October 2018 • Volume 106 • Number 10 • Page 22
Safe, Secure, and on the Go
Lawyers must lock down devices whether working from the office, home, a hotel room, or a coffee shop.
Gregg Garofalo, founding partner of the Garofalo Law Group in Chicago, handles a portion of his estate planning, probate, and real estate law practice from a second home in northwest Georgia, not far from Chattanooga, Tennessee.
The firm's four other attorneys also work remotely for various reasons, such as having small children at home. They all use personal cell phones and firm-issued laptops and tablets for work.
Highly mobile attorneys like Garofalo and his colleagues take a variety of steps to set up their devices, servers, cloud storage services, email, and other client communication tools to ensure they're cyber-secure and safe from hackers.
"All of us travel a lot," says Garofalo, who maintains a physical office across the street from the Daley Center in downtown Chicago. "I don't know where [my colleagues] work on their days out of the office. …All of our attorneys have a firm-issued iPad and either a MacBook or [other] laptop issued by us or configured by us. They have their own cell phone."
Due to his own knowledge and the serendipity of having an information technology (IT) consultant down the hall from his Loop office, Garofalo has handled his own cybersecurity. But that's about to change. "It was just research, and reading up on it, and talking to other attorneys and IT companies," he says. "We are in the process of hiring an IT company to take it over. It takes a lot of time. We need somebody who's more focused on it."
While attorneys and law firms need to be focused on, and aware of, cybersecurity, they often must turn to specialists to ensure their devices, storage, and communication tools are adequately locked down, according to lawyers like Garofalo and technology experts.
"You need a general understanding of what information the firm maintains," says Joe Marquette, president of Accellis Technology Group. "The type of exposure that data represents directly ties to the type of defensive technologies, policies, and procedures that you want to employ, and that directly affects what policies need to be employed from a mobile standpoint."
Although Garofalo has handled most of his own cybersecurity until now, he has used a firm called firewalls.com to erect, manage, and update the firm's firewall (for $80 per month). To keep the firm's devices' connections encrypted, the IT vendor configures each one with access to a virtual private network (VPN), which is necessary when working in a coffee shop or any other public space that provides an unsecured Wi-Fi network, he says.
"If there are issues or possible breaches, or somebody opens something they shouldn't have, his consultants come in and take a look," Garofalo says. "The firewall company is great because they're not that expensive. They manage the firewall and take care of anything. That's invaluable. We've never had an issue with our firewall since we hired them."
The VPN provides another layer of protection for those outside the office, assuming attorneys use it. "Sometimes it's easier to just open up your laptop, turn it on, and get something done. But I think everybody's pretty good about it," he says of his colleagues. "Most attorneys that are practicing, starting out, they can buy a laptop, buy a cell phone, and open up shop in Starbucks. But you have to be careful with regard to unsecured networks." He adds that his firm prohibits attorneys from using cell phones to transmit client information.
Burton Kelso, a technology expert, speaker, and entrepreneur who will present "Six Smart Tips to Keep Your Mobile Law Firm Connected" at ISBA's Solo & Small Firm Practice Institute on Oct. 26 in Carbondale (see isba.org/soloinstitute), says firms and attorneys should invest in either a wireless access point from their mobile provider or install a VPN on their mobile devices. "It depends on how you want to access your network," he says. "If you're accessing firm-sensitive data, you don't want to take any chances." He suggests NordVPN and TunnelBear as good VPN options.
Paul Unger, an attorney and founding partner of Affinity Consulting Group, cites an ethics decision from California that prohibits lawyers from using public Wi-Fi unless they are sending and receiving data over a VPN. "What we recommend is that if it's highly sensitive, if it's highly damaging, if it's intellectual property, and you connect to Wi-Fi, you should be sending through an encrypted tunnel," Unger says. For $10 per month, a firm can subscribe to services such as ExpressVPN or, "excuse my language, HideMyAss.com," he adds. [Editor's note: Yes, HideMyAss.com is a real website.]
Kelso says that attorneys and firms should always upgrade their mobile devices and computers to the latest operating system version, since many updates include improved security features. Windows-based devices should be using the Windows 10 operating system, which includes updated firewall and antivirus software. Apple computers should be running on macOS High Sierra (to be replaced this fall by macOS Mojave). Apple users should especially pay attention "because Apple has a tendency to make their [older] devices obsolete once new software [versions] come out," he says. Apple's iPads and other iOS mobile devices need at least iOS 11 (iOS 12 was released on Sept. 17). Android devices also should be kept up to date "to make sure you're not susceptible to ransomware or viruses on the internet," Kelso says.
Anti-malware and anti-ransomware software that Garofalo's firm has installed on each computer scans for corrupted files and viruses every day. Kelso recommends that firms and attorneys password-protect and encrypt their devices. Android and iOS users enjoy automatic encryption once they password-protect their mobile devices, he says. But protecting Apple and Windows computers requires a more manual process. Encryption software is built into Apple devices, he adds, but users need to activate this feature in the device's settings. Windows users need Windows 10 Professional, which is equipped with a feature called BitLocker.
"For smaller firms, it's tempting to run out to Walmart" and buy any Windows-compatible device, Kelso says. "But it's better to order a business-class computer."
Marquette insists that any professional firm must use the "Pro" version of Windows 10. "That's not a good corner to skip," he says. "If the device is lost or stolen, information on [a Windows Pro computer] cannot be hacked. You create a safe haven for yourself as a firm when you encrypt all your mobile devices. …Anything that maintains client information, including laptops, phones, tablets: they all need to be encrypted. Period. End of story. No ifs, ands, or buts."
In case your laptop or device gets lost or stolen, encryption is especially important, Unger agrees. "You can't buy a mobile device today and not turn on or invest in encryption," he says. "Ten years ago, encryption was expensive, and hard. There wasn't a disciplinary board that would hold somebody accountable, probably. But today, under Rule 1.6 of the Model Rules, a lawyer has to take steps. It's free and it's incredibly easy."
iPhones need to have passcodes on them, and firms of any size, particularly those with bring-your-own-device (BYOD) policies, should use mobile device management to register their devices so that if they're lost, they can be tracked, and then wiped clean as soon as they are reconnected to the network. "That's a requirement: it's easy, it's inexpensive, and think about the kind of data we send and receive from these mobile devices," Unger says.
Firms that have a BYOD policy need to make sure those devices have the right system requirements to access their cloud storage, and be able to block an attorney who leaves the firm from accessing its data, Kelso notes.
The cloud is more secure than your office
Attorneys and law firms that have avoided cloud-based storage out of concern that moving their information offsite is risky need to realize their data would actually be more secure in the cloud, Kelso says. "Get used to the concept," he says. "Understand that if your information is in the cloud, it's not…out there for everyone to see. Cloud firms have built-in security."
Having said that, the free versions of cloud-based storage software such as Google Drive and Microsoft OneDrive are not very secure. Firms should avoid the temptation of these no-cost options, Kelso says. "Those services are more susceptible to being hacked. If you pay for their business-class cloud service, that's going to give you the security you need to access documents in the cloud," he says.
Unger says cloud storage vendors offer higher levels of security and technical sophistication than a law firm could ever achieve with an in-house server. Moving to the cloud "is going to give them secure access from home and from mobile devices when they're out and about," he says. "Those systems have encryption at rest and encryption in transit." They're going to be much more dependable than what you can create, he adds.
Law firms that recently have installed in-house servers and don't want to change still need to ensure their data is secure, Unger says. "They need to engage in a cybersecurity assessment," he says. "That involves penetration testing and vulnerability testing, and having an expert look at their network and making sure they're doing all the proper things to configure their software and hardware."
Mobile security is much easier and less time-consuming in the cloud, he adds. For those who prefer to stick with their own server, "I would encourage firms to think about migrating to the cloud as their hardware fails or needs to be replaced."
After moving to the cloud, firms should move toward cloud-based software for functions like timekeeping and billing, Kelso says. "If you can find a cloud version of your software, that makes it easier. You're paying a monthly fee to access data, and you have the peace of mind that your data is secure."
In-house servers also have become increasingly expensive, including IT maintenance fees and extra charges for add-ons such as client-access licenses, Kelso says. The Garofalo Law Group had servers for many years, but no longer.
"We're exclusively in the cloud, with the server as a backup," Garofalo says.
Training and communication
Then there's the human error side of cybersecurity. Garofalo has promulgated a policy that attorneys and staff should not open emails that seem the slightest bit suspicious. "My staff has gotten emails that look like they're from me, with my name on it and everything else." These emails might say, "Click here on this document." He adds, "You have to be really careful. On their work computers, including the desktops, we tell them, 'Don't download any software apps without checking with our office first.'"
Kelso says that while such policies are a good idea on firm-issued devices, those with BYOD environments in place can't exercise as much control. "If you've got your own [firm] equipment, you need to set policies so people aren't lousing up company laptops with viruses and spyware," he says. "If they are using their own equipment, you need to set a policy on whether the firm is responsible for repairing that device, or does the individual need to pay for that, if they infect their [own] computer [while working]."
Firms should hold occasional trainings, perhaps via webinars, to remind attorneys and staff to watch out for phishing schemes and other attempts at hacking, Kelso says. "If someone clicks on the wrong link, it can definitely compromise the law firm," he says. "You might want to employ an IT company to occasionally send out a fake email, to see if someone clicks on the link. If someone does, you might want to retrain the employee."
Fool me once...
Phishing emails are socially engineered to elicit a response, like the ones sent to Garofalo's employees that appear to come from him. "They see an email that they think is from the firm, they click on it, and the whole firm is at risk," Kelso says. "Education is the key. You can't just go out and buy a bunch of antivirus software and hope it's going to protect your firm."
Marquette advises firms to invest in services that educate end users on what fraudulent emails might look like and what types of social engineering attacks and techniques they need to watch out for. "And then, they need to send fraudulent emails to the end users, and the firm can see who opens them, and increase training and education of those individuals most likely to be fooled by an outsider," he says. Such policies must be somehow enforced, which not all firms do, he adds.
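Both Kelso (occasionally send a test email and retrain whoever clicks) and Marquette (track who opens the test emails and concentrate training on those most likely to be fooled) describe the same feedback loop, and the useful part for the firm is the scoring that follows each exercise. The following is an added example and not code from the article or from any simulation vendor: it summarizes an export of simulation results, computes per-person click and report rates, and ranks who should be retrained first. The log format, column names, campaign labels and user names are all constructed for illustration.

```python
"""Score the results of a simulated-phishing exercise and build the retraining list.

Added example, not the article's or any vendor's code. The log below is a constructed
export: one row per event, where event is sent, opened, clicked or reported.
"""
import csv
from collections import defaultdict
from io import StringIO

EVENTS = ("sent", "opened", "clicked", "reported")

# Constructed sample export (users, campaigns and timestamps are invented).
SAMPLE_LOG = """\
timestamp,campaign,user,event
2018-09-04T09:00:00,Q3-invoice,alice,sent
2018-09-04T09:00:00,Q3-invoice,bob,sent
2018-09-04T09:00:00,Q3-invoice,carol,sent
2018-09-04T09:12:31,Q3-invoice,alice,opened
2018-09-04T09:13:02,Q3-invoice,alice,clicked
2018-09-04T09:20:45,Q3-invoice,bob,reported
2018-09-04T10:05:10,Q3-invoice,carol,opened
2018-10-02T08:30:00,Q4-signature-request,alice,sent
2018-10-02T08:30:00,Q4-signature-request,bob,sent
2018-10-02T08:30:00,Q4-signature-request,carol,sent
2018-10-02T08:41:19,Q4-signature-request,alice,clicked
2018-10-02T08:55:00,Q4-signature-request,carol,clicked
2018-10-02T09:01:27,Q4-signature-request,bob,reported
"""


def summarize(log_text: str) -> dict:
    """Per-user counts of campaigns received, clicked and reported, plus rates.

    Campaigns are counted as sets so a user who clicks twice in one campaign is
    still one click for that campaign.
    """
    per_user = defaultdict(lambda: {event: set() for event in EVENTS})
    for row in csv.DictReader(StringIO(log_text)):
        if row["event"] in EVENTS:
            per_user[row["user"]][row["event"]].add(row["campaign"])
    summary = {}
    for user, seen in per_user.items():
        sent = len(seen["sent"])
        summary[user] = {
            "campaigns": sent,
            "clicks": len(seen["clicked"]),
            "reports": len(seen["reported"]),
            "click_rate": round(len(seen["clicked"]) / sent, 2) if sent else 0.0,
            "report_rate": round(len(seen["reported"]) / sent, 2) if sent else 0.0,
        }
    return summary


def retraining_list(summary: dict) -> list:
    """Everyone who clicked at least once, repeat clickers first, then by name."""
    clickers = [(user, stats) for user, stats in summary.items() if stats["clicks"] > 0]
    clickers.sort(key=lambda item: (-item[1]["clicks"], item[0]))
    return [user for user, _ in clickers]


def firm_click_rate(summary: dict) -> float:
    """Share of all delivered test emails that were clicked, across the firm."""
    sent = sum(stats["campaigns"] for stats in summary.values())
    clicked = sum(stats["clicks"] for stats in summary.values())
    return round(clicked / sent, 2) if sent else 0.0


if __name__ == "__main__":
    results = summarize(SAMPLE_LOG)
    for user, stats in sorted(results.items()):
        print(user, stats)
    print("firm click rate:", firm_click_rate(results))
    print("retrain first:", retraining_list(results))
```

Tracking reports as well as clicks matters: a user who forwards the test email to IT is the behaviour the training is trying to produce, and a rising report rate across exercises is the evidence that the policy Marquette says must be enforced is actually working.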
Attorneys need to think through all the ways they communicate when outside their firm's walls, Marquette says. "Are you collaborating with other firms?" he says. "How do you secure information traveling between those two organizations? That's critical. And then you need an ongoing measure of security training for your team. People have to understand how easy it is to be tricked."
Phishing attacks are the most common method of trickery. Ransomware is receding but is still a threat, Marquette says. "We see firms inadvertently losing tens and hundreds of thousands of dollars at a time. The only way to be aware of that is to know how to spot it," he says. "Every wire transfer should require a verbal signoff from people. It's not all about technical solutions. It's making sure people are aware. The checks and balances, particularly for activities involving financial transactions, need to be very clear."
Client information should never be transmitted through unencrypted personal devices like cell phones. Garofalo admonishes attorneys to never use email or text messages when sending client information, especially sensitive documents "or information like the Social Security Numbers of kids when putting together an estate plan," he says. "Don't use text messages, even when [clients] want to use text messages. We have a secure portal for clients. …It's as secure as you can be in this day and age. It's much more secure than…[Microsoft] Outlook."
Email encryption is an increasingly hot topic for clients of Affinity Consulting, Unger says. "The black-letter laws generally say there's no duty to encrypt email, but if you read the ethical decisions carefully, they will tell you there's special circumstances that require special precautions," he says. "That language is starting to be interpreted and enforced. A lot of our clients are forcing us to encrypt. If your client is a financial institution or a hospital, they're forcing your hand."
Ultimately, Garofalo figures even tech-savvy attorneys will want to turn to IT experts for their cybersecurity needs given how challenging it is to keep up with the latest developments. "That's the most time-consuming," he says. "Somebody says, 'Did you hear about this?' And [the answer is] no, because I've been practicing law instead of reading articles about cybersecurity." (For more on email security, see Is Your Email an Open Secret on page 50.)
Unger increasingly hears predictions that attorneys and law firms soon will need to purchase cybersecurity insurance. "And it's not going to be cheap," he says. "In order to get cybersecurity insurance, you're going to need a cybersecurity assessment."
Bottom line, Garofalo concludes, "The most important things are having a good firewall and making sure it's up-to-date and managed; having a policy in your office about using your computer and what you download; being aware there could be fake emails; and making sure staff understands what VPNs are, how to use them, and why."
Ed Finkel is an Evanston-based freelance writer.
For a glossary of cybersecurity terms mentioned in this article, visit the U.S. Department of Commerce's National Institute of Standards and Technology website.
ISBA RESOURCES
ISBA Solo & Small Firm Practice Institute, Six Smart Tips to Keep Your Mobile Law Firm Connected and Secure, Oct. 26, 2018, Carbondale.
Jeff Strand, Expanding Coverage Offsets Risks for Closing Firms, Cyber Liabilities, 106 Ill. B.J. 46 (Feb. 2018).
Leonard F. Amari, Cyber Fraud and Cyber Security: What's This All About, Senior Lawyers (Oct. 2016).
Ed Finkel, Client Confidentiality in the Digital Age, 103 Ill. B.J. 20 (May 2015).
Alan Wlasuk, The Illusion of Digital Security, The Bottom Line (Mar. 2012).