Law Firms in a BYOD World [Slideshow]

Last month I was privileged to be invited to speak about BYOD (Bring Your Own Device) policies in law firms at the 2014 Clio Cloud Conference (check out the live blog I made of Day 1 here). My presentation, titled Law Firms in a BYOD World, discussed the reasons why law firms need to implement not just any BYOD policy, but the right BYOD policy.

As you can see in the presentation below, the right BYOD policy does more than address the basic elements of any effective workplace policy. To be the right BYOD policy, it must provide for regular updates, it must have universal buy-in among your employees, it must apply universally within your firm, and it must take the privacy concerns of your employees seriously.

Check out my presentation, Law Firms in a BYOD World:

Law Firms in a BYOD World from Brian Focht

We Live in a BYOD World

Regardless of whether you want to allow BYOD or not, odds are you’re probably already doing it. A recent survey indicated that of those using a mobile device for work, 78% use a device they own. Companies large and small have clued in to the benefits of BYOD – despite the potential drawbacks.

Owners and executives love it:
- Companies no longer bear cost of equipment
- Companies no longer bear cost of service
- Reduced costs for training, as people tend to be more proficient in using personal devices
- Company ends up being more innovative, as personal devices tend to be newer

Employers like it:
- Employees are more productive
- Employees more available during non-work hours

Employees like it:
- Get to use device of their choosing
- Allows... read more

What’s the Point of Voluntary Cyber Security?

A recent publication by the FDA regarding cyber security for medical devices got me wondering how ready law firms are for the true cyber security needs of the future. The publication, official guidance to the medical device community, informs the manufacturers of medical devices that utilize wireless connectivity that it is necessary for them to consider cyber security in making their products. Necessary, but not required.

Huh? I don’t understand. If the FDA believes, as their report says, that the risk of hacking medical devices is significant, why aren’t they simply requiring cybersecurity steps? Why, before even stating the purpose of the rule, do they take a whole paragraph to emphasize that the word “should” as contained in the remaining NINE paragraphs does not indicate required action?

For reference:

“FDA’s guidance documents, including this guidance, do not establish legally enforceable responsibilities. Instead, guidances describe the Agency’s current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited. The use of the word should in Agency guidances means that something is suggested or recommended, but not required.”

And how on earth does this have anything to do with lawyers? I’ll tell you how: plausible deniability.

Why would the FDA, the supposed “watchdog” of the medical device industry, make recommendations about such a critical issue, but make the fix voluntary? In my opinion, it’s because the fox is running the hen house. The rules are written with too much influence from the medical device industry, who – like all other industries – wants the standard to be permissive. That way, should there be... read more

Awareness is the Key Ingredient for a Successful BYOD Policy

I looked up at the 40-50 people who were attending my presentation at the 2014 Clio Cloud Conference, Law Firms in a BYOD (Bring Your Own Device) World, and asked how many used a passcode lock on their phones. Every hand went up. “Well, this will be easier than I imagined,” I thought. It was my first presentation at a conference like this, and it’s easier preaching to the choir, so to speak.

“How many use your phone for work,” was my next question. Again, every hand in the room went up. Then the bombshell hit.

“How many do so pursuant to a written Bring Your Own Device policy?”

Two hands. In a room of 40-50 tech-savvy lawyers.

Before I made my presentation, I decided that it would take far too much time for me to walk through a BYOD policy step-by-step, particularly considering my belief that making sure attendees understood the dangers was important (it was about half of my 45-minute presentation). Ok, I admit it, I spent half my presentation attempting to scare the audience into action, although it was entirely based on real information. Based on the Q&A at the end, it worked.

While I addressed the individual components of a thorough BYOD policy, I decided that a different approach would be more effective: what are the real elements that make the difference between a successful and unsuccessful BYOD policy. (For more information about BYOD, and for some template BYOD policies, check out my presentation sources page.)

What sets a successful BYOD Policy apart?

