Bring It On
Transcription
Bring It On
legal management VoLume 32 The magazine of The associaTion of LegaL adminisTraTors 40 BYOD SeCURItY anD SUPPORt training, policy and tools for law firms navigating new tech management models June 2013 number 4 • OM 40 W W W. A L A N E T. O R G BRING IT ON EIGHT TIPS FOR TACKLING BYOD SECURITY AND SUPPORT BY MARY K ATE SHERIDAN When it comes to modern technology, employees may no longer be asking what your firm can give them but rather what they can contribute. Welcome to consumerization and the Bring Your Own Device (BYOD) movement. With newer, faster, more innovative gadgets constantly emerging – and no doubt luring your attorneys and staff with their bells and whistles – your firm is hardly immune from this phenomenon. In fact, according to the International Legal Technology Association’s 2012 Technology Survey – which polled 487 small, mid-sized and large law firms – attorneys at more than 40 percent of the responding firms are buying their own devices. BYOD is more than a passing fad within the legal industry, with law firms themselves anticipating its significant future impact. More than a quarter of respondents in ILTA’s 2012 Legal Technology Survey believe that BYOD/ Consumerization/Mobile Devices “will create significant change or be a major factor in the legal technology profession” during the next three to five years. LEGAL MANAGEMENT J U N E 2 0 13 41 Natalie Lambert, Director of Product Marketing, Citrix Systems “Enterprise mobility management is all about being able to secure and manage the mobile device, the mobile applications and the mobile data and [being] able to do this in a way in which you can ensure ... the flexibility of users to access all of this content.” Adopting BYOD isn’t as simple as turning over the mobile-technology reins to employees, though. Firms must consider how BYOD affects critical issues like client confidentiality, privilege, records management and general security – a challenging task given that the practice is still evolving. As your firm ventures into the BYOD world, consider the following tips for developing your security and support strategies. 1. ESTABLISH A POLICY. Allowing attorneys and staff to use their own smart phones, tablets, laptops and other devices may seem like a technology “Wild West.” That’s precisely why firms offering BYOD should create a formal policy. “It’s very important to have a BYOD policy,” said Silas McCullough, mindSHIFT Technologies General Manager, Legal Professional Services. McCullough suggests that firms include five key points in a BYOD policy: 1. device security; 2. device support; 3. who controls the device; 4. which applications are permissible; and 5. data backup. A clear policy will give users an understanding of their responsibilities and potential consequences if things go awry with the device, as well as delineate the firm’s expectations and the level of support it will offer. Even if your firm eschews BYOD as a formal program, you should still address use of personal devices in the firm policies, said Kathryn Ossian, Principal at Miller Canfield. The firm doesn’t want to be unprepared if a defiant employee uses a personal device for firm matters. When creating its BYOD policy, a firm should consult with legal counsel to ensure that its BYOD standards and procedures (including all of the areas discussed below) comply with the law and properly protect employee privacy. 2. PROVIDE BYOD TRAINING. Thorough training is essential for ensuring that attorneys and staff understand the firm’s policy and why 42 W W W. A L A N E T. O R G responsible use of the devices is critical. Firms should offer in-person training or some type of virtual session and provide users with an agreement, “so that everyone understands what the rules are and what the policy requires and they’re not going to be surprised then when something happens,” said Ossian. Central to any training or intranet materials should be proper security habits and safe computing, said Shane Swacus, Manager at HBR Consulting. Swacus recommends that firms train users on the importance of applying password protection, securing devices correctly and not using software that isn’t firm approved. Explaining the significance of such measures and how missteps may compromise security can encourage users to think more deeply about their technological actions. 3. EMBRACE ENTERPRISE MOBILITY MANAGEMENT. Securing and supporting various types, brands and styles of devices is a daunting task, especially when such devices are controlled by the users, not the firm. One set of tools that allows firms to balance firm security and support with users’ personal experience is enterprise mobility management (EMM). EMM encompasses mobile device management (MDM), mobile application management (MAM), and enterprise file synchronization and sharing (EFSS). “Enterprise mobility management is all about being able to secure and manage the mobile device, the mobile applications and the mobile data and [being] able to do this in a way in which you can ensure ... the flexibility of users to access all of this content,” said Natalie Lambert, Director of Product Marketing, Citrix Systems. • M obile Device Management MDM provides firms with the capability to secure the device itself. “At the end of the day, MDM is there to provide a security line to any device,” said Lambert. “It gives the administrators the ability to manage and control all of the different devices and how they act Silas McCullough, mindSHIFT Technologies General Manager, Legal Professional Services “You have to think about this as a close partnership between the person using the device and the firm itself. Be clear and say, ‘If you lose the device, these are the steps you should take.’” when they connect to corporate resources.” Among the security measures possible through MDM are: • Remotely wiping the device • Detecting jailbroken devices and restricting their access • Restricting access to devices that lack the required antivirus protection • Enabling data encryption • Gaining visibility of the devices connecting. “A good BYOD policy and, in my opinion, a strong MDM platform go hand-in-hand,” said Swacus. “It’s a lot of work up front [and] a lot of money up front, but the benefits far outweigh that.” • Mobile Application Management Firms shouldn’t focus solely on protecting the physical device, however; they should also strive to safeguard firm content by managing the applications on the device. Lambert advises against blanket prohibitions on applications. Instead, firms can use MAM to concentrate on the applications used for firm data, while users maintain control over their personal applications. One MAM tool, known as “wrapping,” allows firms to put an application in a container and assign rules to it, said Lambert. For example, firms can designate how applications interact or can require data encryption within a specific application. Users will complete work-related tasks through these