Effective device management is a balancing act between risk, productivity and firm culture: one size doesn’t fit all. In this article we look at common approaches to device management and present key considerations for developing an effective BYOD policy.
Lawyers and law firm staff use mobile devices every day for professional reasons, both in the office and while working remotely. These days, with more firm members working regularly from home on unsecured or shared personal devices, firms are more vulnerable to security threats.
A conservative approach is to completely bar staff from accessing firm networks from their personal devices, which effectively eliminates all associated risks. Some firms choose to purchase or lease their own mobile devices for employee use, giving them more control over how their systems are accessed and control of the devices themselves, with IT management ensuring they’re updated, protected and functioning optimally. In the event that a firm device is compromised or stolen, its files can be remotely wiped and access to networks promptly severed.
Other firms prefer to avoid the considerable expense of purchasing mobile devices, and allow employees to use their own with one big caveat: they must consent to installation of mobile device management (MDM), a type of security software that manages, monitors and secures the device and its access to firm systems. This includes measures such as regularly updating the OS, installing and updating anti-virus, using two-factor authentication, restricting sensitive file access and more.
Firm managers should be fully aware of the implications of using MDM on employees’ personal devices, with particular consideration for privacy and HR best practices. For this reason, we recommend firms implement a Bring Your Own Device (BYOD) policy.
If your lawyers and staff are using their own devices to conduct business to any degree, at the very least your firm should draft and implement a BYOD policy to mitigate risk and ensure employee needs are addressed.
Three key considerations will determine the extent of the practices and controls your firm will need to put in place: your risk tolerance, tech infrastructure and employee culture.
Employee technology practices are a law firm’s greatest point of vulnerability. A successful BYOD policy should educate staff about risks and best practices while also restricting technology use to safeguard the firm against potential threats.
It’s unlikely that your employees will be careful to separate their professional and personal use, and they may be unaware of the potential dangers. A small act, such as clicking a phishing email link, saving files to a device’s hard drive (which can be stolen), logging into public WiFi or installing a nefarious phone app can bring disastrous consequences for the firm.
Many firms aren’t even aware of what technology their staff are using to access their systems; employees are using any number of free and accessible third-party apps to complete daily administrative tasks. Programs like WeTransfer, Google Drive and Sync are very popular and commonly used to transfer large files between systems. Are you aware of all the technology your staff is using to access and transmit firm data?
Assess the technology your employees are using independently and determine whether your current system is adequately serving their needs. If firm members cannot maintain optimal productivity and client service because of their technology, any band-aid solution you put in place will only compound their frustration and provide a further disincentive to follow protocols.
If your employees are accessing your network with their laptop, phone or tablet, they should have up-to-date anti-virus software with regular updates and patches installed.
Another concern is the risk posed by lost or stolen devices. While most are stolen for the value of the device itself, one should consider that law firms are prime targets for cyber criminals: more than ever, firms are being breached and their data held and ransomed for large sums, costing money, disrupting operations and putting clients at risk.
Next comes the question of support. When drafting a BYOD policy, firms should determine what level of IT support will capture cost savings. Who is responsible for managing and supporting firm-owned and/or personal mobile devices? If your IT is outsourced, does your current service level agreement cover personally owned devices?
We recommend firms use a Virtual Desktop with Private Cloud to solve these critical challenges. With a Private Cloud, firm data and software are hosted offsite in a secure data centre: this is where all the computing takes place, with no data stored on individual devices.
Firm members simply log in to their virtual session, which runs in the data centre but delivers the same experience as a traditional computer desktop. Everything is managed behind the scenes by the Private Cloud provider while firm members can focus on being secure and productive in any location.
Firms should be aware that certain risks can arise from an improperly developed or implemented BYOD policy: issues such as employee privacy, employee conduct, overtime, and termination of employment should be considered and addressed. Your policy should follow HR best practices and carefully comply with provincial employment and labour laws. View this Law Society of Ontario podcast discussion, featuring helpful tips for creating a BYOD policy for your firm.
Ensure employees understand the risks: communicate how you will respect their expectations of privacy. Explain that when they transmit, store or interact with firm data, that information is proprietary.
Be respectful of their privacy and choices: provide options for those who choose not to participate. Clearly articulate in writing the repercussions for those who fail to adhere to the policy.
Employees should have input into the policy and should feel comfortable asking questions; you cannot succeed without buy-in from the entire firm.
With these three key considerations in mind, you should be able to begin the process of drafting your BYOD policy and executing a device management strategy that works best for your firm. At the end of the day, the goal is to empower your employees to use the tools they need to achieve success, while maintaining security for the firm.