It seems like everywhere you go, from a law firm’s kitchen to the airport or an internet café, lawyers are connecting wirelessly to the internet on laptops, PDAs, BlackBerries, cell phones, etc. - but are firms keeping on top of their security obligations in this wireless age?
“I think a lot of the law firms haven’t given that a lot of thought,” says Kevin Lo, leader of the electronic discovery practice of LECG Canada Ltd. “Some of the bigger firms have done a good job, but I think some of the second-tier law firms don’t have a full handle on these kinds of technologies.”
For smaller firms without sophisticated IT departments, or simply for those who haven’t seriously turned their minds to the issue, there are three areas that need to be addressed: (1) wireless connections in the office; (2) wireless devices used by roaming lawyers; and (3) wireless connections on others’ computers.
Wireless connectivity in the office
Firms may set up wireless connectivity in an office for many reasons, including increased mobility for lawyers, “hot-spot” access to the internet in conference rooms or the reception area, or simply to avoid rewiring the office. But Lo cautions those firms to recall their surroundings - their lawyers might not be the only ones trying to connect.
“If you’re in an urban centre such as Toronto, there are so many people that if you just turn on a computer with Wi-Fi capability, you’ll find at least 10, if not more, Wi-Fi access points,” says Lo. “So . . . if you haven’t done the proper due diligence to secure that, that can have a security risk . . . .”
He added that there is “war-driving” in Toronto. “It’s basically people that, as a hobby, drive around downtowns of cities in North America to hunt for insecure wireless network access - so they actually map it on a map and announce it.”
Their intention is generally not malicious, he says. Most are simply looking for free internet access, but some people will use the access point to hack into the company’s network.
“What is going to stop that person from going to the next step?” he asked. “If you can do it for fun, why not get the data and try to sell it or try to use it for another purpose? These are all things that have been haunting the computer world for the past few years.”
“We were one of the first people who put in a hot-spot,” says John Esvelt, director of information technology with Fraser Milner Casgrain LLP in Toronto. “The trick to wireless security is to build it outside your firewall . . . don’t just stick an access port into your firewall.”
He added that in his firm’s hot-spot, there’s a light firewall beyond that so visiting users are protected as well.
“We take that kind of stuff extremely seriously, because of the business that we’re in,” he says. “We didn’t even think about offering wireless to our clients until we knew we could provide them with the safe and secure system.”
Lo says in some firms the biggest danger may actually come from the firm’s lawyers, who secretly go out and buy their own wireless router and hide it under the desk.
“They think the IT department will not give them wireless, because it’s a pain in the ass to deal with, so they think, ‘Why don’t I just go out and buy one? I can set it up in a minute or two, hook it up under my desk, and no one will find out.’ ”
But that Wi-Fi system is not audited, the company will not know about it, and the information can start leaking from that point - that becomes the weakest link in the company.
Lo says he’s heard of firms that hire consultants that drive around the building physically to try to see if there’s any out-of-control wireless access points for that reason.
Connecting wirelessly on the road
Lo says another problem is lawyers who use laptops or other Wi-Fi devices from a wireless router at home or when they travel.
“The inherent danger is that when lawyers are travelling and there’s client information on the laptop and the Wi-Fi part is not properly secured, then if you go into an airport terminal you might not have Wi-Fi signals, but if you turn it on, some of the computers with the Wi-Fi capability have what they call ad-hoc networking, meaning that two computers with wireless turned on can theoretically start exchanging data.”
The danger is that unknown persons could be sitting nearby, maliciously attempting to capture people’s data.
Esvelt says simply being able to access a wireless network does not, and should not, mean an intruder can access the confidential materials.
“I think a lot of times people confuse the security to get on the wireless network with the security for how the work on the wireless network is done,” says Esvelt.
For example, Fraser Milner Casgrain uses a Citrix-based system to remotely deliver information. A central server acts as a gatekeeper authenticating users and authorizing them to access both data and applications from the server, all contained within the firm’s local area network.
The lawyers then use laptops to access the internet, going to a web site that links them to the Citrix server, essentially carrying on business as if they were sitting in their office. When the lawyers fire up the browser before they can access any applications including Word, they must enter a password and a secure ID to access the encrypted information - the number for which changes every 60 seconds to deter intruders.
Lo says some firms have gone to the extreme of stripping out the wireless cards from the computer.
“It becomes a balancing act between security concerns and proper usage,” he says. “The files can be encrypted. Or if they’re highly-sensitive, bring it in - don’t work at home!”
Connecting through a strange computer
The final danger exists even for lawyers connecting to a secure network using a technology such as Citrix, and that is if they’re using a public computer in an internet café where someone could be recording their keystrokes and passwords.
“If you use someone else’s computer, they can be watching what’s going on on your monitor,” says Esvelt. “The security risk isn’t that they’re going to enter you’re network . . . but they can see what you’re typing, they’re reading your e-mails.”
Recommendations for protection? Lo says the best, simple protection for firms dealing with wireless devices is a corporate policy dictating what may and may not be transferred wirelessly over the network. Law firms should not simply pretend there are no wireless devices in their company, or they will risk liability.
“A separate purchase policy definitely helps,” he added, “so that the IT department has strict control over all the devices. So for example, if a device got lost, the IT department will immediately know the account number, and they can notify their carrier . . . to make sure that device is shut down and turned off so no connection can be made to the corporate network.”
For a smaller firm seeking technological help, there are web sites where they can seek advice from their respective bar associations, such as practicePro’s www.practicepro.ca/securitybooklet. However, Lo strongly recommends that firms and lawyers without IT departments not try to render their wireless systems secure by themselves.
“They need to speak with someone who understands the technology,” he says.