LAW OFFICE SECURITY for Small Firms and Sole Practitioners. Prepared by Andrew Mason, Scott Phelps & Mason, Saskatoon Saskatchewan

Transcription

1 LAW OFFICE SECURITY for Small Firms and Sole Practitioners Prepared by Andrew Mason, Scott Phelps & Mason, Saskatoon Saskatchewan 1. Introduction CONTENTS 2. Security Consciousness Having a Firm Security Policy 3. Paper File Security 4. Computer Hardware security i) Minimizing Risk of hardware failure Hard disk replacement Hard disk redundancy ii) Preventing loss of information Backups Off-site storage Know how to Restore the Backup 5. Computer Operating System and Application Security i) System Log ii) System Passwords iii) Application Passwords iv) Anti-Virus Software v) Malware avoidance vi) Keeping systems up-to-date 6. Network Security i) Firewalls. ii) Wireless Security Encryption iii) Remote access iv) Network Intrusion Detection v) Portable computers and USB sticks vi) Recovering a lost/stolen computer 7. security 8. Internet security 9. Conclusion

2 2 1. Introduction Security used to be a simple matter: Turn off the lights and lock the door behind you when you leave. That is still good advice, of course. But, in this age of electronic information and world-wide online access, it is not enough. Office technology and the internet have transformed the practice of law and present daily challenges in maintaining law office security. In this paper I will present an outline of the security issues that small firms and sole practitioners face with office technology and the internet. These are issues that large city firms usually hand over to information technology specialists to manage. In the small firm or in rural or remote communities where IT support may not be affordable or available, these tasks have to be managed in-house by you. The goal is to take advantage of the benefits of technology while meeting the standard of security that the Law Society and your clients reasonably expect. 2. Security Consciousness - Having a Firm Security Policy Good law office security starts with the people in your office who access information on a daily basis. There should be a simple, general, firm policy regarding office security that everyone in your office should be aware of and understand. The policy need not be complicated: It is the responsibility of every lawyer and member of staff to strive to ensure that client information is preserved, protected and accessible for the benefit of the client only. This means that you will strive to ensure that confidential information remains confidential and that client information is accessible for client purposes only; that you will avoid practices that may put client information at risk of being lost or accessed by unauthorized persons; that you will not open from an unknown source; and that you will lock the doors when you are the last to leave the office. If you have every member of the firm read and sign such a policy, you have made a good start.

3 3 3. Paper File Security Paper is a pain. It accumulates and it has to be manually filed. Despite all your attempts to move toward the paperless office you still seem to be managing more and more paper. I dislike paper. I do not manage it well. Be wary of taking your advice on how to manage paper from me. The Law Society of Upper Canada has some pretty good advice at this site: 4. Hardware Security Hardware breaks down. When it does, you can lose the information stored on it. You can minimize but you cannot eliminate the risk of hardware failure. You need a twopronged strategy. Here is what you can do: i) Minimizing Risk of hardware failure Hard disk replacement. The information on your computers is stored on mechanical devices called hard drives. A hard drive consist of high speed rotating metal wheels and fast little pointy things that move in and out to read what is on the wheels. They are well made and are reliable for a long time but they will eventually wear out or fail. You want to replace them before they stop working. The reliability of a hard drive is measured in mean time between failure - MTBF or mean time to failure MTTF. Desktop drives typically have a MTTF of 600,000 hours or 68 years. This does not mean that they all last that long before failing. What it means is that out of 1000 drives running for one year, about 15 of them will fail. If you use computers with single desktop drives, a good policy would be to replace the hard drives every two to three years. Hard Disk Redundancy. Since hard drive failure is an unlikely event, the chance of two drives independently failing at the same time is miniscule. So a better solution is

4 4 to have redundant drives using a RAID 1 controller (usually found in a file server but some desktop computers can have RAID controllers). Using two Enterprise class 2 hard drives in a RAID1 (mirror) configuration (you will need a RAID controller board - they are found in some higher end computers and all file servers), identical copies of all information are maintained on each drive so if one drive fails the data can be retrieved from the one that is still working. Monitoring Drives: With a RAID system, you should monitor the drives. This may be accomplished by having the server configured to send an in the event of a drive failure or other major problem. ii) Preventing loss of information Backups. If your office catches fire, is flooded or suffers a malicious attack, redundancy alone may not save you. RAID mirroring does not replace backing up your computer data and storing the backup data in a secure offsite location. Backing up Office Data. You should backup your office time/billing/accounting data on a daily basis. This can be done on Windows machines using the Backup utility (for Xp Home and Vista/Windows 7 Home users you will have to install the backup program manually from your Windows CD). If you backup the data to a hard drive on your system, once a week you should also back it up onto a CD or DVD to be stored off site (your home, for example). Be sure to have a reliable labeling system. You can also use an off-site backup service (see below). Backing up Document files. It is not practical to backup your client documents on a daily basis to an offsite server. I suggest keeping them on mirrored (RAID1) drives and doing weekly incremental backups onto a DVD, which is then stored off-site, or use an off-site service. 1 RAID means Redundant Array of Independent Disks and is the industry standard for configuring redundant disk storage. 2 Enterprise drives, which must be used on servers in RAID configurations, are also more reliable. They have a MTTF of 1.2 million hours or 136 years.

