Your law practice was minding its own business when a global pandemic struck. You found yourself in a place where not only you, but members of your staff—many of whom may have never worked remotely before—had to do their work from wherever they might be sheltering in place. Some law practices went virtual months ago and have been wrestling with practical issues related to getting work done away from the office. Of course, for any modern law practice, getting the work done is only part of what must be done. Another part is employing the kind of security policies and procedures that ensure both firm and client data are well protected.
Going remote changes the security equation. With an in-person office, you likely had keycard access to ensure that only appropriate people in your workspace could get to the areas that they needed, or at least you had locks on the doors. Your keycard system generated detailed logs of the comings and goings of people within your organization. You may have had security guards patrolling the building at all hours of the night, along with video surveillance cameras watching the hallways and parking areas. Your office likely had network drives, network printers and jumbo shredders. Physical access to the workstations in your office enabled technicians to make quick repairs or run software updates at need.
Your teams could meet in conference rooms to discuss the latest strategy for a case, and your clients could meet with you face-to-face. When a new person joined your firm, you could take them around to meet their colleagues, show them where they’d be sitting and help them get oriented on available technology tools. When a person left your firm, you could conduct their exit interview, collect computer equipment, disable their keycard and escort them out of the building. Going virtual requires rethinking this “working on-site” equation and updating our baseline assumptions.
The "Remote Work Security" Equation
One of the tacit assumptions in the working on-site equation is physical security. Controlling access to a physical space goes a long way toward keeping confidential and privileged information from falling into the wrong hands. So, when elements of the practice leave the office’s protective walls behind and travel to home offices, we must take a hard look at what controls are available to protect them.
Do physical papers need to leave the office? If so, keep track of them and keep them organized. Return them to the office to be filed or securely destroyed when possible. Need to destroy physical papers at a home office? Invest in a shredder for home.
The remote work equation may have required your firm to provide loaner hardware to some of your lawyers and staff for the duration. Keeping accurate records of equipment on loan will help ensure that the equipment returns to the firm when transitioning back to on-site operations.
Firm laptops are made for going remote. They take advantage of full-disk encryption and require a password to log in to them. They require a password to unlock them after a period of inactivity and include remote access software, like a VPN. They are also outfitted with the standard collection of software your firm employs—like Microsoft 365, redlining software, access to your firm’s intranet and more.
Personal Computers and Equipment
While many law firms have robust work-from-home software and tools to enable working from anywhere, making the jump to a nearly 100 percent virtual workforce may have led firms to leverage the personal computers and equipment their employees already have. When there aren’t enough company-owned devices available, an employee’s old Mac or Windows computer might be repurposed as a makeshift workstation.
There are at least three items to consider when using a personal computer for firm work. Do you have an encrypted backup of important files? Are you using full disk encryption? And, does this computer have up-to-date anti-virus software installed?
Both Windows 10 and macOS offer options to create backups and restore data at need. Microsoft calls the feature Backup and Restore, and Apple calls it Time Machine. Backing up your personal computer protects against hard drive failure. If your computer fails to start normally and the hard drive—or maybe the entire computer—needs to be replaced, you can restore from backup to put things back to the way they were before the drive died. Encrypting your backups guards against both hard drive failure and theft of the backup itself. Only an authorized person can recover data from an encrypted backup.
Full disk encryption guards against theft of your personal computer. By default, full disk encryption isn’t always enabled on Windows 10 or macOS. If you plan to store work documents on a personal computer using either of these platforms, enable full disk encryption—after creating an encrypted backup, of course. It’s called Device Encryption on Windows 10 and FileVault on macOS.
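A firm's IT staff can confirm this setting on a personal computer rather than take it on faith. The sketch below is an added example, not part of the original article: it reads the output of the built-in status tools (fdesetup on macOS, manage-bde on Windows) and reports whether the drive is actually protected. The sample outputs are constructed, and it assumes English-language tool output, drive C: on Windows, and an administrator prompt.

```python
import platform
import subprocess

# Constructed sample outputs, modelled on what the two tools print.
SAMPLE_FDESETUP_ON = "FileVault is On.\n"
SAMPLE_FDESETUP_OFF = "FileVault is Off.\n"
SAMPLE_MANAGE_BDE = """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
"""

def filevault_enabled(output):
    """True only if `fdesetup status` reports FileVault is On."""
    lines = output.strip().splitlines()
    # Conservative choice: any "in progress" line means not yet protected.
    return (bool(lines) and lines[0].startswith("FileVault is On")
            and not any("in progress" in line for line in lines[1:]))

def bitlocker_protected(output):
    """True only if the volume is fully encrypted AND protection is on.

    An encrypted volume with protection suspended ("Protection Off")
    leaves its key readable on disk, so it does not guard against theft.
    """
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return (fields.get("Conversion Status") == "Fully Encrypted"
            and fields.get("Protection Status") == "Protection On")

def check_this_machine():
    """Run the native tool; returns True, False, or None if unsupported."""
    system = platform.system()
    if system == "Darwin":
        cmd, parse = ["fdesetup", "status"], filevault_enabled
    elif system == "Windows":
        cmd, parse = ["manage-bde", "-status", "C:"], bitlocker_protected
    else:
        return None
    return parse(subprocess.run(cmd, capture_output=True, text=True).stdout)

if __name__ == "__main__":
    print("Disk encryption active:", check_this_machine())
```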
To protect the integrity of personal computers used for work, run some form of anti-malware or anti-virus software, even on a Mac. Windows 10 comes with Defender; however, you can find tons of articles online that will tell you “What’s the best anti-virus for Windows 10.” Similarly, you can find plenty of articles that will let you know the “Best Anti-Virus Software on Mac in 2020.”
Strengthening Your Home Office Network
It’s time to take another look at your home office setup. Over the past few months, I have spoken with dozens of lawyers who have home office setups that were in need of some serious attention. The foundation of a solid home office rests upon two things: (1) high-speed internet, and (2) fast, reliable Wi-Fi.
As someone who has spent years working on-site and remotely, having the fastest available internet has been a requirement for my household since the late 1990s. However, no one in my family would have predicted that we would—all of us—be remote workers in 2020. When your whole family is working remotely at the same time, you may discover that your internet speed requirements might need an adjustment.
Most consumer-grade internet is asymmetric, meaning that the download speed (how fast the internet comes into your home) is different from the upload speed (how fast things you send from your home go out to the internet). In most cases, download speed is much faster—nearly 10 to 20 times faster—than upload speed. Go grab your bill to see how fast your download and upload speeds are supposed to be.
So, how fast is fast enough? I’m glad you asked.
Let’s say you have a household of four people who need to be on Zoom meetings at the same time. A quick Google search for “Zoom bandwidth requirements” tells us that Zoom needs between 1.5 and 3 Mbps (megabits per second) when sharing and receiving video, for both download and upload, for a single screen. For most of us, upload speed is the limiting factor, which is what matters when we want to share our own screen with other meeting participants. So, 1.5-3 Mbps times four people in the house meeting at once means that you’ll need at least 6-12 Mbps upload speed. If you also want to allow someone in the house to stream Netflix, which is primarily a download service, you’ll discover that, “Netflix recommends a 3 Mbps connection for one standard-quality stream and 5 Mbps for a high-definition stream.” Practically speaking, if you have a plan like mine where you get 400 Mbps download and 25 Mbps upload, then you can run somewhere around a dozen Zoom meetings at once on your home network where each person is sharing their screen to other participants. And, you’ll also be able to stream a 4K Netflix movie without issue. However, if your home internet plan only gives you 5 Mbps of upload speed, you may need to make a change.
By the way, in this section, I assumed your internet service provider is delivering either DSL or cable internet. Satellite internet has reasonable download speeds, but slow upload speeds. If you have satellite internet, it may be best to let someone else do the screen sharing and for you to turn off your camera when attending Zoom meetings to preserve bandwidth.
Fast, Reliable Wi-Fi
Before we delve into a discussion about Wi-Fi, if you’re doing any important work at your home office, ensure that you have lengthy Wi-Fi passwords, both the password that’s required when a device joins your network as well as the one that allows you to change how your network is configured. Last year, it was reported that an eight-character password can be cracked in just two and a half hours.
Does your home have Wi-Fi dead spots, or places where the internet drops, is slow or spotty? If so, you may be in the market for a range extender. I’m not talking about an old-style range extender that creates a secondary network, with a name like “HomeWiFi_ext.” Instead, I’m talking about mesh networks.
A mesh network does the job of replacing your router, or of at least working in conjunction with a router that you already have. Most mesh networks come with two or three “nodes” that all work together to blanket your home in fast, reliable Wi-Fi. Each node covers roughly 1,500 square feet, and you can get as many nodes as you need to cover your home. They support modern Wi-Fi protocols, which can accommodate speeds of up to several hundred Mbps within a network. To say it in plain English, a mesh network gives every device in your home an equal shot at accessing the high-speed internet you are paying for.
Earlier this year I added two more nodes to my existing mesh network and extended my Wi-Fi to the garage, where one of my sons does most of his work. That investment was well worth the money. Our internet now extends throughout our backyard and into our front yard with no dead spots at all; it is rock solid.
And now the lightning round, where we touch on possible security concerns related to various remote access software.
Remote Desktop: VMware Horizon or Citrix
If you are using Remote Desktop or some form of virtual machine technology, the data you’re working on is stored on a computer elsewhere. To mitigate potential security issues, ensure that you keep the computer you are using up to date with software and security patches. And, if possible, don’t save your login password in your computer’s app.
If you are using Microsoft 365, my question is whether you’re saving anything to your local hard drive. On a personal computer, you can minimize risk by running software updates, working in the web browser rather than saving files locally, and signing out when you don’t need office data, assuming you share that home computer with anyone.
Enable 2-factor authentication wherever you can; it’s just the right thing to do.
Web Conferencing Software
Keep your web conference software up to date, regardless of the platform upon which you run it. To secure meetings, use waiting rooms, and when possible, use different web conference links for each new meeting.
The Bottom Line
Make security part of your mental model regardless of where you work. Think about locking your computer when you step away from it or signing out of services when you don’t need them. Review your home office for out-of-date systems and software, and ancient passwords that haven’t changed this decade. Take a fresh look at your home office to ensure that it is as up to date as your software.