firm-controlled applications but will also have personal-use applications without such controls. • Enterprise File Synchronization and Sharing The final piece of an EMM strategy is to manage firm data on a device through EFSS. With an EFSS tool, firms can control how users access and share firm-related data and also can manage storage of such data. WHEN BYOD IS TOO PERSONAL While some of your attorneys and staff may be clamoring for the latest technology and pushing to use their own high-tech devices, others may be satisfied with any functional device. In fact, some may prefer to segregate their work and personal technology. Or some employees may not be comfortable exposing their personal devices to the firm’s security and support measures, even if those measures are executed through EMM. Firms that adopt a BYOD practice may still want to offer firm-owned devices to those employees who prefer not to use personal devices for firm matters. LEGAL MANAGEMENT J U N E 2 0 13 43 Shane Swacus, Manager, HBR Consulting “A good BYOD policy and, in my opinion, a strong MDM platform go hand-in-hand. It’s a lot of work up front [and] a lot of money up front, but the benefits far outweigh that.” • Beware of Sidesteppers While firms can limit how firm content is sent, used and stored on the device through EMM, firms must also prepare for employees who circumvent the system (e.g. an employee who sends a firm document to his or her personal email and then uses personal applications to complete work). Even with a well-developed EMM strategy, the firm’s BYOD policy and training remain critical in educating users on the importance of security and their actions. 4. SET SECURITY STANDARDS. Whatever services and methods the firm employs to secure and support personal devices, it should establish basic security standards to protect confidential firm data and the firm’s network. Some of the security measures that McCullough and Swacus suggest include: • Requiring passwords on all devices • Implementing two-factor verification on the devices, with a pin and a rotating token • Encryption • Ensuring the device can be remotely locked and wiped • Identifying which applications are permitted for workrelated tasks. 5. P REPARE FOR MISSING DEVICES. One downside of portability is that devices may be easily lost or stolen. Firms should outline the procedure for missing devices in the BYOD policy and training. “You have to think about this as a close partnership between the person using the device and the firm itself,” said McCullough. “Be clear and say, ‘If you lose the device, these are the steps you should take.’” And when it comes to lost or stolen devices, the first step that firms should require is notification, said Ossian. Once notified, firms may decide to wipe or lock the device. Firms using EMM may have the ability to wipe only the firm-specific data. But wiping the device can be 44 W W W. A L A N E T. O R G a delicate matter if the firm decides to wipe everything, including the user’s personal data. “This is definitely one of those grey areas that firms struggle with: to what degree do you force on them wiping or getting that material off the machine?” said McCullough. 6. DON’T FORGET: THIS IS PERSONAL. Typically, with firm-owned devices, departing employees turn in the technology on their way out the door. But with BYOD, those devices will be hitting the exits with the employees, and firms must determine how to clear them of all firm-related data: wiping firm-related data, wiping the entire device, asking the user to clear firm data, or some other method. In the end, it all goes back to the firm’s policy: “It’s got to be addressed in the policy itself and that way there’s no doubt or question about what’s going to happen,” said Ossian. 7. MANAGE THE DATA. One area that is likely at the top of every firm’s BYOD agenda is records management. McCullough recommends that firms leverage the records management tools they already have. As with all aspects of BYOD, firms should outline how records management will work in the policy so users understand their obligations and the extent of the firm’s support. Intersecting with records management is the issue of litigation holds. If the firm already controls all firmrelated data through EMM or has an organized records management system in place, preservation may be straightforward. But if users control some or all of the data or if a firm is concerned that data has somehow been saved outside of its EMM controls, preserving data may become more cumbersome. “There has to be an agreement by the employee and as part of the policy ... that any content that’s on the phone that relates to firm business is owned by the firm and that the employee is certainly obligated to take any direction that the firm imposes ...” said Ossian. “In the event of a litigation hold, it may mean that they turn their phone in.” Of course, firms must be wary of privacy concerns and any other legal obligations when dealing with employees’ personal information and should consult counsel when developing their strategy. important is the understanding that issues can arise 24 hours a day, said McCullough. Firms with fewer resources may seek outside help to ensure appropriate security. “One thing that I think is effective is that they outsource not only the MDM but the management,” said McCullough, who urges firms to “set the right expectations.” g About the author 8. UNDERSTAND YOUR CAPABILITIES. When it comes to security, the last thing you want is to have insufficient resources. Firms that embrace a BYOD program should assess the security and support needed not only to successfully manage BYOD but also to tackle any issues or crises that materialize. Particularly BREAKING Mary Kate Sheridan is a writer, editor, blogger and attorney. She received her JD from Columbia Law School and her bachelor’s degree in English from Mary Washington College. Contact her at [email protected]. THE GOLDEN RULE OF SHARING With all of the interactive offerings that modern devices provide, it’s easy to see why users may frequently share their devices with others, whether they’re letting their kids play games, asking someone to take photos, paying for their lattes, scanning their airline boarding passes or showing a friend the latest headline. From the firm’s perspective, however, these devices aren’t merely personal toys; they contain confidential firm data for the user’s eyes only. Firms must consider what guidelines are appropriate in these circumstances and include such standards in their policy. Silas McCullough, mindSHIFT Technologies General Manager, Legal Professional Services, has seen two approaches: one in which firms place the responsibility on the attorney to preserve confidentiality and another in which the firm specifically restricts device users to the attorney only. When placing any restrictions on personal use, however, the firm should consult counsel to ensure it is in compliance with the law. LEGAL MANAGEMENT J U N E 2 0 13 45