As the BYOD (“bring your own device”) trend becomes increasingly popular in the workplace, law firms are faced with the growing concern of safeguarding and protecting data on mobile devices. By allowing the use of personal smartphones, tablets, laptops and USB sticks for work-related tasks, law firms save money and grant users autonomy when selecting and utilizing their devices. There are caveats, though, to this trend. Inconsistencies between operating systems can create unforeseen difficulties with file sharing and communication. Moreover, when these devices are not part of the firm’s network, it becomes much more difficult to implement firm-wide security policies.
Mobile devices have the capacity to store large amounts of data, and if the device is authorized for company use, that data could include confidential company and client information. It seems logical to implement security measures when such sensitive information is stored on or accessible by a mobile device, especially now that it is common to use these devices to conduct financial transactions. If the device is not a part of the company network, security status is more difficult to monitor and enforce.
Whether protected or unprotected, mobile devices present risks by nature of their design. Mobile devices are intended to be portable, which is both a benefit and a gamble because they can easily be lost or stolen, along with all the data stored inside of them. If a mobile device is used for work-related tasks, it often contains passwords or security certificates that provide access to email accounts, VPNs, and remote access. There has also been an increase in malware/madware from downloading applications and content from untrusted sources. Furthermore, because mobile devices are designed to connect to wireless internet, they can be subject to ‘sniffing’ during wireless communications.
There is a range of easy options available for protecting sensitive data on mobile devices, and these measures can and should be used concurrently. First, label all mobile devices with the user’s name and phone number. Require the configuration of a strong password/passcode that contains lowercase and capital letters, numbers and symbols. This password/passcode should not be shared with anyone. Most devices come with the ability to set a ‘timeout,’ meaning the device will lock after a specified period of inactivity. Be sure to employ this ‘timeout’ to secure the device. Many devices also allow users to set a limit for incorrect logins, which would forbid access to the device for a specified period of time.
Encourage users to avoid free WiFi to prevent ‘sniffing’ and to download only from trusted sources, such as iTunes, Google Play and the Amazon App Store. Always apply updates and patches to the operating system, software and apps in a timely manner, which can help protect against malware/madware. Do not ‘jailbreak’ or ‘root’ any device; doing so could allow the installation of malicious software and would void the device’s warranty. Use encryption on the device, data and hard drive, use secure key flash drives and turn off USB ports. Finally, if an employee leaves the firm, wipe their mobile device back to factory settings and check their online accounts (such as the cloud) to ensure that sensitive information remains in the right hands.
If employees intend to use their own personal devices for work-related tasks, there should be a dictated security policy in place. For a more thorough approach to mobile device management, there is software available that monitors mobile devices. With this type of software, a set of security policies is applied to the device, which then must stay within certain security protocols. Additionally, if the device is lost or stolen, this software can track its location, send a message to it, and wipe it back to default settings.
It is important to remember that as mobile devices become more prominent in the business world, so do ‘sniffers,’ malware and madware designed to target such devices. There are simple ways to safeguard data, starting with a password. Make it a habit to enforce the aforementioned security measures to ensure the integrity of the firm and the safety of confidential data.
Published in the January 2014 issue of the ACBA Lawyer’s Journal.