Marquez: Implementing a secure BYOD policy at your firm


Well before the current pandemic, BYOD policies were already in place for many law firms. BYOD stands for “bring your own device,” which in general terms allows users to access corporate data on their own personal devices. This of course includes all cellphones that have been configured to receive firm emails.

My experience has been that many in IT are not fans of BYOD implementation beyond letting users receive emails on cellphones. And this is only because it is almost impossible to function in society without receiving email on your cellphone, and no sane person wants to carry two cellphones at all times.

With the pandemic, many companies, including law firms, were scrambling to allow users to work from home. This included blowing off the dust from old laptops that IT had yet to “recycle” in addition to allowing employees to install virtual private network, or VPN, software on their personal computers to access the firm’s resources. In other cases, IT teams were tasked with guiding attorneys and staff through how to access their cloud documents from personal computers.

BYOD policies can become complicated and confusing, and they have the potential to open many security risks to the firm. Expecting IT to continue to secure the firm’s resources while allowing home users to use personal equipment is not realistic without implementing or updating your BYOD policy so that it has some teeth. So, what should your BYOD policy include?

A personal workstation should be a dedicated workstation

Let’s start with possibly the most difficult requirement right out of the gate. The WFH workstation should be one that is only used by the specific attorney or staff and not by other members in the household. Of course, this type of rule in your BYOD policy is solely on the honor system, but the expectations of who should have access to the workstation should be defined.

To understand this better, you typically would not allow users in your office to share the same “user” profile on a workstation. And outside of clerks and the receptionist desk, you will usually have a 1-to-1 (or sometimes 2-to-1) ratio of workstation-to-user.

Firm-managed security services need to be installed

Any workstation that is connected to the firm’s VPN or given permission to connect to the firm’s cloud resources must have the firm’s security suite installed. This includes antivirus software, remote management and monitoring software and domain name system protection, to name but a few. The important thing here is the centralized management and monitoring of all workstations that access the firm’s resources. Even if the personal workstation has antivirus software installed, IT cannot monitor to know if it is up to date or not.

No matter how secure your firm’s network may be, or your cloud environment, it’s best to not let workstations lacking in the latest updates and virus definitions connect to your network.

Workstations should be encrypted

Many firms do require that laptops have their hard drives encrypted. Encryption protects the contents of a hard drive from being viewed should the laptop be lost or stolen. The same should be required of personal laptops. Windows BitLocker can accomplish this requirement and is a feature many IT professionals are familiar with. Personal computers purchased from big box stores or even online will typically come with a home version of Windows and will need to be upgraded to at least Windows Professional in order to get the BitLocker feature. Users who have MacBooks and iMacs will need to enable FileVault to encrypt their hard drives.
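The two requirements above (a firm-monitored, up-to-date antivirus and an encrypted drive) can be checked rather than taken on the user's word. The following PowerShell script is an added example, not from the column or any firm's toolkit; it assumes an elevated session on Windows 10/11 with the BitLocker cmdlets and Microsoft Defender present, and the seven-day signature-age limit is a constructed threshold.

```powershell
# Added example: read-only posture check for a Windows WFH workstation before
# VPN or cloud access is granted. Assumes elevated PowerShell 5.1+ on Windows 10/11.
# Get-BitLockerVolume exists only on Pro/Enterprise/Education editions;
# Get-MpComputerStatus requires Microsoft Defender. 7 days is a constructed limit.

$MaxSignatureAgeDays = 7
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Windows edition: Home editions cannot enable BitLocker at all, so the
#    "upgrade to Professional" requirement is verified first.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -match 'Home') {
    $findings.Add("OS edition '$($os.Caption)' has no BitLocker; upgrade to Pro or higher.")
}

# 2. System drive encryption: the volume must be fully encrypted AND protection on.
$bitlockerCmd = Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue
if ($null -eq $bitlockerCmd) {
    $findings.Add("BitLocker cmdlets are not available on this machine.")
} else {
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($osVol.ProtectionStatus -ne 'On' -or $osVol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("$($env:SystemDrive) VolumeStatus=$($osVol.VolumeStatus) ProtectionStatus=$($osVol.ProtectionStatus)")
    }
}

# 3. Antivirus state: real-time protection enabled and signatures recent, so IT
#    is not relying on the user's assurance that the home AV is current.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $findings.Add("Defender status unavailable; confirm the firm's managed AV agent is installed.")
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is disabled.") }
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add("AV signatures are $([int]$sigAge.TotalDays) days old (limit $MaxSignatureAgeDays).")
    }
}

# Any finding means the workstation should not yet be granted VPN or cloud access.
if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: $env:COMPUTERNAME meets the encryption and AV requirements."
} else {
    Write-Output "NON-COMPLIANT: $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run by the remote management tool rather than by the user, the output gives IT the centralized evidence the column describes instead of a self-reported status.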

Workstations can be wiped remotely

Probably the most controversial, and a deal breaker for many. There are a few important scenarios in which IT needs the ability to remotely wipe and factory reset the personal workstation. These scenarios include if the employee is terminated from their position, they leave the firm or if the workstation is stolen.

It is not likely you will have much success if you ask a user to have a remote session with IT after they have been terminated so that IT can remove any firm-related software, VPN connection or data. Unfortunately, this “nuclear option” is the only way to ensure IT can have a reasonable chance to clean the workstation. It is not possible for IT to know every possible location on the hard drive where the user may have saved sensitive firm data.

Back up the personal workstation

We all know those users in our firms that for whatever reason will save the draft of the brief they are working on to their Desktop or Documents folder on their workstation instead of saving to the document management system (either on-premise or in the cloud) or to the appropriate network file share. Then after several hours or days of tinkering, Murphy’s Law happens and the document is lost with no possible way to restore from backup because IT typically does not back up workstations.

With users working remotely, there may be times when it makes more sense to save the document down locally to work on it and then save back to the appropriate location. It is important to have the ability to restore important firm documents should they be lost due to file corruption, or the workstation is damaged or stolen.

Also, by backing up the user’s workstation, you have the ability to restore any personal data that may be remotely wiped should the employee be terminated from their position.

Does your BYOD policy align with expectations?

A strong BYOD policy will have well-defined expectations of the end user and will allow for IT to install the necessary software and tools to protect the firm’s data and resources. It is important for the decision-makers in the firm to understand how their BYOD policy meets their defined security requirements. For example, there are many times when the legal administrator will ask IT to make sure the user has no firm software or data on their personal WFH workstation when IT was never allowed to install any software or tools — or to verify the workstation was encrypted … after it was stolen.

How does your BYOD policy stack up with the firm’s security requirements and expectations? Ideally this would be a topic you discuss with your IT team at least quarterly to make sure everything is aligned.

Tino Marquez ([email protected]) is co-owner of the Indianapolis-based legal technology company Modern Information Solutions LLC. Areas of service include traditional IT services, software training and litigation support including trial presentation services. Opinions expressed are those of the author.
