Precautions for Lawyers to take in the Wireless World
The modern smartphone and, to a lesser extent, the tablet have become indispensable tools in the management of your practice. Such power, mobility and convenience, however, come with some security vulnerabilities that can be somewhat mitigated with a few security practices that should become part of your professional life. In today's world, practice management is carried out almost entirely with laptops and mobile phones, and both these devices are predominantly wireless. Practice management and legal accounting software such as uLaw, PcLaw and others contain all your client and business data. You will want to take extreme care to protect yourself and your business in this capable but vulnerable wireless world. In this article, let us examine the potential problems and the remedies that you can take to reduce risk.
The Potential Problems:
- The device can be lost or stolen. (unauthorized access)
- Messages and files can be intercepted when in transit. (eavesdropping)
- The user can unintentionally download malicious software. (mobile malware: Trojans, worms, viruses and the latest rising threat - ransomware)
- A hacker can gain access to the device through an unsecured port while it is connected to the Internet.
- Users themselves can create modifications (sometimes called rooting or jailbreaking), perhaps for the purpose of installing unauthorized functions or software or to avoid being tied to a particular wireless carrier. These modifications increase security risk by disabling security notifications from the manufacturer or because they are bypassing the application vetting processes established by the manufacturer.
- The user can easily, perhaps even unwittingly, connect to an unsecured WiFi network, putting himself at risk for data and identity theft. (enabling the so-called “man in the middle”)
- The user with the phone’s Bluetooth feature open or in discovery mode allows his device to be discovered by a nearby Bluetooth-enabled device. This can allow an attacker to install malware through that connection or turn on the device microphone or camera and send the resultant data to a third party.
- With caller ID, the party you are calling can see your phone number before the call is answered. This may be the user’s intention, but on some occasions perhaps not. (Can be easily disabled by preceding the calling digits with *67)
- The user most likely conducts both personal and business affairs on the same mobile device thus mixing personal and business data.
Mobile Device Policy
Ensuring that your workforce follows consistent security measures starts with a written policy. The policy should cover the following:
(i) who gets a phone
(ii) which devices are supported
(iii) how are costs to be covered (i.e. consumption limits)
(iv) acceptable use (no texting while driving, acceptable sources of apps,...)
(v) password and data backup rules
(vi) pre-registration before connection to the company network
(vii) encryption of business data
The Lost, Stolen or Broken Device
The time to think about this is before the device gets lost, not afterwards. First of all, enable your password access to the phone. Even a crackable password will slow down a random theft. Most modern phones have fingerprint access options. They work well but have some drawbacks - sweaty or soiled hands will be a problem, which will lead automatically to a backup PIN. Don’t pick an obvious PIN such as 0000 or 1234. Here is a list of 20 to avoid. Also, there is such a thing as fingerprint theft and you do have your fingerprint for life.
Use local wipe and remote wipe features. Local wipe (auto wipe) is a security feature that wipes a mobile device after a pre-specified number of failed login attempts. Remote wipe allows the user to reset the screen lock PIN and erase all data on the phone (factory reset). You can do this for both Android phones and iPhones.
Intelligent & Smart Use
Your phone is a pretty powerful computer - your window on the World that you would not want to become the World’s window on you. Keep the Operating System up to date. The updates do not just add features, they patch known security vulnerabilities. Don’t download every app that looks like fun and definitely go only to respected app sources: basically Google Play and the Apple App Store. They are both tightly screened to minimize the likelihood of malware in the posted apps.
When working in your mobile browser, stay away from questionable sites and as much as possible, unknown sites. Separate your business files from your personal files. Encrypt at least the business files. Backup your data - your personal files to one location and your business files to your business backup account. Don’t use public WiFi for sensitive data without connecting to a virtual private network (VPN).
Finally, and this advice is somewhat controversial, don’t root your device. To me it’s just not worth it.
Location, Location, Location
The information that ties the device to the registered user is stored by the network operator and will be disclosed by your provider should a lawful government access request be provided. The information could also be accessed by hackers should they gain unauthorized access to the mobile network infrastructure. If you are worried about your location being tracked, the safest thing to do is avoid mobile networks entirely: use Wi-Fi data networks for all communications (with trusted access points and data encryption enabled) and disable the mobile network recorded in your device settings.
Note down your IMEI number
IMEI numbers (15-digit International Mobile Equipment Identity) are unique to every device and identify it no matter where it is located. It is easy to get the IMEI number of your phone (printed inside the battery compartment). Storing the IMEI number will be beneficial when your phone is either lost or stolen. You will need this when reporting the theft to your carrier. IMEIs can be blacklisted, rendering the phone almost useless (only 911 works) to anyone who stole it. (Unless it has been moved to countries and carriers not participating in the GSMA IMEI Database - China and Russia for example). The IMEI can also be used to trigger an alarm when the stolen device is reactivated. (There is an app for that)
Practice management and Legal Accounting software in your device
Since both your laptop and cellphone carry practice management data, you will need to ensure the security of the devices.
- uLaw White Paper on Power of SOLO
- uLaw White Paper on Canadian Privacy Laws
- uLaw Integrated payment options
- uLaw Legal Analytics and its power
Your cell phone is a complete computer and a valuable resource for your business. You naturally think of keeping it safe from the physical world - doing what it takes to protect it from damage, loss or theft. Take the same care in keeping it safe from the virtual world, where it is just as vulnerable - perhaps more so.