Are Bring Your Own Device Programs Secure for Law Firms?

This year has forced many of us to adjust to situations we never pictured ourselves in. At the top of that list is the shift to working remotely, particularly for those whose positions typically involve long hours at the office. Law firms across Canada have had to react quickly to the new and unique challenges 2020 has brought. This transition hasn’t always been easy, as many firms weren’t set up with the right infrastructure to make the abrupt shift when things changed overnight. However, some of the firms that made the move most easily had “Bring Your Own Device (BYOD)” programs in place.

Bring Your Own Device (BYOD)
A common technology practice that has developed in recent years is the bring your own device program. This means that employees use their own mobile devices for both personal and professional tasks, with their employer subsidizing the cost. At the height of COVID-19, getting a hold of cellphones and laptops on short notice was especially challenging. In some cases, the shortage of available devices led firms to implement BYOD programs. These programs provide significant benefits to employers, including reduced hardware acquisition costs, higher productivity, and a seamless transition to remote work.

However, BYOD does come with its own set of unique security challenges.

The personal–professional data divide
When an employee uses their personal device for work, there is no clear divide between personal and corporate data. This lack of separation becomes particularly problematic in situations where employees may be obliged to hand over their personal devices to other people or authorities. There is also the reasonable concern of employees for their own privacy.

Ensure your firm has the necessary policies in place that not only enable employees to perform their job functions, but also outline all of the privacy concerns that come with a BYOD program. What data will you as the employer be allowed to access? What happens to personal devices when an employee leaves the company? More importantly, how will the firm maintain data privacy between the firm’s data and the user’s personal data?

Never use unsecured Wi-Fi networks
Hackers like free Wi-Fi for the same reason consumers do: it’s convenient and easily accessed. If you’re working on an unsecured network, you’re leaving yourself vulnerable to hackers who can obtain your emails, login credentials, and credit card information.

Our devices remember Wi-Fi networks we’ve used before and will connect to them any time we come close. Although this is meant as a timesaver, it’s a liability if that Wi-Fi is unsecured. It only takes a few seconds for someone to access all of your data if you happen to walk by the Starbucks Wi-Fi you used last week. As a precautionary measure, be sure to look at the connection settings on your phone or laptop and remove any unsecured Wi-Fi networks you may have used previously and saved.
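For firm IT staff who want to run this check on a laptop rather than click through settings, here is an added example (not part of the original article). It assumes a Linux laptop managed by NetworkManager, whose saved profiles are keyfiles under /etc/NetworkManager/system-connections; the sample profiles are constructed, and the script goes slightly beyond the text by also flagging WEP networks.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (illustrative only).
# On a real machine, read the *.nmconnection files under
# /etc/NetworkManager/system-connections (root access required) instead.
SAMPLE_PROFILES = {
    "cafe.nmconnection": "[connection]\nid=Cafe Guest\ntype=wifi\n\n[wifi]\nssid=Cafe Guest\n",
    "home.nmconnection": "[connection]\nid=Home\ntype=wifi\n\n[wifi]\nssid=Home\n\n"
                         "[wifi-security]\nkey-mgmt=wpa-psk\npsk=example%only\n",
    "hotel.nmconnection": "[connection]\nid=Hotel\ntype=wifi\nautoconnect=false\n\n"
                          "[wifi]\nssid=Hotel\n",
    "old.nmconnection": "[connection]\nid=Old Router\ntype=wifi\n\n[wifi]\nssid=Old Router\n\n"
                        "[wifi-security]\nkey-mgmt=none\nwep-key0=0123456789\n",
    "dock.nmconnection": "[connection]\nid=Dock\ntype=ethernet\n",
}

def audit_profile(text):
    """Return (name, finding) for one saved profile, or None if it is not Wi-Fi."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return None
    name = cp.get("connection", "id", fallback="(unnamed)")
    # NetworkManager treats a missing autoconnect key as "true".
    auto = cp.get("connection", "autoconnect", fallback="true").lower() != "false"
    key_mgmt = None
    for section in ("wifi-security", "802-11-wireless-security"):
        key_mgmt = cp.get(section, "key-mgmt", fallback=key_mgmt)
    if key_mgmt is None:
        security = "open"   # no security section: traffic is unencrypted
    elif key_mgmt == "none":
        security = "wep"    # key-mgmt=none means static WEP, which is obsolete
    else:
        return name, "ok"
    return name, (f"{security}, auto-joins" if auto else f"{security}, manual only")

def profiles_to_forget(profiles):
    """Saved networks that are open or WEP, with auto-joining ones listed first."""
    findings = [f for f in map(audit_profile, profiles.values()) if f and f[1] != "ok"]
    return sorted(findings, key=lambda f: ("auto-joins" not in f[1], f[0]))

if __name__ == "__main__":
    for name, finding in profiles_to_forget(SAMPLE_PROFILES):
        print(f"forget: {name} ({finding})")
```

Profiles reported as auto-joining are the ones the device will reconnect to on its own, so they are the first to remove.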

Be aware of the apps you download and their permissions
In an app, “permissions” govern what the app is allowed to do, including what information it can access, store, and pass on. In 2019, researchers discovered that more than 1,000 apps harvest your data, even when you don’t give them any permission to do so. These apps essentially piggyback on others that you’ve given permissions to. One small but common example of this data harvesting is the ads you see in an app for items you looked up in a completely different app.

Get into the habit of scrutinizing your app permissions and be aware of what apps are doing with your phone. When you download an app, it will usually ask you for permissions to access your calendar, camera, contacts, location, microphone, etc. What permissions does the app actually need in order to function? A mapping app, for instance, would need access to your location data. Does it also require access to your calendar? By denying permissions the app doesn’t need, you can prevent apps from ever seeing your data in the first place.

Take control of your passwords
If you lost your phone tomorrow, what would be at risk on your device? If your answer is ‘nothing’ because you have a fingerprint lock on your phone, think again. Hackers who work as part of a security research team at one company claim they’re able to beat any fingerprint lock in less than 20 minutes. It’s a never-ending race: as technology advances, so do the hackers. Your goal is to make it as difficult as possible for anyone but you to access your information.

Although it feels inconvenient to use different passwords for every application or to use multi-factor authentication, these are valuable tools that help protect you and your data. Multi-factor authentication is a security protocol that requires the user to provide two or more verification factors to gain access to an application, online account, or VPN. An example of one of these factors would be texting your phone a PIN that you then have to enter into the application.

If the application doesn’t offer multi-factor authentication, or you have trouble remembering all of your passwords, research secure password manager apps. Password managers not only keep your passwords secure, but they also generate strong passwords for you. When researching a password manager, make sure you research the company behind it. What are their security practices? Have they published third-party security audits? Then you’ll want to look at whether the passwords are stored locally (on the device you’re using) or in the cloud. If you lost your device, how would you retrieve those passwords? Cloud-based tools are the preferred method for storing passwords, as they sync across multiple devices.

BYOD programs can work in large and small firms alike. However, it’s important to train employees on the risks and what they can do to help keep data secure, both theirs and the firm’s.
