According to the ABA’s 2015 Legal Technology Survey Report, nearly 40 percent of lawyers in the U.S. use public Wi-Fi to access client data, but only 22 percent are using an encrypted connection. Clearly, mobile security isn’t always front-of-mind for all lawyers.
Understandably, information governance isn’t exactly a big part of the law school curriculum. But with high-profile data breaches affecting law firms regularly making the news, as well as the wealth of confidential client data firms are sitting on, lawyers can no longer afford to sit idly by and hope for the best.
Mobile lawyering offers a range of benefits, but in order for your mobile practice to be successful—and ethical—you need to ensure your mobile device is secure.
We feel very strongly about security at Clio. To protect user data:
- We’re audited every day by McAfee Secure to help ensure your data is protected from security vulnerabilities and other online threats.
- All information travelling between your browser and Clio is protected with 256-bit Secure Sockets Layer (SSL) encryption, and is validated by Norton Secured by Symantec.
- We have multiple servers backing up your data in real time to provide geographic redundancy (i.e., if a server in one location fails, the server in the other location will still keep your data intact).
- And more.
However, there’s a limit to what your legal practice management provider can do to protect your data—there are also key steps you need to take yourself.
It’s your practice on the line, so please take action on the mobile security tips in this list immediately if you have not done so already.
The importance of mobile security for lawyers
Joe Kelly wrote an article with Law Technology Today suggesting that lawyers specifically are doing many things to compromise their firm’s security. These include opening attachments from unknown senders, using poor software solutions, and storing unencrypted firm data directly on their devices.
That’s a problem, as cyber threats are on the rise for mobile devices. A Nokia report released earlier this year looked at malware infection rates across all mobile devices, and found that the number of malware infections that took place in the first half of 2016 doubled compared to the second half of 2015. Android phones (74 percent) were mostly at risk, but Apple (4 percent) and Windows devices (22 percent) weren’t safe either.
In fact, many of the greatest cyber threats target mobile devices specifically, with attacks designed to track location and monitor text messages, emails, and even screen activity.
But it’s not just malware that puts firms at risk. Mobile devices are easy to misplace or leave behind—and they’re easy to conceal. With just one moment of absentmindedness, you could forget your phone or tablet in a cab, leaving your clients’ data vulnerable.
This is more common than you might think. According to a report from Bitglass, 25.3 percent of data breaches in the financial services sector since 2006 have been a result of lost or stolen devices.
Tips to secure your mobile phone
“Tips” might actually be a bit of a misnomer. Without taking the proper precautions, lawyers who work on mobile devices may be inadvertently leaving confidential client information at risk of public exposure.
However, by taking a few key steps—and by keeping a few rules in mind—you can secure your mobile devices and know you’re keeping client data safe.
1. Use common sense
This might seem fairly straightforward, but it’s worth mentioning: Be careful when working with client information in public. This alone will go a long way towards keeping your mobile device secure.
Don’t speak loudly about the details of a case, and don’t work where others can easily look over your shoulder (you never know, opposing counsel could be sitting right behind you).
2. Password protect your phone (and tablet and laptop)
This is a basic step, and you need to do it now if you haven’t already.
Which brings us to step three …
3. Use strong passwords
Your password shouldn’t be your first name, or 1234, or anything else that someone trying to get access to your data could easily guess. Ideally, your password should have:
- A mix of numbers and upper and lower case letters
- More than 12 characters
- No dictionary words (better: no words at all)
A password manager, such as KeePass, can help you keep track of tough passwords.
Ideally, you should also be changing your passwords often. This way, if someone does get a hold of your password, they won’t have access to your account for long.
In Clio, you can require that users use strong passwords, and you can set these passwords to expire after a given amount of time. Monthly, for example.
4. Use two-factor authentication
Even the strongest passwords can be hacked. That’s why it’s a good idea to enable two-factor authentication for an extra layer of security for all your accounts.
Two-factor authentication requires not only your password, but a temporary code that gets sent to your mobile device as well, via text message, or via the Google Authenticator app. The codes usually only last 10–15 seconds before a new one is required. If a person trying to access your account guesses your password, but they don’t have your mobile phone, they won’t be able to access your account.
