GPSOLO June 2008
Computing security means not only protecting your systems, your data, and your clients’ information from malware, but also protecting them against catastrophic loss.
Catastrophic loss can result from a variety of causes. There are the “acts of God,” such as fire, earthquake, hurricane, tornado, and flood, that damage your systems beyond repair—or damage your facilities beyond recovery. If you are in a metropolitan center, acts of terrorism can inflict similar damage on your operations. There can be power spikes from lightning or other causes that “fry” your electronics. You can lose information from catastrophic disk failure or from theft of hardware or data. How do you protect yourself?
First, make sure that you back up every computer and file server in your office every day before the last person leaves the office. If you do not back up to a secure off-site facility, the last responsible person to leave the office should take the backups for that day home with him or her. In order to implement your duty to preserve inviolate the secrets and confidences of your clients, any secure off-site backup solution should require encryption of the data before it leaves your office, transmission using a Secure Sockets Layer (SSL) line or an encrypted dedicated line, further encryption of the data at the off-site facility, and distribution of data across multiple disks or data silos.
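The "encryption of the data before it leaves your office" step, as an added example that is not part of the original article: it archives a folder, encrypts it with OpenSSL, and confirms the encrypted copy restores to identical files before it is uploaded or carried home. The function names, paths and sample files are hypothetical, and it assumes OpenSSL 1.1.1 or later with a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the article). Function names and paths are hypothetical.
# Assumes OpenSSL 1.1.1 or later plus tar, diff and mktemp.

# SHA-256 of a file, hex digits only.
digest() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# encrypt_backup SRC_DIR OUT_FILE PASSFILE
# Archives SRC_DIR and encrypts the archive with AES-256; the key is derived
# from the passphrase in PASSFILE with PBKDF2. Plaintext never touches disk.
encrypt_backup() {
    tar -C "$1" -cf - . |
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass "file:$3" -out "$2" || return 1
    # openssl enc does not authenticate the ciphertext, so record its digest
    # and keep that record in the office, apart from the off-site copy.
    digest "$2" > "$2.sha256"
}

# verify_backup SRC_DIR OUT_FILE PASSFILE
# Succeeds only if the ciphertext matches its recorded digest and a test
# restore into a scratch directory is identical to SRC_DIR.
verify_backup() {
    [ "$(digest "$2")" = "$(cat "$2.sha256")" ] || return 1
    tmp=$(mktemp -d) || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$3" -in "$2" 2>/dev/null | tar -C "$tmp" -xf - 2>/dev/null
    diff -r "$1" "$tmp" >/dev/null 2>&1; rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample data: one client folder and a random passphrase file.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/clients/matter-001"
    echo "constructed sample: engagement letter" > "$work/clients/matter-001/letter.txt"
    (umask 077; openssl rand -base64 32 > "$work/pass")
    encrypt_backup "$work/clients" "$work/backup.tar.enc" "$work/pass" &&
        verify_backup "$work/clients" "$work/backup.tar.enc" "$work/pass"
    rc=$?
    rm -rf "$work"
    return $rc
}
demo && echo "backup encrypted and restore verified"
```

The passphrase file has to be stored separately from the backup media; a backup that travels with its own key is no better protected than an unencrypted one.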
Don’t use the backup application that comes with Windows. It has limited capabilities that may not be enough to back up your kids’ computers at home. Use serious backup software—something like EMC’s Retrospect (www.emc.com), which can handle large amounts of data from multiple drives on single workstations or multiple networked computers in an intelligent incremental fashion.
Back up to a high-capacity portable hard drive, such as the 500 gigabyte or 1 terabyte USB drives from Western Digital (www.westerndigital.com). These drives are about the size of a thick paperback novel and will fit in any briefcase or large purse. Alternatively, if you are using file servers on your network, back the workstations up to a backup file server, and back that up to something you can remove from the premises.
If you are using file servers, make sure you are using a redundant array of independent disks (RAID) configuration of at least three redundant disk drives for each lettered drive. You also should have a RAID configuration on any computer or file server that regularly records important information during the day because it probably will be cheaper to install a RAID configuration than it will be to reconstruct the lost data.
To protect your hardware and data against power spikes, use heavy-duty surge protectors appropriate to your location and the weaknesses of your power grid. If your service drop (the wires between the utility pole and your building) is sagging and the insulation is worn off, the wires can bang together in the wind, causing large voltage spikes. An inadequately grounded or protected service grid—or building—also can be susceptible to voltage spikes from lightning. Also consider an uninterruptible power supply (incorporating surge protection) attached to each of your computers (servers and workstations) that will permit them to run long enough to save all data and shut down if there is a power failure. For systems that run 24/7, get uninterruptible power supplies that will shut them down automatically.
To protect yourself against data theft, consider using “dumb” terminals for staff and temporary personnel; such workstations only can access the file server and have neither USB ports, nor portable media devices (such as CD burners or so-called floppy disk drives) to which data can be copied, nor access to the Internet for the transmission of files off-site. In addition, run background checks on your existing employees and new hires with their consent. Use both boot passwords and operating system passwords on all your workstations—and make sure the users log off during breaks and the systems are shut down at the end of each day—to protect against unauthorized access by maintenance workers, cleaning crews, and other visitors. For the same reasons, make sure your client files are stored in locked file cabinets at the end of each day—ideally in a locked file room to which “strangers” do not have access. Consider converting all of your archived paper files stored off-site to encrypted digital files.
Malware is a class of software that includes viruses, worms, Trojans, bots, etc., that can be used to disable your systems and/or to steal data. Anti-malware software is ubiquitous in the marketplace and should be installed and automatically updated on every computer in your environment (office, home, and portable). If you are running a file server, you should have a hardware firewall installed between the file server and the Internet and should have anti-malware software installed on the firewall. (If you are running a public-facing web server, it should be outside the firewall and should have access to your network, if at all, only through the firewall.)
Mere anti-virus protection is not enough. You need in-depth anti-malware protection against all possible sources of intrusion. Some vendors, such as Symantec/Norton (www.symantec.com) and McAfee (www.mcafee.com), offer integrated anti-malware solutions as well as standalone solutions (e.g., anti-virus applications). Other vendors offer solutions targeted at specific types of malware—such as Lavasoft’s Ad-Aware (www.lavasoftusa.com; the paid version works automatically in the background; the free version works manually) and Spybot - Search & Destroy from Safer Networking Ltd. (www.safer-networking.org; this is freeware and works manually).
For anti-virus applications, you need the support of the R&D labs operated by the substantial vendors such as Symantec, McAfee, and Kaspersky (www.kaspersky.com), which are constantly monitoring the Internet for new malware, developing solutions, and distributing them. Freeware sources simply do not have the resources to develop and distribute solutions in a timely manner. This is one of those situations where you do get what you pay for, and trying to do it on the cheap is not in your best interests or those of your clients.
The old adage—an ounce of prevention is worth a pound of cure—applies here with a vengeance. Be safe, so you won’t be sorry.
J. Anthony Vittal is in private practice with The Vittal Law Firm, based in Los Angeles, California. A former member of the ABA Standing Committee on Technology and Information Systems, a member of the editorial boards for Tech eNotes and the Technology & Practice Guide issues of GPSolo, and a member of various technology-oriented committees of ABA Sections, he speaks and writes frequently on legal technology topics. He may be reached at firstname.lastname@example.org.