By Catherine Sanders Reach
Solo and small firm practitioners might think that systems security is not a priority for them. But in today's world, no one is safe from thieves, hackers and malicious intruders. Here are steps for protecting your practice and your clients.
Among all the many things involved in running their law offices, solo and small firm practitioners might think that systems security is not a priority. But in today's world, no one is safe from thieves, hackers, phishers and other malicious intruders. A lawyer's duty is to protect the confidentiality of clients, which extends to the clients' information. Because much, if not most, of the information in a law practice is in electronic form these days, you have an ethical obligation to safeguard the client data on your computer systems against security breaches.
The first step toward good security practices is awareness. While computer automation of a law practice brings great advantage in your ability to zealously represent clients, it comes with some inherent danger. You need to recognize this and adopt appropriate policies and measures to protect your practice and your clients. Think of your practice as your castle—here are pointers on how to lock the doors, bar the windows and dig a moat.
Hardware is vulnerable in many ways. Laptops, desktops, servers, storage devices such as thumb drives and external discs, and cell phones and handheld devices hold tremendous amounts of firm data. Ask yourself, "What if anyone was to get unfettered access to any of these items?"
Desktops and laptops. First, employ password protection for start-up on all your computers. It is a simple measure but one that is imperative. Strong passwords combine a string of at least eight characters, including uppercase and lowercase letters, numbers and symbols. Consider also using a password-protected screensaver, which is easy to set up under "Display Options" in MS Windows. Take some measure to tether or secure CPUs as well as valuable peripherals, such as monitors.
Tether laptops to a desk or an immovable object, too, whether in the office or on the road. Targus ( www.targus.com/us/accessories_security.asp) makes a number of devices for this purpose. While this measure is not infallible, it will hamper a thief, who is looking for the path of least resistance. When you are traveling with a laptop, use a nondescript travel bag and keep an eye on it. Make a habit of backing all the information on your laptop up onto the office server or an external device. A new service, LoJack for Laptops from Computrace ( www.lojackforlaptops.com), includes a piece of software that will "phone home" if the laptop is stolen. This type of security will give you a fighting chance to retrieve a laptop should it be stolen.
Storage devices. Small storage devices such as thumb drives, discs and the like can hold a tremendous amount of data. But they are also easy to lose. Password-protect these devices, and consider encryption if you frequently place confidential information on them. You can download a freeware encryption software such as TrueCrypt ( www.truecrypt.org), or purchase an encryption-enabled thumb drive from Lexar ( www.lexar.com). Also, consider a keychain device, lanyard or carrying case.
Cell phones and handheld devices. Today's cell phones, smart phones and PDAs also carry tremendous amounts of information. Contacts, calendars, documents, phone numbers and other data are all easily accessible on the go to users of these devices. Password protection is imperative to keep that data secure, even though it can seem like a hassle. New options, such as the ability to lock down or wipe the hard drive of the device upon failed login, are now available.
Computer disposal. Many lawyers dispose of old equipment by donating it to schools or charities, selling it on auction sites like eBay, or simply throwing it in the garbage. Keep in mind that "deleting" the data on a hard drive or even reformatting the drive does not delete the information. To truly remove data from a hard drive, users must "wipe" the drive by using software, such as Darik's Boot and Nuke ( http://dban.sourceforge.net), that overwrites the data. Keep in mind that peripheral devices such as smart phones and cell phones must also be wiped, following the manufacturer's instructions. Likewise, thumb drives, CDs and DVDs must be erased before disposal.
Firm documents are the lifeblood of any law practice. Accordingly, you want to implement measures to control access to them. First, consider a document management system or case management system. These systems have built-in capabilities to restrict specific users' access to specific folders. Programs such as Worldox and iManage may be overkill for a solo practice or small firm, but they do offer security, as well as a searchable, indexed archive of documents with versioning and many other extremely useful features. Some practice management packages, including Time Matters and Amicus Attorney , also have more rudimentary document management functionality and, at the least, create a place to save documents in a protected environment.
When working with a truly sensitive document, be aware that traces of the document will still be left on your hard drive after you delete it. You can use a wiping program, but be aware also that copies may have been sent out via e-mail, saved in multiple folders, and reside in any number of places, in a number of formats. Fortunately, all documents that are created electronically, whether originally generated by software or scanned in, can be protected. In Microsoft Office, Adobe Acrobat and WordPerfect, documents can be password-protected at a number of levels. Note that saving a Word or WordPerfect document to PDF does not automatically protect the PDF document. You must apply appropriate security in the conversion program for full protection. For documents that are particularly sensitive, consider encryption, which provides more protection than the above programs. You can also encrypt folders, so that you place sensitive documents in a single folder and encrypt that folder.
In addition, consider "locking down" access to confidential data that employees do not need access to on the firm's network. Information on a network can be limited by password, so that you only allow employees access to what they need. Remember, too, an unpleasant reality is that employees who are leaving the firm may attempt to download information such as contacts and documents on the way out. If an employee is terminated, limit access to computer files and documents immediately. Also, untrained or unaware employees can inadvertently jeopardize firm data, either by downloading a keystroke logger, by allowing unauthorized access to firm documents, or by using e-mail or instant messaging to reveal confidential information. Set policies to help keep such activities at bay.
E-mail constitutes much of the communication that goes on today. Unfortunately, e-mail is also the breeding place for all sorts of security risks and issues. Spam, phishing, viruses, Trojans, worms and other threats flood users' inboxes on a daily basis. You have two major forms of defense: common sense and up-to-date antivirus software.
Common sense will help protect you in many cases. Never open an attachment unless you know who sent it and are expecting it. If you are unsure, call or e-mail the sender to double-check. Be aware of phishing attempts, which are made by unscrupulous people trying to trick unsuspecting users into following a link where they inadvertently download spyware or a virus, provide information such as user names, passwords and confidential information, or both. By now, you can be assured that most financial institutions and large e-commerce companies will not e-mail you to request account information. If you are unsure, open a browser window, type in the name of the institution, and follow links to your account information or call to double-check.
Up-to-date antivirus programs, such as McAfee, Symantec, ZoneAlarm and Trend Micro range in prices and all give adequate antivirus protection. Whatever program you use, make sure that the definitions stay up to date. Automate that process so that you do not have to wonder. And consider a spam filter even beyond those resident in your e-mail software, to eliminate this nuisance.
Here is another security concern for e-mail: Inadvertently sending e-mail to the wrong recipient can be as damaging as any security breach. Programs such as Microsoft Outlook try to "help" you by suggesting e-mail addresses as you type into the "To," "Cc" or "Bcc" fields. These suggestions are based not only on your address book, but also on people you have e-mailed or received e-mail from recently. If you find that the system often prompts you to send an e-mail to Lisa Jones, opposing counsel, instead of Lisa Jones, your client, consider turning this auto-complete feature off. At the very least, be excruciatingly aware of who is in the recipient fields before hitting the Send button on any e-mail.
Also, if you are using privacy disclaimers, consider putting them at the beginning of your messages, rather than at the end. If you are sending sensitive information via e-mail, you can encrypt it or attach an encrypted or password-protected document to the e-mail. And be very, very careful what you say in e-mail because it is easy to forward and copy. There are many, many examples of e-mail used against the sender. A rule of thumb is to never send an e-mail that you wouldn't want published on the front page of The New York Times.
The Internet is a great tool for research, collaboration, marketing and transactions. Unfortunately, it is also the playground for nefarious characters. Spyware, malware, keystroke loggers and rootkits are but a few of the dangers lurking in the dark alleys of cyberspace. You have a few key defenses.
If you use Microsoft Windows, you need to automate Windows Updates. Hackers, script kiddies and others find new exploits for Windows frequently. True, some updates can cause computer problems, but if you do not have IT staff to evaluate the updates, it is best just to accept them. If you use Internet Explorer, you should disable Active X in the browser. (Look under Tools-Internet Options-Security and check your default settings for the Internet.) Let's say that you're running Microsoft Windows but use an alternate browser like Firefox, instead of Internet Explorer. Be aware that you must still keep Windows updated, since the Explorer browser is part of the operating system and can still be exploited, even if you don't use it.
Install a software firewall, such as ZoneAlarm or McAfee, to limit outward and inward traffic over the Internet. Also install antispyware programs like PestPatrol or Spysweeper. Regardless of the product, you need to look for something that will update and run automatically. Some free products, such as the popular Spybot and the free version of Ad-Aware, must be updated and run by the end-user. And you know that you can pick up drive-by malware from simply visiting an infected Web site, right? Rootkits and other forms of malware are becoming almost undetectable. McAfee has come out with a free tool called McAfee Site Advisor ( www.siteadvisor.com) for Internet Explorer or Firefox that shows the safety ratings of sites, displaying red, yellow or green indicators in the browser toolbar to warn of known malicious sites or potential danger. In addition, it applies the same alerts to Google, Yahoo and MSN search results, so you are forewarned before you even click on a link.
When downloading software from the Internet, especially freeware, be sure to check the end-user license agreement (EULA) to make sure you are not inviting spyware or adware into your computer. Only download programs from reputable sources. Before you install any new downloaded software, run an antivirus check on it.
Many lawyers are enjoying the freedom and advantages of wireless networking in their offices and at home. However, wireless networks come out of the box with little security enabled. If you're using a wireless network in your practice, take precautions to secure it, since anyone in the vicinity can access an open wireless network. Enable encryption, change all default settings, limit the number of open connections to the number of users on the network, and use hardware and software firewalls. Consider consulting with an IT professional if setting up a secure wireless network is beyond your skill set.
Security Is Not a Technology, It's a Process
Security breaches, theft, time lost in recovering from a virus infection, and exposure of clients' confidential data are just some of the security threats in modern computing. Solo and small firm practitioners need to prepare an action plan to protect, prevent and recover from security issues. Create a policy and consult a security professional so that best practices are being followed to protect your firm and your clients. For more information, see the webliography of security resources at: