Effective device management is a balancing act between risk, productivity and firm culture: one size doesn’t fit all. In this article we look at common approaches to device management and present key considerations for developing an effective BYOD policy.
Lawyers and law firm staff use mobile devices every day for personal and professional reasons, both in the office and while working remotely. Most prefer to use their own, familiar devices for convenience and efficiency.
Phones, laptops and tablets have replaced the heavy briefcases and rolling file carts of the previous generation; on a mobile device, you can now access your firm’s filing system and software through a single login. Unfortunately, this means that others can potentially access it as well. Firm managers should be aware that allowing employees to use one device for personal and business purposes can expose the firm to significant risk.
A conservative approach is to completely bar staff from accessing firm networks from their personal devices, which effectively eliminates all associated risks. Some firms choose to purchase or lease their own mobile devices for employee use, giving them more control both over how their systems are accessed and over the devices themselves, with IT management ensuring the devices are updated, protected and functioning optimally. In the event that a firm device is compromised or stolen, its files can be remotely wiped and its access to firm networks promptly severed.
Other firms prefer to avoid the considerable expense of purchasing mobile devices, and allow employees to use their own with one big caveat: they must consent to installation of mobile device management (MDM), a type of security software that manages, monitors and secures the device and its access to firm systems. This includes measures such as regularly updating the OS, installing and updating anti-virus, using two-factor authentication, restricting sensitive file access and more.
Firm managers should be fully aware of the implications of using MDM on employees’ personal devices, with particular consideration for privacy and HR best practices. For this reason, we recommend firms implement a Bring Your Own Device (BYOD) policy.
If your lawyers and staff are using their own devices to conduct business to any degree, at the very least your firm should draft and implement a BYOD policy to mitigate risk and ensure employee needs are addressed.
Three key considerations will determine the extent of the practices and controls your firm will need to put in place: your risk tolerance, tech infrastructure and employee culture.
Employee technology practices are a law firm’s greatest point of vulnerability. A successful BYOD policy should educate staff about risks and best practices while also restricting technology use to safeguard the firm against potential threats.
It’s unlikely that your employees will be careful to separate their professional and personal use, and they may be unaware of the potential dangers. A small act, such as clicking a phishing email link, saving files to a device’s hard drive (which can be stolen), logging into public Wi-Fi or installing a malicious phone app, can bring disastrous consequences for the firm.
Many firms aren’t even aware of what technology their staff are using to access their systems; employees are using any number of free and accessible third-party apps to complete daily administrative tasks. Programs like WeTransfer, Google Drive and Sync are very popular and commonly used to transfer large files between systems. Are you aware of all the technology your staff is using to access and transmit firm data?
Assess the technology your employees are using independently and determine whether your current system is adequately serving their needs. Why are they choosing to work around your system?
If they are using Google Drive to transfer files, perhaps you need a more accessible file sharing system. If they’re downloading free PDF editors online, it may be time to review your firm’s software licenses. If your employees are frustrated with your firm’s technology, any band-aid solution you put in place will only compound their frustration and provide a further disincentive to follow protocols.
If your employees are accessing your network with their laptop, phone or tablet, they should have up-to-date anti-virus software. Free software like McAfee can provide basic protection, while more comprehensive protection runs from $25 and up per user license: determine how much malware protection you require, and who will be responsible for footing the bill.
Another concern is the risk posed by lost or stolen devices. While most devices are stolen for their resale value, law firms are prime targets for cyber criminals, and an opportunistic thief may recognize the value of your clients’ data on the black market. Measures such as two-factor authentication and remote file deletion should be put in place.
Next comes the question of support. When drafting your BYOD policy, determine what level of IT support still delivers the cost savings you expect from the arrangement. Who is responsible for managing and supporting firm-owned and/or personal mobile devices? If your IT is outsourced, does your current service level agreement cover personally owned devices?
If your IT support is provided in-house, where do you draw the line between firm and personal device support, and what are the staff resource implications? What are the cost and liability implications?
Firms should be aware that certain risks can arise from an improperly developed or implemented BYOD policy: issues such as employee privacy, employee conduct, overtime, and termination of employment should be considered and addressed. Your policy should follow HR best practices and carefully comply with provincial employment and labour laws. View this Law Society of Ontario podcast discussion, featuring helpful tips for creating a BYOD policy for your firm.
Ensure employees understand the risks: communicate how you will respect their expectations of privacy. Explain that when they transmit, store or interact with firm data, that information is proprietary.
Be respectful of their privacy and choices: provide options for those who choose not to participate. Clearly articulate in writing the repercussions for those who fail to adhere to the policy.
Employees should have input into the policy and should feel comfortable asking questions; you cannot succeed without buy-in from the entire firm.
With these three key considerations in mind, you should be able to begin the process of drafting your BYOD policy and executing a device management strategy that works best for your firm. At the end of the day, the goal is to empower your employees to use the tools they need to achieve success, while maintaining security for the firm.