How many times have you heard the Desiderius Erasmus quote “Prevention is better than cure”? The quote is usually applied to health and wellness, but it fits the challenge law firms face today in protecting client data. In our last post, we discussed the three phases of a data leak. In this post, we focus on Phase One, the aspect of mobile security where you have the most influence and impact: “Prevention.”
Simply put, addressing Phase One: Prevention allows you to choose your destiny. Preventing a data leak from happening allows you to avoid the painful stages of containing a threat and notifying clients. Here are four ways to prevent a data leak at your firm:
#1: Implement Mobile Device Management (MDM)
In life, we have many choices. However, in this instance, there isn’t much of a choice. MDM is a must-do in order to prevent a data leak. MDMs offer a range of features, some of which are essential and some that are not. Essential MDM features address specific threats and directly impact the likelihood or potential scope of a data leak.
MDM Essential Features:
- Two-factor authentication for device registration
- Jailbreak detection (not foolproof)
- Encrypted “App Containers” (make sure you disable offline access)
- PIN/Fingerprint to use App
- Remote Wipe (not foolproof)
- Restricting “thumbnail” images
- Restricting “Open In” functionality
- Mandating proprietary browser & email apps (users often work around these restrictions and create more security risks)
Beware of Offline Mode!
There is a widespread belief that if data is encrypted by the MDM, there is no need to notify clients about a data leak. But for an App to work offline, your MDM must store enough encryption material on the device to decrypt the data without contacting a server. If the device is lost, so is that encryption material, which nullifies the safe harbor provisions. Apps in Offline Mode are ticking time bombs. You will be in a better place if you do NOT configure your MDM to work offline.
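To make the offline-mode point concrete, here is an added example (not code from the original post or from any MDM vendor) that models the two container designs side by side. The ciphers, the `MdmServer` class and the sample matter are toy stand-ins constructed for illustration: the offline container has to keep a wrapped data key on the device next to the ciphertext, so a lost device carries everything needed to read the data; the online container keeps only ciphertext and a registration token, so the server can refuse to release the key once the device is reported lost.

```python
"""Added example (not from the original post): a toy model of why an MDM
app container that works offline must keep key material on the device.

The cipher and the server here are simplified stand-ins, not any real MDM's
design, and all names and data are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: a client matter the App would show offline.
MATTER = b"Client: ACME Corp / Matter 2014-0042 / privileged notes"
PIN = "4817"  # the user's unlock PIN (constructed)


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream.
    Stands in for the MDM's real cipher; fine for a model, not for production."""
    out = bytearray()
    for block_no in range(0, len(data), 32):
        stream = hmac.new(key, block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no:block_no + 32]
        out.extend(b ^ s for b, s in zip(chunk, stream))
    return bytes(out)


def _pin_key(pin: str, salt: bytes) -> bytes:
    """Derive a key-wrapping key from the PIN (PBKDF2, as offline containers do)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class DeviceImage:
    """Everything the MDM left on the phone: what whoever finds the device gets."""
    ciphertext: bytes
    salt: bytes = b""
    wrapped_data_key: bytes = b""    # present only in offline mode
    registration_token: bytes = b""  # present only in online mode

    def holds_key_material(self) -> bool:
        return bool(self.wrapped_data_key)


def provision_offline(pin: str) -> DeviceImage:
    """Offline mode: the data key is wrapped under a PIN-derived key and stored
    on the device, because the App must decrypt with no network available."""
    data_key = os.urandom(32)
    salt = os.urandom(16)
    return DeviceImage(
        ciphertext=_keystream_xor(data_key, MATTER),
        salt=salt,
        wrapped_data_key=_keystream_xor(_pin_key(pin, salt), data_key),
    )


def read_offline(image: DeviceImage, pin: str) -> bytes:
    """The image plus the PIN is enough to read the matter; no server is involved,
    so nothing server-side can stop it after the device is lost."""
    data_key = _keystream_xor(_pin_key(pin, image.salt), image.wrapped_data_key)
    return _keystream_xor(data_key, image.ciphertext)


@dataclass
class MdmServer:
    """Online mode: the server holds the data key and releases it only to a
    registered device. Reporting the device lost means forgetting its token."""
    registrations: dict = field(default_factory=dict)

    def provision_online(self) -> DeviceImage:
        data_key = os.urandom(32)
        token = os.urandom(16)
        self.registrations[token] = data_key
        return DeviceImage(
            ciphertext=_keystream_xor(data_key, MATTER),
            registration_token=token,
        )

    def revoke(self, image: DeviceImage) -> None:
        self.registrations.pop(image.registration_token, None)

    def read_online(self, image: DeviceImage) -> Optional[bytes]:
        data_key = self.registrations.get(image.registration_token)
        if data_key is None:
            return None  # revoked: the ciphertext on the device stays sealed
        return _keystream_xor(data_key, image.ciphertext)
```

Run `provision_offline(PIN).holds_key_material()` against `MdmServer().provision_online().holds_key_material()` to see the difference the post is describing: only the offline image answers true, and only the online image can be sealed after the fact by `revoke()`.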
#2: Select the Right Mobile Apps
Consider this scenario:
You would like to offer your attorneys the ability to enter time on their mobile devices. After evaluating several available Apps which offer this functionality, you narrow the list to a couple of options:
- App #1: Stores all* clients/matters on the device in order to support “offline mode.”
- App #2: Does not store any data on the device and thus does not support “offline mode.”
*Why do we say ALL of your clients? App #1 stores all matters on the device. Remember: which companies is Google trying to buy? What is Apple working on? What is Bank of America up to? All of your matters are on the device, so all of your clients are affected by the leak. This is because App #1 decided to store that data on the device, and you decided to deploy App #1.
How can you evaluate mobile apps in order to determine if they are the best fit for your firm? Ask yourself two simple questions:
- Is it possible to eliminate or minimize the amount of data Apps store on devices?
- Will it minimize App access to your backend systems?
At the end of the day, MDMs do not do anything by themselves. It is the Apps that provide the functionality your attorneys want. Selecting the right Mobile Apps is where you are going to have the most impact.
#3: Configure your Mobile Apps
Let’s pretend that you would like to offer your attorneys the ability to send and receive email on their mobile devices. Your Email app gives you several options regarding how many emails are stored on the device:
- Option #1: Stores 30 days worth of email on the device.
- Option #2: Stores 3 days worth of email on the device.
- Option #3: Does not store any email on the device.
Another area that can have a considerable impact is the proper configuration of your mobile Apps. The criterion has not changed: you still want to minimize the amount of data stored on the device. Whatever configuration option you select, you need to be able to tell which clients have been affected. With email, this is relatively simple. You can go to your Exchange server, find out which emails this user sent or received within the retention window, and from those determine which clients are affected. If you chose 30 days, maybe that affects 100 clients; if you chose three days, maybe 10. There is a big difference between notifying 100 clients and notifying only 10. That is why we say that how you configure your mobile apps has a huge impact. Of course, if you chose Option #3 and store no data at all, you are in the best possible position.
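The scoping step described above (and the "all matters on the device" case from #2) can be written down as a small computation. The following is an added example, not code from the original post: given one attorney's message metadata and a domain-to-client mapping, it returns the set of clients whose mail was on the device when it was lost, under each retention option. The mailbox records, client mapping and dates are constructed sample data; in practice they would come from the Exchange message-tracking logs and the firm's conflicts or CRM system.

```python
"""Added example (not from the original post): scoping which clients are
exposed by a lost device, given how much mail the App was configured to keep.
All records below are constructed sample data."""
from datetime import date, timedelta
from typing import Optional

# Constructed: counterparty domain -> client, as a conflicts/CRM system would hold it.
CLIENT_BY_DOMAIN = {
    "acme.example": "ACME Corp",
    "globex.example": "Globex",
    "initech.example": "Initech",
    "umbrella.example": "Umbrella",
}

# Constructed message metadata for one attorney's mailbox: (date, counterparty address).
MAILBOX = [
    (date(2014, 5, 30), "cfo@acme.example"),
    (date(2014, 5, 29), "gc@globex.example"),
    (date(2014, 5, 28), "gc@globex.example"),
    (date(2014, 5, 20), "legal@initech.example"),
    (date(2014, 5, 5), "ceo@umbrella.example"),
    (date(2014, 4, 25), "ceo@umbrella.example"),      # older than 30 days
    (date(2014, 5, 29), "newsletter@vendor.example"),  # not a client
]

LOST_ON = date(2014, 5, 30)  # constructed: the day the device was reported lost


def client_for(address: str) -> Optional[str]:
    """Map an email address to a client via its domain; None if not a client."""
    domain = address.rsplit("@", 1)[-1].lower()
    return CLIENT_BY_DOMAIN.get(domain)


def affected_clients(mailbox, lost_on: date, retention_days: Optional[int]) -> set:
    """Clients whose mail was on the device when it was lost.

    retention_days=None models an App that keeps everything (App #1 in the post);
    0 models Option #3, which keeps nothing on the device."""
    if retention_days == 0:
        return set()
    exposed = set()
    for when, address in mailbox:
        if retention_days is not None and lost_on - when > timedelta(days=retention_days):
            continue  # message had already aged off the device
        client = client_for(address)
        if client:
            exposed.add(client)
    return exposed


def notification_scope(mailbox, lost_on: date) -> dict:
    """Compare the configuration options from the post side by side."""
    return {
        "everything": affected_clients(mailbox, lost_on, None),
        "30 days": affected_clients(mailbox, lost_on, 30),
        "3 days": affected_clients(mailbox, lost_on, 3),
        "none": affected_clients(mailbox, lost_on, 0),
    }


if __name__ == "__main__":
    for option, clients in notification_scope(MAILBOX, LOST_ON).items():
        print(f"{option:>10}: {len(clients)} client(s) to notify -> {sorted(clients)}")
```

On the constructed mailbox the 30-day option exposes all four clients, the 3-day option two, and the no-storage option none, which is the 100-versus-10-versus-zero comparison in the post, only with the numbers coming out of the data rather than guessed.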
#4: Conduct User Training
At best, this method is indirect. However, user training does give you the opportunity to influence the behavior that affects security outcomes. When it comes to security, user behavior is always part of the equation, and it is your responsibility to find the optimal overall security posture.
Remember, the best way to deal with a data leak is to prevent it from happening in the first place. While there is no sure-fire way to prevent a breach, there are several opportunities for you to protect your firm’s data.
How have you prevented data breaches at your firm? Share your comments below.