This post is the first in a four-part series where we explore challenges in mobile security faced by law firms today.
Cybersecurity in its most simple explanation is the need to protect against the bad guys. But what is it that these “bad guys” want?
They want data.
Data is a form of internet currency, which can be used for either good or bad. Cybercriminals are after data that empowers them to achieve their objectives, which range from obtaining credit card numbers or a foothold in an organization that will allow them to access critical information.
As a law firm, your client’s data is extremely appealing. This type of data is special because it creates ethical/legal and –very important- notification requirements. If you lose your client’s data, you are ethically, and in some places, legally obligated to pick up the phone, call your client, and say: “sorry, we lost your data”. You do not want to be the person making that call, and you do not want to be the person that gets the blame for putting the managing partner or the billing attorney in the position where they *have* to make that call.
If you focus on the DATA and on the consequences of losing it not only for your clients but also for your firm, it will help you make the right day-to-day decisions about how to protect it.
So, how does a data leak unfold, and how can you protect your firm?
When we look at the anatomy of a data leak, we are going to see three major phases.
Phase One: Prevention
During this phase, you install a Mobile Device Management solution, you select the right Mobile Apps, you train your users, etc. You have lots of options and you have lots of decisions to make here. This is your opportunity to make a difference and to choose your own destiny.
- Mobile Device Management (MDM): MDM is a must and it is something we encourage you to implement. The most important thing is to make sure you configure it to NOT work offline.
- Selecting the Right Mobile Apps: At the end of the day, MDM does not do anything by itself. It is the Apps that provide the functionality your attorneys want. Selecting the right Mobile Apps is where you are going to have the most impact.
- Configuring your Mobile Apps: Another area where you can have a big impact is in the proper configuration of your mobile Apps. You should focus on minimizing the amount of data stored on the device.
- User Training: This is your final area of influence. Train often, but do not expect wonders. Assume user failure.
Phase Two: Containment
When an incident occurs, you enter the containment phase. Here is where you do your remote wipes, password resets, etc. One thing you will notice is that this phase is mostly procedural and you do not get a lot of decisions to make. Most of your decisions will happen during prevention, not during containment. So if you want to make a difference, focus on prevention.
Phase Three: Notification
Finally, after the leak has been contained, you go into the notification phase, where you tell your clients about it. Nobody wants to be in that situation, so let that be the motivation to help you make the right decisions during the prevention phase, because during the Notification phase, you also do not get to make many decisions.
In future posts, we’ll take a deeper look at each of these phases, and how you can best take action against negative outcomes.
Catch up on the whole Mobile Security Post Series here: