Last month I was privileged to be invited to speak about BYOD (Bring Your Own Device) policies in law firms at the 2014 Clio Cloud Conference (check out the live blog I made of Day 1 here). My presentation, titled Law Firms in a BYOD World, discussed the reasons why law firms need to implement not just any BYOD policy, but the right BYOD policy.
As you can see in the presentation below, the right BYOD policy does more than address the basic elements of any effective workplace policy. To be the right BYOD policy, it must provide for regular updates, it must have universal buy-in among your employees, it must apply universally within your firm, and it must take the privacy concerns of your employees seriously.
Check out my presentation, Law Firms in a BYOD World:
We Live in a BYOD World
Regardless whether you want to allow BYOD or not, odds are you’re probably already doing it. Recent survey indicated that of those using a mobile device for work, 78% use a device they own. Companies large and small have clued in to the benefits of BYOD – despite the potential drawbacks.
- Owners and executives love it:
- Companies no longer bear cost of equipment
- Companies no longer bear cost of service
- Reduced costs for training, as people tend to be more proficient in using personal devices
- Company ends up being more innovative, as personal devices tend to be newer
- Employers like it
- Employees are more productive
- Employees more available during non-work hours
- Employees like it
- Get to use device of their choosing
- Allows work when/where most comfortable
- Eliminates issue of carrying personal AND business phone
Among the most important findings of all these surveys: employees don’t seem to miss having a phone provided to them by work!
Hackers Like a BYOD World
How much valuable information is on your smartphone?
- Even the United States Supreme Court has recognized that a person keeps their entire life on their smart phone – many observers have noted that the Court’s decision in Riley v. California appeared to rely heavily on how the justices themselves (who still use ivory paper for memos) rely on their own personal smartphones.
- Hackers, as one would expect, know it too
- Your phone currently probably has all the information anyone would need to gain access to every part of your personal life, including learning most of your passwords – simply losing your phone opens you up to being hacked
- Annually, travelers lose thousands of mobile devices just in U.S. airports
- An estimated 33-50% of smartphone users do not use a password on their devices, the first line of defense against losing confidential data if your phone is lost or stolen.
Despite the important information, we do very little to protect it
Only 19% of people who use a smartphone or tablet for work have installed a full security app on their device, and 64% use only the security that comes pre-installed on their devices.
When it comes to reporting lost or stolen devices, we’re pretty bad too. A recent study found that only 50% of respondents (43% in North America) reported the loss or theft within one day. 38% took between 1 and 2 days, and nearly 10% took up to five days to notify their employer. Worse, 19% of the businesses surveyed that reported an incident of a lost or stolen device experienced some form of related data loss. Those numbers are worse than 2012, and particularly disheartening is the drop in same-day reporting of a loss.
Incidents of Hacking On The Rise
Reports of large and small-scale security breaches have increased significantly. One survey indicated a 25% increase in 2013, following a 42% increase in 2012, corporate and business IT systems are attacked an average of 2 million times each week.
And hackers are becoming more successful in turning breaches into actual data theft (27% increase in reported losses from security breaches in 2013). The ones you’ve heard of: Target, Home Depot, iCloud.
What were they searching for? When it comes to big retailers, it’s pretty basic: names and credit card numbers.
Recently, hackers have been increasingly attacking systems of hospitals and other low-security targets. What are they after? PII (Personally Identifiable Information)
- Medical Records
- Bank Account info
- All the information hackers could possibly need
In a BYOD World, Law Firms are Vulnerable!
What makes your life more convenient almost inevitably makes your life less secure. Law firms have been referred to as the “soft underbelly” of cyber security, an assessment legal security experts apparently agree with. Is this justified? It’s possible.
Your firm is vulnerable – here’s how I know:
We tend to be good at giving advice, bad at following it.
- Only 22% of attorneys encrypt email.
- 14% of firms reported a security breach
- Only 1% of security breaches resulted in stolen confidential client data
- 28% could not say whether their firm had been infected by a virus or malware (45% said their firm HAD been, so…)
- 21% did not know if their firm had a disaster recovery/business continuity plan in place
Generally, based on the ABA Survey reviews, lawyers report an overall lower rate of being attacked than other businesses. Unfortunately, it seems likely that it’s not because lawyers are hacked less frequently.
Consequences are Greater in a BYOD World
- Estimated cost of a data breach in the U.S.: up to $5.4 million per breach
- Costs arising out of breach
- Fixing the damage (Replacing damaged data, new network equipment, etc.)
