Data accessibility is a double-edged sword
By Thomas Berman, Principal, Berman & Associates
Security issues for any law firm fall into two primary categories today. The first is the threat to the firm’s computer servers, the basic computing structure of the firm. The second relates to mobile computing and the growing availability of applications for such devices.
Managing computer security for the firm’s core computing operation is, in a sense, more controllable (though certainly not easy). There is a multitude of systems that are designed to provide defence against malware, denial-of-service or direct attack. Web filtering, virus scanning and spyware screening are a necessary part of a well-designed system, but security remains a continuing and extremely urgent concern.
Changes need to be made on a regular basis to ensure processes and procedures are in place to authenticate or verify network users. It must also be verified that more than one subsystem has to be violated to compromise the integrity of the entire system.
Security protocols must be installed correctly, evaluated constantly for a period of time and then maintained at the appropriate level of watchfulness. In other words, it’s not a one-time effort. It has to be continually renewed in order for IT staff to further develop capability for responding to incidents, mitigating damage, recovering systems and creating a regular process to assess, remediate and monitor the network’s vulnerabilities.
The second category is a good deal more complicated, simply because of the enormous growth in mobile computing devices. Two years ago, security concerns related primarily to laptops, particularly confidentiality of client and case information and the repercussions of failing to protect that vital data.
Mobile computing platforms have now raised that risk of loss severalfold. A tablet computer or a smartphone presents the same threats to firm security that a laptop may have presented just a short time ago, or even greater ones.
However, one important development today is cloud computing. Although the jury is still out on the level of security it provides, this development may offer at least a partial answer to the tremendous threat of data loss and theft from mobile devices.
Cloud computing takes the form of web-based tools or applications that users can access and use through a web browser, as if the programmes were installed locally on their own devices.
Simply put, the data used by lawyers or staff involved does not physically reside on the mobile device (conveyance). Instead, to access information from the cloud, the individual must comport with appropriate protocols to access and utilise the information, which then stays safe from the eyes or computers of prying third parties. If the device is lost, there shouldn’t be any loss of data and, more importantly, there’s no obvious portal into the firm’s proprietary information base.
This in turn gives the firm the necessary ability to limit access to individuals and the ways in which they may wish to access client and case information. Services such as those at AT&T, Barracuda, Postini and Proofpoint, all of which are cloud-based email scanning solutions, provide substantially more control and protection from spam, viruses, phishing and denial-of-service attacks. In fact, these services may be part of a complete package that protects both the servers and mobile devices.
None of this, of course, replaces care in the handling of data, given the potential for disaster through charges of violating HIPAA (personal health information statute) requirements, for example.
Law firms (through their IT teams) must still train everyone in the need for security in the operation of their practice. There is indeed a balancing act that plays out, particularly with the development of mobile computing.
For the first 15 years in the history of the utilisation of ‘personal’ computers, the object was to make information available to everyone whenever they needed it. Now, the challenge is to provide the necessary information on demand, but to do it in such a way that it is still in a protected environment. We’re a long way from a settled proposition.
tberman@bermanassociates.net