I found four things that differentiated a successful BYOD policy... read more

Law Firms in a BYOD World

Due to the significant volume of sources that I relied upon in putting together my presentation at the 2014 Clio Cloud Conference, Law Firms in a BYOD World, I have elected to provide the primary and secondary sources here in my blog. Below, you will find the following sections:

1) Direct sources – sources for specific pieces of information or statistics cited in my presentation;
2) Secondary sources – sources that I relied upon for general thematic information;
3) Further reading – sources that I read and found generally informative while I was researching this presentation, but which I did not directly rely upon for my presentation.

For additional information, I have also provided links to several example or template BYOD Policies, should you need any assistance in drafting the right BYOD Policy for you and your firm. In the coming days, I hope to also make my presentation available.

1) Direct Sources

- IT Security Risks Survey 2014: A Business Approach to Managing Data Security Threats, Kaspersky Lab (last viewed September 21, 2014).
- Key Findings from the Global State of Information Security Survey 2014, PricewaterhouseCoopers, LLC (last visited Sept. 17, 2014).
- Julie Cresswell and Nicole Perlroth, “Ex-Employees Say Home Depot Left Data Vulnerable”, New York Times (Sept. 19, 2014).
- New Webroot Report Reveals Disparities Between Corporate Mobile Security Policies and BYOD Practice, Webroot (July 10, 2014).

2) Secondary sources

- Gartner Says Bring Your Own Device Programs Herald the Most Radical Shift in Enterprise Client Computing Since the Introduction of the PC, Gartner (August 28, 2012).
- Susan Bassford Wilson, BYOD Requires BYOB: How to Handle the Challenges Inherent in a “Bring Your Own Device”... read more

Why Have We Given Up on Email?

Recently, I needed one of my clients (an insurance company) to provide me a copy of their standard policy so I could see some of the specific language as I performed my research. It was important, since the case law I’d already found said that the issue would hinge on the language of the contract. Instead of emailing me a copy, it was sent to our managing partner via secured email portal. When the email was forwarded to me, it couldn’t be opened. Instead of printing a 90-page document so I could use two pages, the partner simply called me into the office to view the pages. That was when I first encountered the clumsy, unintuitive document reader program in which I was allowed to access the document.

At that point, I realized that we have given up on email. I’m all for security in email, particularly for issues of confidentiality or proprietary information/trade secrets. But aside from a few good cloud-based systems, secure internet portals tend to be cumbersome and difficult to use for most people. That’s why I’m officially taking a stand in support of regular email!

We’ve given up on email. Really, we have. And it’s been remarkably quick. For the longest time, attorneys shunned email just as we tend to do with every kind of technological advance that’s come our way. Yet, over time, it became a part of a lawyer’s routine just like it has for anyone else involved in business. Therein lies its inherent utility – it’s used universally. Since lawyers, doctors, construction workers, bankers, teachers, students, and everyone except for the members... read more

You Really Thought Cloud-Based Services Were Totally Secure?

Let’s be honest, many people were completely shocked by the revelations from Edward Snowden’s release of classified NSA documents last year about the width and breadth of the NSA’s spying. Unless you had seen the Will Smith movie Enemy of the State. From 1997. Which basically was a movie about how the NSA did EXACTLY what Edward Snowden said they did. And that movie came out before things like the Patriot Act. Amazingly, people were still shocked, shocked I say, to discover that the NSA was spying on, well… everyone.

Newsflash: electronic data is not totally secure. Never will be. If you are able to access the information, someone else can too. It’s pretty basic.

That’s why I was so surprised to read this article from the Lawyerist, by one of my favorite legal bloggers, Sam Glover, discussing how he’s re-thinking his use of the cloud for his legal files. In other words, he’s “shocked, shocked I say” to learn that the cloud isn’t totally secure.

Sam talks at length about ways that attorneys can use various cloud-based systems to accomplish particular tasks, such as email communication, calendar and to-do list updates, and document storage, while maintaining some security. He also talks about which of these items are more or less appropriate for cloud-based systems. Yet, at the end, he still says that although he’s not abandoning the cloud for his law practice (that he decided would be his default storage only a year ago), he’s only using it for things he absolutely needs to.