5 5 Live document backup: Have you ever accidentally erased or copied over a document that you are working on? Word processors can be configured to perform live backups at short intervals. You should configure the program to store the backup on a different drive than you are using to store the document. Caution: Live backups may only work if you have a file name for the document. So when you create a new document save it and give it a name before you begin to work on it. Off-site Storage: You can use an online backup service to backup your data to an off-site server. SaskTel ( ) offers a service. Other providers include Fibercloud ( ) and VaultLogic ( ). Be sure to ask how the off-site service maintains security of your data. Know how to Restore the Backup. It is important that you periodically test the restorability of your backups. So at least once a year you should do a complete system restore to be sure that your backup system is working. This will also keep you conversant with the restore process so you will know what to do in the event that you need to restore data. 5. Computer Operating System and Application Security The key here is to balance accessibility with security. Multiple levels of simple security may be just as secure, or more secure, than one level of elaborate security. i) System Log. Start by having a paper notebook for your system maintained by your office or system manager. The purpose is to store all technical settings, computer passwords, and other sensitive information relating to your system. It should be kept in a locked filing cabinet or other secure place. ii) System Passwords. Passwords can be a pain, but they are a good starting point for maintaining office security. Each computer should have a user password to control access. Access to the file server, if you have one, should also be secured with a logon password. These passwords should be written down and kept in the system log.

6 6 iii) Application Security. Access to office data (eg. PCLaw, Easilaw, Quickbooks) should be by user and password. These should also be kept in the system log. It is generally not a good idea to password protect documents on your office system. If the password is lost, the document is lost. There can be exceptions to this rule for very sensitive documents, in which case special care must be taken not to lose the password. Generally, document passwords should be used when putting the document on a portable computer or portable media. In these cases, an unpassworded copy should be maintained on your office system. Beware of meta-data. If you send a word-processor file to someone you may think it just contains the information that is displayed in the printed document. But it may contain a lot more. It may contain all the confidential original draft and revisions to the draft that you made that your client may not want to disclose. To avoid this, it is best to provide PDF copies of the document or send a non-metadata version of the word-processor file. iv) Anti-Virus Software. Your network should be protected from viruses, ad-ware and other malicious software (generally referred to as malware). This should be installed on each workstation. Good anti-virus programs are Norton, McAfee, VIPREE, Kaspersky, and ZoneAlarm. These must be kept up-to-date using the online updating service that is provided by the software developer. v) Malware avoidance. When a new virus gets established it may defeat even the most up-to-date anti-virus software. So it is always a good practice to instruct your staff and lawyers on how to minimize the risk of infection. Be careful about s Never click a link in an or open an attachment if you are not 100% sure of its origin. If you are unsure, phone the sender to confirm. Internet sites offer all sorts of ways for you to unknowingly pick up annoying and malicious ad-ware that can potentially slow your system down or cause it to become unstable. It is recommended that office computers be used for office purposes using reliable sites.

7 7 vi) Keep Systems up-to-date. Internet browsers and programs are supposed to prevent unauthorized persons or programs from gaining access to your system. But hackers are constantly coming up with new ways of getting through them to your computer to wreak havoc. The first line of defence is to ensure that the operating system and internet software is kept up to date. This can be done with the Automatic Update feature in Windows and MacIntosh operating systems. Once an operating system ceases to be supported by the developer you should look at upgrading the operating system. This will likely mean that you will have to upgrade or replace your computer as well. 6. Network Security. i) Firewall. A firewall is a software or firmware program that prevents packets of information from being sent between your network and an unauthorized user or site. It prevents unauthorized outside users from receiving packets from your system and it prevents your system from receiving packets from unauthorized outsiders. It is an essential tool for network security. In order to connect to the internet your network must use a router. A router is a hardware device that handles network traffic between your local area network (your office computers) and a wide area network (the one your internet service provider - eg. Sasktel - is connected to) so you can access the internet. Built into the router is a firewall. This is the most efficient and effective place to eliminate unauthorized network traffic: the router knows the IP addresses of your computer and the computers with which your office computers are communicating. It is highly recommended that you do not turn this firewall off. Your computer operating system also has the ability to act as a firewall but use of this firewall together with your router firewall can cause technical headaches and limit legitimate access within your office. Unless you need to secure someone s computer from access within the firm, the firewall on the router should be adequate.