While we say “extra layer of security,” the practice of adding two-factor authentication is actually becoming fairly standard. In fact, as of November 15, Clio will require that all users use two-factor authentication to access their accounts (we’re removing the ability to access accounts with email verification codes, as this is not secure enough).
5. Encrypt your devices
Encryption might sound technical, but it’s actually fairly easy to encrypt your mobile device.
First, make sure you have a lock-screen password (see notes on strong passwords above). This is your first line of defence—if someone gets a hold of your device, they won’t be able to access it without your password.
Second, enable encryption on your device. It’s simple: Just follow the steps on your provider’s website:
If you have an Android device, instructions will vary depending on the phone you have. Look for instructions on how to turn on encryption on the phone manufacturer’s website, or simply search online for articles outlining the steps (here are the steps for a Samsung S6).
If you haven’t done this yet, do it now. Right now.
Don’t stop at your mobile device. Encrypt your laptop hard drives and USB drives as well:
- Encrypt your Mac’s hard drive by turning on FileVault.
- Encrypt your PC hard drive by using the professional version of Windows (device encryption should be automatically enabled, but you can double check with these steps).
- Encrypt USB drives using Bitlocker.
Finally, for an extra layer of security, you can use CloudMask. Even in the event of a data breach, data that has been “masked” by CloudMask remains protected, meaning that you can rest easy even in a worst-case scenario.
To be clear, if you’re using cloud-based tools on your mobile devices—such as a cloud-based practice-management solution like Clio—your data will be extremely secure (see the measures we take above). For some, it simply might provide additional piece of mind to invest in another security tool.
6. Communicate via secure channels
Now that you’ve encrypted all of your mobile devices, you’ll need to make sure you’re communicating via secure channels as well.
When sending client data back and forth, unencrypted messages and emails are vulnerable to interception. It’s best to use a secure portal like Clio Connect to share client information, and a secure messaging app like the Signal App from Open Whisper Systems to send short messages.
7. Have a BYOD policy
If you’re working with partners, associates, or staff, they may be using their personal mobile devices to do work and access firm data. You need a Bring Your Own Device (BYOD) policy to govern how this works—and what to do in the event of a data security breach.
At a minimum, your policy should require that:
- All lawyers and staff use firm-specified services to work with client data. There are over 2 million apps out there, many of which can help make your working life easier. But not all are safe to use with client data. Choose wisely, and make sure the rest of your firm respects those choices.
- All devices have a remote wipe option enabled. If someone steals your paralegal’s phone, what do you do? You need to be able to remotely wipe all data from the device to protect sensitive client information.
- All devices are encrypted. Again, this is super important. You should encrypt data on any and every device you work with client data on.
8. Keep apps and operating systems up to date
Older apps and operating systems are more vulnerable to attack. Consider: Israel’s NSO group was at one point selling software that could spy on iPhones without being detected. Passwords, emails, text messages, phone calls, and even the location of the phone were all put at risk—for those who hadn’t upgraded their iOS software.
Always. Update. Your. Apps.
9. Back up firm data
Finally, always back up your firm data to an encrypted location. This way, you’ll have access to most of your data in the event of a ransomware attack.
Ransomware infects your computer and encrypts all of its data. A hacker then demands payment to unencrypt the data. Maybe they’ll actually unencrypt the data if you pay them. Maybe not.
In addition to keeping your firm’s data more secure, this will provide a backup in the event that your phone and laptop happen to die on the same day. Backups should be done weekly, at a minimum, and should ideally be automated.
These mobile security tips are a great starting point for keeping your mobile law firm secure, and you should definitely take action on all of them now to ensure your client data is protected.
That said, make sure to do your own research and find other ways of keeping your mobile practice secure as well. Technology changes much faster than the law, but by staying one step ahead with your security standards, you can enjoy peace of mind while running a mobile practice.
Mobile security is just one key part of running a mobile practice. Get everything you need to know by downloading your free copy of our white paper, The Mobile Revolution: What Law Firms Need to Know.