We all know that lawyers have a duty to protect confidential client information and other sensitive data. However, as a whole, they rarely do a complete and thorough job of it on their computer systems. Fortunately, there are key lines of defense that you can easily implement.
Given the many threats posed by viruses, worms and other malware these days, securing and controlling access to confidential client data may be keeping you up at night. To help quell your fears, here are some of our favorite security tips that you can—and should—implement in your practice. Portions of the following are adapted from our ABA book The 2010 Solo and Small Firm Legal Technology Guide: Critical Decisions Made Simple . You may be doing some of these things already, but read on to see which additional steps you should be taking, too.
Integrated Protection for Small Offices
Solos and small firms may want to consider a single integrated product to deal with spam, viruses and malware. Norton’s security suite is a top seller for the single-computer market, but we highly recommend avoiding the Symantec Norton Internet Security 2010 software. It can put a heavy load on computer processing and cause stability problems with other programs. It is also on the expensive side. Recent reports indicate that Symantec is addressing the performance issues, but you might want to wait a while before trying this product to make sure they get it right.
We recommend using Kaspersky Internet Security 2010 instead. It contains firewall, antivirus, antispyware, rootkit detection, anti-spam capabilities and much more. It’s currently available directly from www.kaspersky.com for a price of $79.95 for one-year protection on up to three computers. This is an excellent choice for the small office environment.
Integrated Protection for Larger Environments
Trend Micro Worry-Free Business Security is a highly regarded product that is available in three editions: Standard, Advanced and Hosted. You may want to stay away from the Hosted solution, though, since the entire configuration is set up and maintained by Trend Micro.
All of the editions include antivirus and anti-spyware capabilities and will protect both your servers and individual computers from malicious threats, monitoring active processes and applications to prevent unauthorized and harmful changes. Plus, the software will automatically change settings on laptops to set them for protection when employees are traveling out of the office. The Advanced Edition includes anti-spam filtering for Microsoft Exchange Servers as well as InterScan Messaging Hosted Security. Pricing starts at around $40 per license for the Standard Edition and $60 per license for the Advanced Edition, which includes technical support and upgrades for a year. This product is offered in both one- and two-year subscriptions, and licenses can be purchased from www.trendmicro.com.
Anti-Spyware Protection
If you don’t go with one of the integrated protection products, make sure you have a good anti-spyware product in addition to your antivirus product. Webroot Spy Sweeper 2010 has been the highest-rated anti-spyware solution in recent years. The latest version, which is compatible with Windows 7, has simplified configuration settings and a completely revamped interface. The software also has fewer pop-up warnings and additional layers of protection that specifically target keylogger utilities and malicious programs that use rootkit techniques to hide.
Spy Sweeper’s various “shields” provide active protection to keep spyware from invading a clean system, and it can be set up to check automatically for program and spyware definition updates and to run scans at start-up or on a schedule, almost eliminating the need for user interaction. Set the scheduled scan to run on at least three days a week; that keeps the system checked regularly without being overly paranoid. Webroot offers free support to customers who submit a support request online or call technical support. A one-year subscription for Webroot Spy Sweeper 2010 is available from www.webroot.com for $29.95. Two- and three-year subscriptions are also available.
E-Mail Spam and Virus Filtering
For e-mail anti-spam and antivirus filtering, we have come to love a great product called Postini, which costs less than almost any other implementation. Note that your inbound e-mail is re-routed so that it passes through the Postini servers before being delivered to your mail server or e-mail client; in practice, that means changing your domain’s MX records to point at Postini. Once you have done so, configure your firewall or mail server to accept inbound mail only from Postini’s servers. Otherwise a spammer can skip the filter simply by delivering directly to your mail server’s address. Postini’s Web-based interface holds spam messages in a “quarantine.” Users receive a quarantine summary once a day listing the e-mails quarantined that day, and from that message they can release a quarantined message, such as a captured “false positive,” with a single click.
As an option, Postini also has a “mail bag” feature available for an additional charge. This feature spools your e-mail in the event you lose your Internet connection or your mail server goes down. Once your connection or server comes back up, Postini will feed you all of the e-mail that it was holding during the outage, which means you won’t lose any e-mail even if your server goes down for a period of time.
You can purchase the service directly through www.postini.com (note that Postini is now a subsidiary of Google) or you can go through a reseller. When you purchase directly, the costs are lower, but you have to configure and set up the installation yourself and you do not receive any support. Purchasing through a reseller costs slightly more money, but you obtain 24-7 support and assistance with the complete operation.
Laptop Encryption
Secure mobile computing must include some method of encryption to protect the valuable personal and client data on your laptop while it’s in transit. We prefer whole disk encryption, which means that everything on the hard drive is encrypted. This way, you don’t have to remember to put files into special encrypted folders or on an encrypted virtual drive. Let’s face it: all too often, humans are in a big hurry and neglect to save data into the special encrypted areas.
Many of the newer laptops have built-in whole disk encryption. To state the obvious, though, you have to make sure you enable the encryption or your data won’t be protected; check the encryption status yourself rather than assuming the factory turned it on. For added security, encryption may be used in conjunction with biometric access. As an example, our laptops require a fingerprint swipe at power on. Failure at that point leaves the hard drive fully encrypted, which is a very comforting thought should laptop thieves, who constitute a large club these days, make off with your laptop. One caveat: whole disk encryption protects data only while the machine is shut down or hibernated, so that the pre-boot check must be passed again. A laptop that is merely asleep still holds the decryption key in memory, so shut it down before you travel with it. If you think we are being too cautious, bear in mind that statistics indicate a laptop is stolen every 53 seconds in the United States. We mean it when we say “be careful out there.”
Smartphone Security
All lawyers should have a PIN code programmed into their smartphone to prevent unauthorized access to the data on it. They should also set a fairly short “time-out” period for the automatic lock, since it doesn’t do much good to have an unlock PIN and then have 40 minutes pass before the phone relocks. We know it’s a pain to constantly punch in the unlock code, but it will keep your data from prying eyes. Better yet, it will stop someone from installing spyware on your phone that could effectively capture all of your communications (voice calls, e-mail, text messages, etc.).
Alas, there is just one problem if you’re an iPhone user: The PIN is easily bypassed. To see just how easy it is, check out www.youtube.com/watch?v=5wS3AMbXRLs .
In addition to PIN-protecting your smartphone, you should encrypt any memory cards—we’re talking about the SD, micro-SD and similar cards that you can insert into the phone to increase storage capacity—or else just don’t store any sensitive data on them. Some models have programs available that allow you to encrypt the card contents, so check for those based on the model you use. But the point is that you don’t want any confidential information to be accessible on the card if you lose your phone. The PIN will protect the phone access, but the “bad guys” can pop out the memory card and read it from a computer if it is not encrypted. Unfortunately, there’s again a problem with the iPhone here, specifically the 3GS model—you don’t need any special software or skill to access a fully patched, passcode-protected, encrypted iPhone 3GS. Just connect it to a system running Ubuntu and the data is fully accessible.
Wireless Network Security
Wireless networks need to be set up with the proper security, which first and foremost means enabling encryption on the wireless access point. Do not treat Wired Equivalent Privacy (WEP) as an option: even with 128-bit keys, the WEP key can be recovered in minutes with freely available tools, so a WEP network is only marginally better than an open one. Attackers will usually pick an open network before a secured one, but that is no reason to rely on WEP. The Federal Trade Commission and the Canadian Privacy Commissioner have both found WEP insufficient to secure credit card information, and we suggest it not be used at all.
You should also be aware that Wi-Fi Protected Access (WPA) using the TKIP (Temporal Key Integrity Protocol) algorithm was recently attacked by a group of Japanese researchers in about a minute. The attack does not recover your network key, but it lets an attacker decrypt and forge short packets on the network, which is reason enough to retire TKIP. Encrypt using WPA2 with AES (CCMP), and turn off TKIP and any WPA/WPA2 “mixed” mode offered for older clients; WPA with AES is the minimum you should accept from a device that cannot do WPA2.
Remember to Change the Defaults
Here’s a final but very important point that applies regardless of whether you are configuring a wireless router or installing a server operating system. In all cases, make sure you change any default values. The default user IDs and passwords for any software or hardware installation are well known in the tech world and beyond. There’s even a default network name when you create a Windows network environment, and wireless routers ship with a default network name (SSID) and administrator password that anyone can look up. Apple isn’t immune here either, since there are default values for its products as well. The point is that all default values, especially log-on values, should be changed to prevent unauthorized access.

All of these security tips can be easily implemented, so be sure they are taken in your law office. Sleep will come more readily when you know that your law firm data is secure. As Nike would say, just do it.
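Putting the wireless advice and the change-the-defaults advice together, here is a small audit script, added for this edition and not part of the original column, that reads a hostapd-style access point configuration and flags the weak settings discussed above: WEP keys, WPA version 1 or TKIP, a factory-default SSID, and an unchanged administrator login. The option names wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wep_key0 and ssid are real hostapd.conf keys; the admin_user and admin_password keys, the lists of default values and the three sample configurations are constructed for this example, so extend the lists from your own vendor’s documentation before relying on it.

```python
"""Audit a wireless access point configuration for the problems the column
warns about: weak or absent link encryption (WEP, WPA version 1, TKIP) and
unchanged factory defaults (SSID, administrator credentials).

Added example; not code from the original column.  The option names
wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wep_key0 and ssid are real
hostapd.conf keys.  admin_user / admin_password, the default-value lists
and the sample configurations are constructed for this example.
"""

# Constructed lists of well-known factory values; extend them from the
# vendor documentation for the hardware you actually run.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "admin"),
}


def parse_config(text):
    """Parse key=value lines in hostapd.conf style.

    Like hostapd, only a line that begins with '#' is a comment; a '#'
    elsewhere is part of the value (passphrases may contain one).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return a list of (severity, message) findings for one AP config."""
    findings = []

    # Link encryption.  In hostapd, wpa bit 0 enables WPA (version 1) and
    # bit 1 enables WPA2 (RSN); wpa=3 is the "mixed" mode that keeps TKIP
    # alive.  rsn_pairwise falls back to wpa_pairwise when it is not set.
    uses_wep = any(key.startswith("wep_key") for key in settings)
    wpa_mode = int(settings.get("wpa", "0"))
    wpa_pairwise = settings.get("wpa_pairwise", "").split()
    rsn_pairwise = settings.get("rsn_pairwise", settings.get("wpa_pairwise", "")).split()

    if uses_wep:
        findings.append(("HIGH", "WEP keys configured; WEP is broken and must not be used"))
    elif wpa_mode == 0:
        findings.append(("HIGH", "no encryption configured (open network)"))
    if wpa_mode & 1:
        findings.append(("LOW", "WPA version 1 enabled (wpa=1 or 3); WPA2-only (wpa=2) is preferred"))
        if "TKIP" in wpa_pairwise:
            findings.append(("HIGH", "wpa_pairwise allows TKIP; use CCMP (AES) only"))
    if wpa_mode & 2:
        if "TKIP" in rsn_pairwise:
            findings.append(("HIGH", "rsn_pairwise allows TKIP; use CCMP (AES) only"))
        if "CCMP" not in rsn_pairwise:
            findings.append(("MEDIUM", "rsn_pairwise does not list CCMP"))

    # Factory defaults.
    ssid = settings.get("ssid", "")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(("MEDIUM", f"SSID {ssid!r} is a factory-default network name"))
    login = (settings.get("admin_user", ""), settings.get("admin_password", ""))
    if login in DEFAULT_CREDENTIALS:
        findings.append(("HIGH", "administrator login is still a factory default"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse, then audit."""
    return audit(parse_config(text))


# Constructed sample configurations.
WEAK_CONFIG = """\
# router left close to factory state
ssid=linksys
wep_default_key=0
wep_key0=0123456789
admin_user=admin
admin_password=admin
"""

MIXED_CONFIG = """\
# WPA/WPA2 mixed mode with TKIP still allowed for old clients
ssid=smith-law
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
admin_user=admin
admin_password=c0rrect-horse-battery
"""

GOOD_CONFIG = """\
ssid=smith-law
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
admin_user=firmadmin
admin_password=c0rrect-horse-battery
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("mixed", MIXED_CONFIG), ("good", GOOD_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_text(text) or [("OK", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run it against an exported configuration before the router goes into service and again after any firmware update, since updates occasionally reset settings to their defaults. The “good” sample produces no findings; the WEP sample and the mixed-mode sample each show why the column says to use WPA2 with AES only and to change every factory value.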
Sharon D. Nelson and John W. Simek are President and Vice President, respectively, of Sensei Enterprises, Inc., a computer forensics and legal technology firm based in Fairfax, VA. They are coauthors of The 2010 Solo and Small Firm Legal Technology Guide (ABA, 2010).
Portions of this column are excerpted or adapted from the authors’ ABA book The 2010 Solo and Small Firm Legal Technology Guide: Critical Decisions Made Simple. The book, for which Michael Maschke served as a coauthor, is published by the ABA Law Practice Management Section and available through the ABA bookstore at www.ababooks.org .