The very first place you should start when thinking about digital threats to your law practice’s confidential information is not hackers in hoodies. It is the hardware and software you use. It doesn’t matter whether you use a Macintosh computer, a Linksys router, or an Android phone. There are some fundamental steps to take with any technology.
Is it a Consumer Product?
Somewhere between 2/3rds and 3/4ths of lawyers in Canada and the United States are sole practitioners or in small law firms. Based on responses to years of the ABA’s technology survey report, fewer solo and small firms budget for technology than their larger counterparts. It is hardly surprising that a solo lawyer would buy technology that enabled her personal productivity, without regard to whether it was designed for a home user or a business user.
But that can be a critical distinction. You do not need to buy business or so-called enterprise technology for your law practice. If you don’t, however, and buy consumer-grade technology, you should understand some of its limitations. One of the most important is that it may never get updates or fixes for security and other flaws, where a more expensive, business-focused device might.
Here’s an example. When you connect your home or office to the internet, you use a router to make the connection. A router is a piece of hardware that has a very small computer inside it, with its own operating system. That operating system is probably open source, and therefore free, to keep the cost of the device as low as possible. When you purchase it, that software (also known as firmware) is probably up to date. But over time, flaws and other defects in that software may be discovered. If you do not update your device, then those flaws can be exploited. In some cases, your router’s manufacturer will release an update, which you then need to apply; in others, your router’s manufacturer will not provide an update.
Imagine, then, the role your router plays. You send email through it. You may upload documents or case information to an online – or cloud – practice management tool. You may take telephone calls over the internet. So a router can be a key piece of technology. And an unpatched or out-of-date router can be exploited to (a) intercept your communications and (b) access your law firm or home network.
When you use consumer-oriented technology, you need to understand how to keep it up to date. When you open your Apple iPhone, it will tell you when a new version of an app or the iOS operating system is available. Devices like that are easy to maintain. If you are unable to keep your hardware and software up to date, either because the updates don’t exist or because you can’t apply them, you should plan to discard it regularly and replace it with current technology.
The upside of the $50 consumer router is that, two years from now when this one is no longer current, you can replace it with another $50 router. What you can’t do is set-and-forget consumer technology and assume, after many years, that it is still securing your information as well as it did when you first bought it.
Most law firms aren’t enterprises, even the biggest firms, as the term is defined in the software world. However, larger law firms will use so-called enterprise technology because it is designed to support the activities of hundreds and thousands of users. Solos and smalls may purchase enterprise or SMB (small and medium business) technology as an alternative to consumer technology. It will cost more but it will provide additional functionality and benefits, the most important of which is probably updates.
I don’t think it’s unreasonable for a lawyer to purchase consumer grade technology, though. Enterprise technology – like the Cisco routers exploited in 2015 – can still be vulnerable. The key is to make sure that, whether by replacing the hardware or applying a software update, you are keeping your hardware and software current.
Your computer, tablet, and phone are designed to be updated easily. Windows 10 doesn’t even let you opt out of some updates. But Apple or Android, Windows or Mac, you are probably being regularly notified about new updates. Microsoft is so regular that their updates are known as Patch Tuesday. Be sure to enable these updates so that your computer and other devices remain current.
You may even want to follow along with US-CERT to hear about the latest significant exploits and make sure they don’t impact you. But even if you don’t tap into current awareness related to updates and patches, you should be using the options in your operating system and applications to automatically update to the latest versions.