A senior partner plugs his tablet into a public charger at the airport, hoping to have enough juice for the flight. A junior partner dashes off a quick work email on her phone before handing it to her 7-year-old, who downloads a brand new game. A summer associate, after spending all summer downloading unsecured documents onto his personal tablet, leaves the firm to head back to school.
Each one of these people, without realizing it, just put all of your firm’s data at risk. This is why your firm needs a Bring Your Own Device policy.
Living in a BYOD Policy World
It’s easy to understand why companies and law firms like BYOD (“Bring Your Own Device”). The firm gets increased productivity—allowing employees to perform tasks remotely at any time of the day, with decreased cost.
However, BYOD also introduces numerous new variables into your security system. Any of the situations discussed above provides an opportunity for hackers to bypass all of your expensive cyber security systems.
These new threats come at an already dangerous time for law firms. Because their security is generally more lax, law firms are increasingly seen by hackers as a potential “soft underbelly.” Your firm has confidential information on your clients’ patent applications, trade secret lawsuits, employment discrimination history, medical records, bank account information, etc.
Most importantly, your firm’s data is full of Personally Identifiable Information, or PII (otherwise known as all the basic questions your bank asks you before authorizing that big purchase you just made).
The price of being hacked is going up as well. Last year, Target reported that malware had allowed a group of hackers to obtain the credit and debit card information for over 100 million customers. While the financial toll was high, the damage to Target’s reputation may have been higher.
It’s worse for law firms that, unlike a national retail chain, depend on their reputation. With more states and ethics rules requiring prompt and complete disclosure of potential security breaches, how eager are you to tell your biggest client that her company’s information is now being auctioned off by Russian hackers?
You Need A Plan
There’s no way to make your information completely secure, but you can minimize your risks.
There are four key steps:
Yes, this is serious business, but overreacting can make the problem worse. Overreactions rarely solve the problem they seek to address, and usually have numerous unintended consequences. Bad ones.
Assess Your Risks
What are your risks? What are your capabilities? Figure out what you need, and what your firm’s resources can handle.
Plan For The Future
Set up your policy in a transparent manner. Everyone has to know what it says, who runs it, and how it’s changed. Most importantly, everyone needs to understand why it’s important and how their compliance with the plan is essential.
Implement A Policy
One weak link in the chain can bring the whole thing down, so you need everyone’s buy-in for this to work. Don’t exempt anybody. Particularly at the top.