8 8 ii) Wireless Security Encryption. Wireless access can be very useful within your office, particularly if you have portable computers. This can be easily accomplished with a wireless router or access point. However, wireless access also adds to your network s vulnerability. Be sure to use secured encryption. WEP 128 bit, or WPA encryption are the standard methods and should be adequate. Be sure to write down the encryption key in the System log. With wireless access to your network, anyone in the immediate area (which could be anyone in your building) can access your network if they have the encryption key. So BE VERY CAREFUL about who obtains the key. You should not give it to clients to use while in your office. If you do, be sure to change it afterward. It is a good idea to change the encryption key periodically, in any event. iii) Remote access: With a variety of software products 3 you can access your desktop computer - and everything it can access -from anywhere in the world. When I say you I mean anyone who has the passwords that control access to your computer. So, while this can be a very useful tool, it exposes your system to a potentially huge security risk. Not only can someone with the passwords access your computer and network, but they can also do nasty things and make it appear that YOU are doing it! So, if you are going to allow remote desktop access to computers on your network, you should use only a reputable service and you must strictly control the passwords. You should never, ever, configure another computer (especially a portable computer) so that a user can access the remote desktop automatically without having to manually enter the passwords/keys. iv) Network Intrusion Detection: Some routers (eg. Cisco Systems) will keep log files of network activity. These are not terribly useful. But there are some more sophisticated programs that are available to alert you to suspicious network activity. Just Google: Network Intrusion Detection Systems or NIDS. 3 The remote desktop features of Apple or Windows operating systems provide limited access. Third party providers such as Logmein.com, gotomypc.com, are very easy to use and offer free versions of their remote access software.

9 9 v) Portable computers and USB sticks. These are very handy devices. But if your portable computer or USB stick has client data on it and it is lost or stolen, that information falls into the hands of - who knows? So at least you should password protect access to the device. All computers and some USB sticks will provide this. That just makes it difficult to access not impossible. For better security, you could have the data on the drive encrypted so that it cannot be read by anyone without the encryption key. Just make sure you write the encryption key/password down in your System log. Recovering a lost/stolen computer: There are programs and services that you can purchase that will enable you to locate your computer if it gets lost or stolen. These programs may even work in the event that the disk is erased or reformatted. Some newer Apple computers have tracking chips built into them. Google: computer tracking software. 7. Security is an essential tool for the lawyer. Clients expect you to use it. Other lawyers expect you to use it. But use poses potentially serious security risks. For office use, you should use Outlook, Outlook Express or Thunderbird or other reputable program. Be mindful of the fact that anyone who has access to your computer can access your if you store the password in the program, as most of us do. (If you are using an program on a portable computer, it is probably a good idea to not have the program automatically insert the password). Most services provide web-based access. This comes in very handy when traveling. But be very wary of using Web-Access on public computers. If you are in a hotel and you access your over the web be sure to log off and erase the browser history. Otherwise, the next user may be able to access your confidential !

10 10 As mentioned earlier, and it bears repeating: Never click a link in an or open an attachment if you are not 100% sure of its origin. If you are unsure, phone the sender to confirm. 8. Internet Security Your internet browser - eg. Internet Explorer, Firefox, Google Chrome or Safari (for Mac users) - is a potential source of infection from viruses, worms, trojans, adware and other malicious software. Make sure you have the latest up-to-date version of your browser (you can do this with automatic update from the software supplier) and make sure that you do not have any of the browser settings configured for automatic download for such things as executable files and ActiveX controls. Be sure to use an anti-virus program that provides , intrusion prevention and anti-spyware protection. 9. Conclusion Proper use of modern computer technology is essential to providing the legal services that clients expect from you. But they also expect that you will preserve important client information and protect its confidentiality. To do this you should have some understanding of the essential means of ensuring that your office systems are secure. If you follow the steps that I have set out above you will very likely meet the standard of care that can be reasonably expected of a law practitioner at least for the present. Andrew Mason October 26, 2011