(This article was originally published by Legaltech News by Ian Lopez on May 27, 2016)
As cyberthreats abound, lawyers are increasingly called upon to secure their clients’ information. Vaporstream’s Galina Datskovsky talks taking security mobile.
As mobile continues to repurpose the way we communicate in our daily lives, it also changes the ways we share our business information. This has led to a number of challenges, touching upon everything from the conflation of the professional and the personal to leaving valuable and sensitive data accessible to those who seek to exploit it.
Vaporstream’s CEO Galina Datskovsky is no stranger to this reality. Having worked in information governance and compliance for over two decades, her experience has versed her in the nuances of law firm data security as well as attorneys’ perceptions of these technology-fueled changes. She told Legaltech News that the mobile market is currently, in many ways, “where email used to be twelve years ago.”
“Law firms are usually slow adapters of new technology,” she said. “I distinctly remember when emails sort of first started taking hold everywhere else.” Attorneys would say, “I don’t get this whole email and Blackberry thing.”
Nevertheless, she explained that “the mobility practice of the mobile lawyer” is “really important” in the modern Big Data environment, a place where law firms, overseeing sensitive client information, are more vulnerable than ever before. With mobile, the stakes are elevated.
In demonstrating how law firms may react to mobile security, Datskovsky discussed an experience in which she provided data governance and policy consulting for a law firm, where the topic of texting was an issue. “I said, ‘Well what about text and chat? What do your attorneys do?’ And none of the people in the firm said, ‘Wait a minute, our policy strictly says right here that that’s not allowed.’ I said, ‘How’s your compliance with that policy,’ and they said, ‘Well, everybody texts.’”
When asking about the company policy, “the answer I got that kind of blew my mind, although what’s very typical of law firms again, is that, ‘If it’s in the policy that we can’t, then we can defend ourselves by saying it’s not sanctioned,’” she noted. “Really, it’s in your policy but everybody does it, and you know everybody does it, you think it’s going to be secured?”
“In particular, with the kinds of breaches that we saw in law firms I think this is going to become a front and center issue because it’s mobile security,” she added. “And coupled with device governance and compliance,” mobile policies “make the firm safer in general.”
Here are some of Datskovsky’s tips for law firms to improve their mobile security:
1. Accept it – Everyone is mobile. Enact policies that reflect this reality.
In Datskovsky’s view, mobile security is something that comes “in various shapes and forms,” and when considering this, it’s important to differentiate securing the device from the lawyer using it.
A first step in getting the firm more secure is accepting that “lawyers clearly have mobile phones.”
Thus, “there should be very, very clear guidelines and policies on how a device should be secured. And this could be some very simple things, like everybody has to have a pin and a password, to everybody must encrypt all data on the device, to making sure that there is a mobile device management application in place where the policies are actually pushed to the device by the IT department, so it’s not optional. It’s not up to the lawyer. It’s up to the firm.”
Getting the firm to observe the policies, she explained, is “very realistic, but only if the people who are in charge of policies – IT, general counsel – really take the time to think it through to make it almost seamless for the attorney. Otherwise, I don’t think you can get compliance.”
“I don’t think it’s realistic to have a policy in place that says, ‘do not touch.’ Because people will do it anyway. I think it is frankly a naïve way to approach things,” she added.
2. Take back control – in the form of mobile device management.
While there are a number of ways to theoretically secure a lawyer’s device, sometimes it’s advisable to place the task in IT’s hands.
As previously noted, one route comes in the form of mobile device management applications. Datskovsky said in using this, “I could push my security practices and policies then in a general manner to everybody.”
Additionally, “I feel more comfortable with having a bring your own device (BYOD) policy if such a play is in place because in that case, I could separate, partition the personal and the business, and I don’t have to worry about the personal being unlocked and somebody seeing the personal.”
This is important, she added, “because a lot of the breaches happen not because somebody hacks … but because somebody is careless.”
3. Keep the personal personal – know what’s SFW
Given that many lawyers can now work from any location at any time, it’s fairly easy to enmesh the personal with the professional. However, some methods of communication are more suitable for work than others.
To demonstrate this, Datskovsky pointed to text messaging. “I would never think that texting in my normal native form of text is appropriate for business,” she said. This is partially because, often, it isn’t necessary for a task you’re undertaking, and furthermore, it’s not always encrypted in transit. Also, upon sending, the sender has no control over the text. “If I send you a text, you could forward that to anybody, you could put it on Facebook. Whatever you do, I have no control over it.”
“If you look to secure text, especially a text that can be ephemeral in the sense of control and disappear from devices, we can secure those types of communications much better,” she said. This means that some communications may be better for email, and by using it, there is “a single source of truth, a single copy of records of which you could search, you can go for e-discovery to and for completeness of records to without sacrificing privacy and security.”
However, Datskovsky also warned, “Not everything belongs in a mail box in a system where I don’t know how [information is] secured from the other end. You might be discussing terms and conditions or prospective terms and conditions of appeal, and it’s highly confidential, or I may be saying, ‘My preliminary examination of an e-discovery set has yielded these things. What do you think?’ This is something that can live forever in an email system that can be hacked.”
4. Be aware of what goes in, out, on, with and around your mobile device.
Given the variety of apps available to mobile devices, it’s easy at times to forget every tool we have at our disposal.
Lawyers, Datskovsky said, “need to be very aware of anything else that goes to a mobile device. For instance, if you have email going to a mobile device, you might want to check policies on that mobile device, or your mobile device management.”
She explained that firms might want to consider enabling themselves to do a “remote wipe of a device” so “if somebody lost a device or it was stolen or something happens, you have a way to get rid of those things that are still lingering on that device.”
Datskovsky also noted that it’s important to know the distinction between “accessibility and permanent storage” as tools like cloud repositories are now accessible through mobile devices. “You can still make [information] readily available for the mobile worker to get to what they need without having to permanently store at the device level.”
“I think with mobility, you have to think in those terms. You have to think about governance and compliance, you have to think about convenience, but you also have to think about the fact that not everything belongs on your mobile device, not everything belongs there forever,” she added.