOD) programs, which allow employees to use their personally owned smartphones, tablets and laptops in and out of the work environment, are significantly changing information technology (IT). Law firms around the country are embracing BYOD as it lets executives and employees use the mobile devices, service providers and operating platforms of their choice.

IT research analysts predict that by 2013, 80% of businesses will support a workforce using tablets, and by 2014, 90% of organizations will deploy corporate applications on personal devices. See, “Gartner Reveals Top Predictions for IT Organizations and Users for 2011 and Beyond,” Gartner.com, http://gtnr.it/gUFPRk. The benefits of BYOD are clear: BYOD allows employees to be more productive and conduct business activities outside of traditional working hours. But just as there are huge benefits, there are big information security concerns for law firms and their clients.

Considerations

Law firms have become a big target for hackers seeking insider information on their clients. Earlier this year, there were news reports of a Pittsburgh law firm that was hacked by a former employee and a Virginia-based law firm that had its servers wiped clean of client e-mails by the notorious hacker group Anonymous. In January, Bloomberg reported on China-based hackers who hit seven different law firms. The article, “China-Based Hackers Target Law Firms to Get Secret Deal Data” (Jan. 31, 2012) (http://bloom.bg/vZZh0L), quoted one security organization that estimated that 80% of U.S. law firms were hacked last year. Hackers are after personally identifiable and financial information, patents, trade secrets, and details around mergers and acquisitions. BYOD, if not used securely, opens one more window of opportunity for hackers.

Attorney-client privilege is not the only consideration. If your law firm or online client accepts credit cards, it must comply with the Payment Card Industry Data Security Standard (PCI DSS). Organizations that accept credit card payments are responsible for protecting cardholder information and must demonstrate ongoing PCI compliance. If they don't, they could face steep non-compliance fees from the payment card brands (Visa, MasterCard, et al.). Additionally, if your law firm handles healthcare records, it is bound by the Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules, and could be subject to penalties for data security breaches and non-compliance. Law firms and their clients may also be subject to other federal or state regulations regarding information security safeguards, depending upon the state they are in and the states in which they conduct business. The choices you make regarding BYOD can affect your ability to comply with these and other regulations. If your firm or its clients use BYOD or are considering it, they need to know how to implement and deploy it securely, to help protect both the firm and its clients.

Company Computers vs. BYOD

It's hard enough for companies to secure their company-owned computers (servers, desktops, laptops, tablets and mobile phones), networks and devices (printers, PBX phone systems, etc.). It's even more difficult for organizations to secure equipment they don't own and control, especially when that equipment is used outside of the office, where items can be lost or stolen and can release private information if proper security is not in place. When a company issues its own computers, its IT team can actively manage the ways in which they are used. For example, IT can implement security policies that ensure a computer's operating system and software are patched (security flaws are fixed as soon as the device maker and software company release the latest remedies for known security flaws), and that anti-virus software (AV) is up-to-date. IT can also block users from visiting websites known for spreading malware and from downloading applications that have known vulnerabilities or are malicious. However, companies can't control what people do on their own personal computing devices. Many personally owned computers are infected, unbeknownst to their users. If an employee connects his infected device to the company network, the device could infect the network and allow hackers to enter it.

Corporate-Owned Computers

If an employee uses a corporate-owned computer that only connects to the company network inside the office, or outside the office through a virtual private network (VPN), the company-owned computers should be relatively secure, assuming the company follows best security practices. A VPN allows people outside of the office to work on the corporate network the same way they would if they were in the office. From any Internet connection, whether public wireless or a home Internet service provider (ISP), the employee clicks on an icon that has been installed on his or her company computer and inputs security codes to connect to the corporate network. At that point, the employee is tunneled securely into the company network, with access to any files that are available at the office. And because his traffic now passes through the company network, he surfs the Web protected by the firewalls and other security controls the company has in place. Essentially, it's as if he is sitting right inside the office even though he may be thousands of miles away.

What Are Those Security Best Practices?

  • Employees are trained to never click on links or open attachments from unverified sources.
  • IT applies computer patches as soon as they're available and tested as secure.
  • IT has correctly installed and configured firewalls, intrusion detection/prevention systems and anti-virus software.
  • IT monitors the corporate network 24×7 for anomalies in incoming and outgoing traffic.

But what happens when employees use their own devices inside or outside the office to connect to the corporate network?

BYOD

When personally owned computers connect to the company network either inside the office or through a VPN, users bypass security systems that protect the network from outside threats. So if an employee connects her personally owned device that has malware on it to the corporate network, that malware could migrate to the network. This is because network protections are typically configured to focus on preventing access from external computers and pay no attention to the traffic between two computers already inside the network.

Protecting the Corporate Network

Think of your computer network as its own country with a network of roads, and the computers on the network as individual cities. Traffic from one city to another is monitored to some degree but is not closely controlled. On the other hand, stronger security controls are in place at the borders of your country (your network). Border guards generally ensure that visitors with a legitimate interest in passing through your country are permitted to enter and the rest are turned away. In a computer network, the border is guarded by a firewall. When someone outside of your organization connects to your website or corporate e-mail, the request comes to your server wrapped in a package like an envelope. The firewall examines the package and looks at the Internet Protocol (IP) address from which it was sent. If the package is not from a blacklisted source known for being unsafe, the firewall lets it through. Also on the border is the IDS/IPS (intrusion detection system/intrusion prevention system), which examines the contents of the package. If anything inside the package looks suspicious, the IPS blocks it. Once traffic has passed the border crossing, anti-virus software blocks known malware specimens that may have gotten through the firewall and the IDS/IPS. But be advised: you cannot depend solely on AV, because it does not protect as well as the guards at the border.

When connecting to the company network through a VPN, a computer is given a free pass through all the border protections. Neighboring computers (cities) are still protected by their individual anti-virus software but do not benefit from the deeper border controls. With corporate-supplied computers, bypassing the border doesn't pose a significant additional risk, because the connecting computer is maintained in a way that is consistent with the rest of its peers and is equally likely to be safe.

Personally Owned Devices

But personally owned devices are another story. Their owners may not have kept software up-to-date and may not have installed anti-virus software. They may have unknowingly visited websites that have infected links or downloaded applications for personal use that are infected with malware. In the absence of a fully patched environment and updated anti-virus software, computers are easily infected, often within minutes of connecting to the Internet. Once malware infects a user's computer, the malware can spread to anything to which that computer is connected. And, as outlined above, if that device connects to the company network either inside the office or outside of the office via a VPN, that device's malware can slide onto the network, bypassing all of the border security and ultimately allowing a hacker access to company servers that house private data.

As a precaution, a law firm should never allow any of the following:

  • A personally owned computer (mobile phone, laptop, notebook, tablet) or USB stick to connect into a USB port on a company computer or company network cable.
  • A personally owned computer to connect to the firm's wireless network inside or outside the office. An exception can be made when that wireless network is not connected to the corporate network, such as Wi-Fi used solely to provide Internet access.
  • A personally owned computer to connect to the company network through a VPN or any wireless channel.

Remember, the VPN provides a private tunnel to the company network so hackers cannot see traffic that flows from one computer to another. The VPN does not secure the network from malware. Some employees have surreptitiously downloaded software to their personal devices, giving them access to the company's VPN. This should be prohibited.
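To make the border-versus-inside argument concrete, here is an added Python policy model (example code, not from the article) that serves both the "free pass through the border" discussion and the "never allow" list above: it compares a design that treats VPN clients as inside hosts with one that keeps VPN/BYOD clients in their own zone, inspects them like outsiders, and lets them reach only a VDI gateway. All addresses, zone names, the file server and the VDI gateway are constructed assumptions.

```python
"""Zone-based traffic policy model: why a VPN client 'bypasses the border'
and how placing BYOD/VPN clients in their own zone restores inspection.

Added example, not code from the article. Every address, zone and host
below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    suspicious: bool = False  # stands in for an IPS signature match


# Constructed topology (hypothetical RFC 1918 / TEST-NET addresses).
ZONES = {
    "internal": ip_network("10.0.0.0/16"),   # office LAN and servers
    "vpn":      ip_network("10.8.0.0/24"),   # VPN client address pool
    "dmz":      ip_network("10.9.0.0/24"),   # published services
}
BLOCKLIST = {ip_network("203.0.113.0/24")}   # "known unsafe" sources
FILE_SERVER = "10.0.5.10"    # houses private client data
VDI_GATEWAY = "10.9.0.5"     # the only thing a BYOD device should reach


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def border_inspect(pkt: Packet) -> str:
    """The article's border: firewall source check, then IPS content check."""
    if any(ip_address(pkt.src) in net for net in BLOCKLIST):
        return "drop:blocklist"
    if pkt.suspicious:
        return "drop:ips"
    return "allow"


def evaluate(pkt: Packet, vpn_is_trusted: bool) -> str:
    """Verdict for one packet.

    vpn_is_trusted=True  models the weak design the article warns about:
                         a VPN client is treated as an inside host.
    vpn_is_trusted=False models the hardened design: VPN/BYOD clients stay
                         in their own zone, are inspected like outsiders, and
                         may reach only the VDI gateway, never the LAN.
    """
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if vpn_is_trusted and src_zone == "vpn":
        src_zone = "internal"

    if src_zone == "internal":
        # East-west traffic is not inspected: this is the gap malware on a
        # "trusted" device rides through.
        return "allow"
    if src_zone == "vpn":
        verdict = border_inspect(pkt)
        if verdict != "allow":
            return verdict
        return "allow" if pkt.dst == VDI_GATEWAY else "drop:segmentation"
    if src_zone == "external":
        verdict = border_inspect(pkt)
        if verdict != "allow":
            return verdict
        return "allow" if dst_zone == "dmz" else "drop:not-published"
    return "drop:default"


def demo() -> dict:
    """Run the scenarios from the text; returns {label: verdict}."""
    infected = Packet("10.8.0.7", FILE_SERVER, 445, suspicious=True)
    clean = Packet("10.8.0.7", VDI_GATEWAY, 443)
    lan_only = Packet("10.8.0.7", FILE_SERVER, 445)
    outsider = Packet("203.0.113.9", VDI_GATEWAY, 443)
    return {
        "infected vpn client, trusted design": evaluate(infected, True),
        "infected vpn client, segmented design": evaluate(infected, False),
        "clean vpn client to vdi gateway": evaluate(clean, False),
        "clean vpn client straight to file server": evaluate(lan_only, False),
        "blocklisted outsider": evaluate(outsider, True),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:45} -> {verdict}")
```

The first two scenarios are the article's point in miniature: the same infected packet is waved through when the VPN client counts as "inside" and stopped by the IPS check when it does not.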

BYOD Can Work Safely

Despite these cautions, BYOD can work safely. Fortunately, there are systems that can be put into place so that employees can interact with corporate applications and data on their personally owned computers without being directly connected to the company network. One such system is called Virtual Desktop Infrastructure (VDI). When a company deploys VDI, the personally owned device acts as the keyboard, monitor and mouse for a corporate-owned computer. The user runs applications and interacts with data that lives on a company-controlled machine. The corporate server exchanges only mouse, keyboard and screen data with the user's computer, so the server cannot become infected. Another type of system places a containerized virtual “bubble machine,” like a software application, on each employee's personally owned computer. When a lawyer needs to work on a document or office application, she requests the document or company application from the server. The server sends an “instance,” or copy of the document, directly to her containerized bubble, where it is stored so the employee can disconnect from the Internet to work anywhere, such as on a plane, and make changes to the document. Because the bubble is containerized on the computer, it is protected from any malware on the computer. The next time the employee connects to the virtual system, the latest version of the document is uploaded back to the server. If her personally owned device is lost or stolen, or she leaves the firm, the containerized bubble on the employee's computer can be remotely wiped.

Before jumping into any of these systems, it is wise to work with an independent security professional to review all your needs, risks and budget to choose the type of system that suits you, preferably before your firm implements BYOD.

Partnering

It's usually impractical to expect your own organization to manage BYOD. Partnering with a mobile device management (MDM) vendor can help organizations deploy and support the use of mobile devices and corporate applications on mobile devices. Implementing an MDM solution can often be less costly than managing BYOD in-house because MDM outsourcing companies have the knowledge and staff to work with countless types of old and new devices and operating systems. MDMs can manage multiple types of computer systems, password policy enforcement, remote-device wiping, real-time monitoring and configuration settings, and can also address the major requirements for providing users with access to data and applications.

Employer-Employee Agreement

In order to provide security for personally owned devices, organizations may need to have employees download software to their personal computers so they can be enrolled in the device management plan and can access corporate resources. Organizations supporting a BYOD program should have existing employees and new hires sign an Acceptable Use Policy Agreement that applies to the use of both corporate and personal computers. The agreement should outline prohibited actions for BYOD participants: they should be prohibited from interfering with security controls placed on their personal devices or downloading any unauthorized software that gives them access to the company network. The Agreement should also state what corrective actions will be taken should an employee attempt to circumvent the security controls. Additionally, the firm should provide a Privacy Policy that governs what the company can wipe remotely and what types of information, such as company e-mail, it can access.

Security Advice

There are many security rules, regulations and procedures your firm should follow to protect its clients and reputation. And while a few appear below, an independent security consultant can best educate you on the risks and rewards of BYOD and help you develop the best solutions to fit your firm's budget and needs.

  • Provide employees a list of which computers your IT Help Desk can support.
  • Incorporate policies that require strong authentication and encryption solutions.
  • Educate employees so they understand the reasons behind the rules and policies.


Dale Gonzalez is a Product Strategist at Dell SecureWorks (http://www.secureworks.com/), which provides information security services and independent consulting.