I want to be clear, I’m not criticizing Sam’s decision. What puzzles me... read more

7 Top Tactics Hackers Use to Steal Your Data!

Doing my daily research for this blog, I stumbled upon an interesting looking article by PC World about seven of the top tactics that hackers use to get data off of your computer. Many of us think about hackers as people aggressively attacking systems, like medieval soldiers attempting to breach castle walls. However, as was learned by the hacker Kevin Mitnick, sometimes it’s a whole lot easier to just call up your target and ask them for their password!

The PC World article listed seven ways that hackers essentially get you to hand over the information they need to get access to all of your important data. So many articles and posts talk about what you can do to your equipment to make it safer, while other articles remind you that it’s all nonsense. The real trick is knowing when NOT to be the guy whose only question when Kevin Mitnick asks for secure source code from Motorola is “[w]hat version do you want?”

So for you and your clients’ security, here are PC World’s 7 Top Tactics Hackers Use:

1) Fake wireless access points. With the right basic software, any computer can become a wireless access point (“WAP”), connected to a legit WiFi network. A hacker may sit outside a coffee shop and name their fake WAP “Starbucks Wireless Network.” Or go to the airport and use the name “Atlanta Airport Free Wireless.” You connect your computer, and all the unprotected data sent back and forth via the WiFi connection is saved right on the hacker’s computer. According to PC World, “[y]ou’d be surprised how... read more

Lawyers and the Cloud: Better Check Your Internet Connection!

Part II in a continuing series on adoption of cloud-based systems by law firms.

Part I: 5 Things to Consider

Whether your firm is going to be fully automated, with cloud-based practice management software and full paperless implementation, or if you’re just checking out the option of storing your electronic documents with a third-party service such as Dropbox, the VERY first thing you need to do is make sure that your office’s internet infrastructure can handle it. Most people know that they need to have WiFi routers or sufficient ethernet connections to plug in to. However, neither will matter much without sufficient internet service from your ISP. If you don’t check your internet connection, your transition to the cloud could bring the operation of your firm to a screeching halt.

For addressing the ever-growing problem of what to do with all the data your business accumulates, adopting cloud-based services can be a cost-effective solution. Want to know just how much data your office accumulates? Just look at how big your own Outlook data file is, and you’ll get a glimpse of how much is being stored on your firm’s servers. Now that you’ve decided to move to the cloud, all that data has to be able to move smoothly from your third-party vendor to your office’s computers and your mobile devices via your firm’s internet connection.

Ok, I get it. We need to have sufficient internet. So… how do I know what is sufficient internet?

Now is when we get a little technical, so try to stick with me. Your internet connection really comes down to two things: 1)... read more

More Security Problems for Dropbox?

Two hackers are reporting, in a paper they published at the USENIX 2013 conference, that they have found more security problems for Dropbox. Using code published along with their other findings, they were even able to intercept SSL data from the Dropbox servers, completely bypassing the two-factor authentication system. The paper reports that the purpose of the project is to aid in future development of advanced security systems for software programs such as Dropbox.

This is not the first time that vulnerabilities in the Dropbox system have been exposed by academic researchers. A previous security vulnerability was discussed in a previous article. Dropbox, which according to the American Bar Association is the preferred cloud-based data storage provider for attorneys, claims over 100 million users worldwide, reporting upward of one billion file uploads daily.

PR representatives from Dropbox claim that the research does not actually demonstrate any vulnerabilities in their system. “We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a spokesperson said in an email reply to Computerworld. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”

The authors of the paper, Dhiru Kholia, with the Openwall open source project and a faculty member at the University of British Columbia, and Przemyslaw Wegrzyn, with CodePainters, reported that they do not believe that Dropbox has been adequately analyzed for security. Their system, detailed in a recent PC World article, is based on reverse-engineering the Dropbox program. Using the reverse engineering, they... read more