October 2010 | Practical Technology Tips
Ten Best Practices for Securing Your Practice's Data
If you are considering taking your firm's technology to the next level - or you already have - consider these 10 steps to ensure your security risks are minimized.
Securing confidential data is one of the most important objectives of any law firm’s information technology (IT) platform. The modern law firm’s IT platform will generally consist of three primary classes of resources: on-premises resources (servers, desktops, and other on-site equipment), mobile resources (laptops, smartphones, netbooks, iPads and other portable equipment), and cloud-based resources (Web-based application and data storage).
While best practices for on-premises computing have been widely discussed over the past decade, the increasing use of mobile devices and cloud computing presents new security vulnerabilities and considerations. The following list of security “best practices” will help secure all three classes of your IT infrastructure:
1. Use unique and strong passwords. Password strength is a simple but often-overlooked aspect of IT security. Ensure the passwords you select are strong (at least 8 characters long and a mix of letters, symbols, and numbers) and unique to each computer/Web site you use. The uniqueness of each password you use is critically important, as it prevents a thief who has compromised a single computer or Web site from gaining access to your other accounts. To help generate and keep track of your various passwords, use a password manager such as KeePass (Windows) or 1Password (Mac OSX).
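As an added illustration of the two rules in this step (not code from the article, KeePass or 1Password), the script below generates passwords from the operating system's cryptographic random source and audits a small credential list for the two problems the step warns about: passwords that miss the length-and-mix rule, and one password reused across several sites. The sites and passwords in SAMPLE_VAULT are constructed for the example; the symbol set and the 8-character minimum follow the article's rule.

```python
import secrets
import string
from collections import defaultdict

# Policy from the article: at least 8 characters mixing letters, digits and
# symbols, and a different password for every site or computer.
MIN_LENGTH = 8
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def is_strong(password: str) -> bool:
    """True when the password meets the length and character-mix rule."""
    if len(password) < MIN_LENGTH:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in SYMBOLS for c in password)
    return has_letter and has_digit and has_symbol


def generate_password(length: int = 16) -> str:
    """Draw a random password from the OS CSPRNG until it satisfies is_strong()."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate):
            return candidate


def audit(credentials: dict) -> dict:
    """Return {site: [problems]} for a site -> password mapping.

    Flags weak passwords and any password shared between two or more sites,
    so a single compromised site cannot unlock the others.
    """
    by_password = defaultdict(list)
    for site, pw in credentials.items():
        by_password[pw].append(site)
    findings = {}
    for site, pw in credentials.items():
        problems = []
        if not is_strong(pw):
            problems.append("weak")
        if len(by_password[pw]) > 1:
            others = sorted(s for s in by_password[pw] if s != site)
            problems.append("reused with " + ", ".join(others))
        if problems:
            findings[site] = problems
    return findings


# Constructed sample vault: hypothetical sites and passwords, not real credentials.
SAMPLE_VAULT = {
    "mail.example.com": "Summer2010",    # weak: letters and digits but no symbol
    "docs.example.com": "Summer2010",    # same password reused on a second site
    "bank.example.com": "x7#Qp!2mLr9z",  # strong and unique
    "office-pc": "abc!1",                # weak: shorter than 8 characters
}

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_VAULT).items():
        print(f"{site}: {'; '.join(problems)}")
    print("suggested replacement:", generate_password())
```

Running the script lists three of the four entries as problems and leaves the bank login alone; a password manager does the same bookkeeping, but the audit shows why reuse is treated as a finding in its own right rather than only weakness.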
2. Encrypt your hard drives. In the event a computer is stolen, it is trivial for a thief to retrieve information from an unencrypted hard drive, even if it is protected with a Windows or OS X password. An encrypted hard drive requires you to enter a password as soon as it is activated; without the correct password, the drive remains completely inaccessible. TrueCrypt is an excellent (and free) disk encryption tool. This is especially important for laptops and other mobile computers, but is also a good security practice for desktops and servers.
3. Perform backups of both on-premises and cloud-based data. Disk drives fail more often than you think, and a critically important aspect of securing your practice’s data is ensuring you completely back up your data at least once per day. Ensure backups are made of both on-premises data and of any cloud-based data your office may be depending upon. Move your backups to a secure off-site location (for example, a safe deposit box) on a daily basis. Also, ensure you regularly test your backup recovery process; all too often backups are discovered to be corrupt or missing key data when a recovery is attempted.
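The last sentence of this step is the one most practices skip, so here is an added example (not from the article, and not any backup product's code) of a backup that records a SHA-256 manifest at backup time and then proves it can be restored: the archive is unpacked into a scratch directory and every file is compared against the manifest. The practice-data tree, file names and contents are constructed for the demonstration, and the truncated archive at the end simulates the corrupt backup the article describes.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large documents do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree as .tar.gz and return the manifest taken at backup time."""
    manifest = make_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def verify_restore(archive: Path, expected: dict) -> list:
    """Restore the archive into a scratch directory and check every file against
    the manifest. Returns a list of problems; an empty list means the backup is good."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                if hasattr(tarfile, "data_filter"):   # Python 3.12+: refuse unsafe paths
                    tar.extractall(scratch_path, filter="data")
                else:
                    tar.extractall(scratch_path)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = make_manifest(scratch_path)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content changed: {rel}")
    return problems


def demo() -> tuple:
    """Back up a constructed sample tree, verify a good restore, then truncate the
    archive to show the verification catching a corrupt backup."""
    with tempfile.TemporaryDirectory() as work:
        work_path = Path(work)
        source = work_path / "practice-data"
        (source / "matters").mkdir(parents=True)
        # Constructed sample files; names and contents are hypothetical.
        (source / "matters" / "smith-v-jones.txt").write_text("sample matter notes\n")
        (source / "contacts.csv").write_text("name,email\nJ. Smith,jsmith@example.com\n")
        archive = work_path / "practice-data.tar.gz"

        manifest = create_backup(source, archive)
        good = verify_restore(archive, manifest)

        # Simulate a corrupt backup by keeping only the first half of the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad = verify_restore(archive, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact archive problems:", good)
    print("truncated archive problems:", bad)
```

Keeping the manifest alongside the archive (off-site, with the backup) is what makes the test meaningful: without a record of what the data looked like at backup time, a restore can only show that files came back, not that they came back unchanged.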
4. Use SSL encryption for cloud computing. Ensure any Web site you exchange confidential data with employs Secure Sockets Layer (SSL) encryption. Without SSL encryption, data is transmitted in plain text, and as such is easily eavesdropped upon. SSL encryption allows for the secure, encrypted transmission of data even over public networks (like a free WiFi hotspot). You can easily verify a Web site is using SSL encryption by looking for “https://” at the beginning of the Web site address (e.g. https://www.gmail.com) and a “lock” icon in the Web browser’s status bar.
5. Access Control. Most applications, whether cloud-based or on-premises, allow you to configure specific permissions and access rights for groups of users. Make use of these permissions systems to ensure the number of users that have access to sensitive or confidential data is kept to a minimum. Examples of such access controls include restricting access to confidential files stored on a network server and limiting users to certain types of reports in a practice management system.
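To make the "keep it to a minimum" rule checkable, the added example below (not from the article or any practice management product) models group-based permissions that deny by default, then reviews which users can actually reach each confidential resource. The groups, users and resources are constructed; they stand in for a server share and a practice management system's report permissions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    """Something access is granted to: a file share, a report, a calendar."""
    name: str
    confidential: bool = False


class AccessPolicy:
    """Group-based permissions. Anything not explicitly granted is denied."""

    def __init__(self):
        self._members = {}   # user -> set of group names
        self._grants = {}    # (group, resource name) -> set of actions

    def add_user(self, user: str, *groups: str) -> None:
        self._members.setdefault(user, set()).update(groups)

    def grant(self, group: str, resource: Resource, *actions: str) -> None:
        self._grants.setdefault((group, resource.name), set()).update(actions)

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        """Deny by default: unknown users, groups and actions all return False."""
        for group in self._members.get(user, ()):
            if action in self._grants.get((group, resource), ()):
                return True
        return False

    def users_with_access(self, resource: str, action: str) -> set:
        """The review question behind this step: who can do this to this resource?"""
        return {u for u in self._members if self.is_allowed(u, resource, action)}


# Constructed example firm: three groups, four people, three resources.
CLIENT_FILES = Resource("client-files", confidential=True)
BILLING = Resource("billing-reports", confidential=True)
CALENDAR = Resource("calendar")
RESOURCES = [CLIENT_FILES, BILLING, CALENDAR]


def build_sample_policy() -> AccessPolicy:
    policy = AccessPolicy()
    policy.add_user("alice", "partners")
    policy.add_user("bob", "associates")
    policy.add_user("carol", "staff")
    policy.add_user("dave", "staff", "associates")   # a paralegal with matter access
    policy.grant("partners", CLIENT_FILES, "read", "write")
    policy.grant("partners", BILLING, "read")
    policy.grant("associates", CLIENT_FILES, "read")
    policy.grant("staff", CALENDAR, "read", "write")
    return policy


def review_confidential(policy: AccessPolicy, resources: list) -> dict:
    """For each confidential resource, the set of users who can read it.
    A large set here is the signal to tighten permissions."""
    return {r.name: policy.users_with_access(r.name, "read")
            for r in resources if r.confidential}


if __name__ == "__main__":
    policy = build_sample_policy()
    for name, users in review_confidential(policy, RESOURCES).items():
        print(f"{name}: readable by {sorted(users)}")
```

The review function is the part worth keeping: run it after every staffing change, and the output is the list of people who could see confidential material, which is exactly the number this step says to keep small.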
6. Use a secure Web browser. Internet Explorer, while one of the most widely used browsers, is also the most insecure. Switching to a more secure Web browser, such as Google Chrome or Mozilla Firefox, is easy to do, and will deliver other benefits such as increased speed and reliability.
7. Implement a firewall and appropriate application filtering policies. A firewall helps protect your local network from hackers and other threats. Most cable and DSL routers implement a rudimentary firewall; more sophisticated firewalls can also filter specific types of Internet traffic and prevent unauthorized protocols or software programs from being used in your local network. For example, the unauthorized use of peer-to-peer software from within your network could present a security threat as well as a legal liability; a properly configured firewall would block such traffic from leaving (or entering) your local network.
8. Use anti-virus and anti-spyware software. Viruses and spyware are both types of malware – malicious software – that can compromise the security, performance, and integrity of your computer systems. If you are running Windows, make sure you are running both anti-virus and anti-spyware software to defend against malware threats. Commercial vendors such as Symantec, McAfee and AVG offer combined anti-virus and anti-spyware packages. Google offers Google Pack, a free bundle that protects against both types of malware. Mac OS X doesn’t suffer from viruses and spyware, which obviates the need for anti-malware software if you’re an Apple user.
9. Physical security of on-premises hardware. All too often mission-critical hardware, such as servers, backup media, and other sensitive elements of IT infrastructure, are stored in broom closets or in a common area. To prevent unauthorized access, theft, or tampering, place sensitive elements of your hardware infrastructure in a secured room with access limited to key employees.
10. Protect your mobile devices. The proliferation of mobile devices – BlackBerries, iPhones, iPads, netbooks, and more – presents newfound freedom and opportunities for the mobile lawyer, but it also introduces a range of security concerns. New mobile devices not only contain sensitive information stored locally on the devices, but they are also often connected into a firm’s cloud-based document, calendar, contact and practice management databases. To protect against the loss or theft of a mobile device, enable the passcode lock feature on your device. Additionally, some devices, including the iPhone and BlackBerry, offer “remote wipe” functionality that allows users to remotely erase data from a device should it fall into the wrong hands.
While not exhaustive, the best practices above provide a solid baseline for any practice’s data security across its on-premises, mobile and cloud-based IT infrastructure.
Jack Newton is cofounder and president of Clio, a leading provider of cloud-based practice management software. Jack holds an M.Sc. in Computer Science and has three software-related patents in the United States and the European Union. He has also spoken at CLE seminars across the United States about how cloud computing can help law practices run more effectively and efficiently.