- Necessary upgrades to prevent future attacks
- LOST TIME
- Notification expenses – it’s required in at least 47 states (identify, locate, notify… time consuming and expensive)
- Damages? It’s becoming more and more likely. WHATS THE DIFFERENCE BETWEEN THE TARGET AND HOME DEPOT HACKS? – Home Depot has been ignoring warnings about the vulnerability of their customer data since 2008.
- Were your security measures reasonable?
- Used to be limited to demonstrable injury
- Now, at least includes the cost of mitigating the breach
- Additional damages in tort
“So this is going to cost me money, AND I’m being investigated by the state bar?” – You’d better believe it! You have a duty to protect client confidences – did you take all reasonable steps to do so? Were your actions appropriate to the risk, considering the capabilities of your firm’s data security?
Target survived because they’re Target, but even they took a hit. What about your firm?
- You just told a client that their confidential information was accessed – will they keep you? Will they recommend you? Will they be repeat customers?
- What about your other clients, who you likely need to inform of the breach anyway – same questions.
- How many are going to hire the law firm that was just hacked?
A serious breach, particularly one that could have been prevented by simple, reasonable measures could decimate your firm. Have doubts? Could your practice survive these hits simultaneously?
- Paying millions to investigate a breach, and repair the damage? The average cost of a successful attack on a U.S. company has been estimated between $2.4-5 million.
- Paying millions more to clients whose confidential information was stolen?
- Receiving a reprimand from your state bar for failing to protect client confidence?
- Having your law firm’s name announced by the local news as the subject of a massive data breach?
- Having the story of the breach appear in the top of any search results for your firm?
- Along with companion stories about the lawsuits your former clients have filed and your ethical issues?
You Need the Right BYOD Policy.
Step 1: Breathe
Oftentimes, an overreaction can be worse than no reaction. Users frequently do not properly evaluate technology risks until an event occurs, at which point they overvalue the risk. Like the guy’s house above.
HOWEVER – the RIGHT BYOD Policy can both dramatically reduce the risk of a breach, AND limit the damage any successful breach causes.
There’s no question that BYOD increases risk
- If something in your life becomes more convenient, you can pretty much guarantee it’s going to be less secure than what you had before
- The key is to understand the risk, and to plan effectively to minimize that risk
- Avoid knee-jerk decisions and security plans based on paranoia, rather than assessment and common sense.
Step 2: Assess
What are you trying to protect?
First and foremost, everyone must understand the presence of a risk. Recent surveys indicate that the general tendency is to understate the risk – over 90% underestimated the risk posed by malware, some to the extent of absolute ignorance.
Second, understand what confidential information your firm retains Two areas data at risk – data at rest and data in transit. Must understand how data is encrypted in both scenarios.
- Learn WHAT information is stored (PII, health records, trade secrets, etc.), WHERE it is stored (local server, computer hard drive, cloud storage), HOW it is stored (encrypted?), and WHO has access.
- Create a cybersecurity risk profile to make sure you are investing your security dollars where they’re actually needed, rather than where the most recent news story suggests.
Third, determine what resources you have.
Are there any other key factors?
- Corporate cybersecurity audits?
- Specific statutory or regulatory requirements
- Cybersecurity Insurance Policy
- Do you have it?
- If not, are you aware that your general, comprehensive, umbrella and E&O policies unlikely to provide coverage for cyber security breach?
- Like many insurance policies, they may require certain steps be taken by an insured
- Do you have it?
Step 3: Plan
- Not a “Fire-and-Forget” issue
- The thing I love about movies is the suspension of disbelief – we suspend our disbelief the Paul Giamatti could EVER be a hacker
- The nature of technology requires vigilance – any plan must not only allow for updates and changes, they should be required
- Requires universal buy-in
- Your employees, with the proper training on identifying potential threats, as well as a full understanding of the damage that could be caused by a data breach – including loss of bonuses, perks, or even their jobs – can be a formidable front line.
- Any device presents a potential risk
- This is a TRUE “weakest link” situation
- Involve Everyone
- Every person should at least be represented in the planning
- Best way to ensure failure is an opaque decision-making process
- Educate everyone as to why the security policy is needed – and don’t stop the education once a plan is drafted!
- In one survey, respondents indicated that employee participation in drafting any BYOD policy was much more important than concerns about the employer installing security apps on personal devices.
- 61% of companies responding to survey say that even when sought, employee input and concerns have little to no influence in final policies for security
- Respect privacy
Step 4: Implement
Put it in place, and let it run. There are other considerations, though:
- Some recommend making any BYOD policy a part of your firm’s employment agreements, and making sure it is signed.
Is BYOD Optional?
- In a survey, 46% of respondents claimed they would stop using personal devices for work if their company requires them to install a security app.
- I call BS
Privacy Bill of Rights
Who Watches the Watchers?
Sources for the information in this presentation can be found here.