Lawyers are ethically obligated to maintain client security, but remote work has added a new layer of complication for many law firms. If you and your staff are not well-versed in the necessary work-at-home and remote access security measures, now is the time to get up to speed. Sharon Nelson and John Simek welcome David Ries to discuss what lawyers need to know to maintain appropriate security.
Read David’s entire co-authored alert here: Work-At-Home and Remote Access – It’s Time for a Security Review
David Ries is of counsel in the Pittsburgh, PA office of Clark Hill PLC, where he practices in the areas of environmental, technology, and data protection law and litigation.
Special thanks to our sponsor, Logikcull and PInow.
Work-At-Home and Remote Access – It’s Time for a Security Review
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 116th edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics cybersecurity and information technology firm in Fairfax, Virginia.
John W. Simek: And I’m John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is “Work-At-Home and Remote Access – It’s Time for a Security Review.”
Sharon D. Nelson: Before we get started, I’d like to thank our sponsors. Thanks to our sponsor Logikcull, instant discovery software for modern legal teams. Logikcull offers perfectly predictable pricing at just $250 per matter per month. Create your free account at any time at logikcull.com/ltn.
We would like to thank our sponsor, PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: Today our guest is our longtime friend and co-author Dave Ries. Dave is of counsel with Clark Hill and practices in the area of technology, data production and environmental law and litigation. For over 25 years, he has increasingly focused on cybersecurity, privacy, and information governance. He has recently addressed in his practice such current issues as cybersecurity and privacy programs and policies, contracting for privacy and security, response to security incidents and data breaches, digital and environmental forensics, admissibility of expert opinions, e-discovery, and defense of enforcement actions. He is a co-author of ‘Locked Down: Practical Information Security for Lawyers’ Second Edition and ‘Encryption Made Simple for Lawyers’, the editor of ‘eDiscovery’, Fourth Edition and a contributing author to ‘Information Security and Privacy: A Legal, Business and Technical Handbook’ Second Edition. He is a member of the American Bar Association’s Cybersecurity Legal Task Force as well.
Dave, it’s great to have you with us again.
David G. Ries: Thanks. It’s always a pleasure to work with you and Sharon.
Sharon D. Nelson: Well, we’re glad you’re back and you wrote, or co-wrote, I should say, an alert for your law firm called Work-at-Home and Remote Access – It’s Time for a Security Review, which is the title of our podcast. Can you tell us a little bit about the alert and how it came to be, Dave?
David G. Ries: Sure. My colleague Jeffrey Wells and I wrote the alert to suggest that everyone step back and look at the security they have in place for working at home and for remote access, and today, I’m going to focus on attorneys and law firms as we go through it, but the alert actually covers businesses and organizations of all times.
And all of us went through the shutdown and stay-at-home orders, when law firms of all sizes had to quickly shift to remote access for everyone. Some firms already had the technology in place, others had to start for scratch, and the challenge was it had to be done very quickly, whether it’s starting or moving ahead.
So we suggest that now that everybody is used to working home some folks who are even starting to go back to the office, that everyone should step back and look at the security, make sure that it’s done correctly, and also learn from experience maybe some things went wrong, hopefully they didn’t, but if they did to address them so that they don’t continue.
John W. Simek: Well, Dave, we all have our favorite resources for information, et cetera, I know you and Sharon and myself we’re always trading stuff, notices and things, but can you tell our listeners what some of the best security information resources on work at home and remote access are?
David G. Ries: my favorites are in the alert and they include government agencies and security organizations. So they are CISA (the Cybersecurity and Infrastructure Security Agency) in the Department of Homeland Security, there’s a National Institute for Science and Technology (NIST), and the National Security Agency. There are also security organizations like the Center for International Security in the SANS Institute. In the alert there are links to the most recent information from them on work-at-home and remote access.
For attorneys there’s also the ABA Law Practice Division and the Cybersecurity Legal Task Force, they include some free webinars for ABA members and I know you and Sharon have done some of them.
Sharon D. Nelson: We’ve all been worried about people who are working from home and I know that I’ve heard John lecture that you are 3.5 times more vulnerable when you are working from home. So what are the special considerations for attorneys who suddenly find themselves remote working?
David G. Ries: These are the concerns that you and John and I write and speak on all the time. So attorneys have ethical and common law duties to employ competent and reasonable measures to safeguard information relating to clients. They also often have contractual and regulatory duties. So that’s the Ethics 20/20 amendments to Model Rule 1.1 on Competence and to Model Rule 1.6 on Confidentiality.
In addition, the Pennsylvania Bar Association recently issued a formal opinion, it’s 2020-300 on Ethical Obligations for Lawyers Working Remotely. So it’s a brand-new opinion that pulls everything together on this particular topic.
John W. Simek: Well, Dave, I know you had a list of considerations that we’re in the alert, can you kind of identify the best approach to address those?
David G. Ries: Like everything else in cybersecurity, it should be part of a comprehensive program and the program should include technology, policies and procedures and people. Ad hoc security where you just kind of go through a checklist of your things like passwords and security software and things like that, just doesn’t work well by itself. So, it’s best to make it part of comprehensive program. There are various published standards by NIST and the Center for International Internet Security, the groups I mentioned before that have information on comprehensive information security programs, so they provide the overview and each of the steps that law firms and other organizations take for security, it should be part of this overall program. So you start with the risk assessment, look at the risk to the particular kind of information you have and then building into a security program.
One of the steps, which is what we’re suggesting in this alert, is that you periodically go back, do a review, see what’s working, see what hasn’t worked, see what has changed in terms of the risk posture and then build that into the comprehensive program. So that’s the best way to deal with this and most other areas of cybersecurity.
John W. Simek: Is it kind of the wash-rinse-repeat, Dave?
David G. Ries: Yeah, exactly.
Sharon D. Nelson: Exactly, that I think. So what are the security considerations for end-users who are working at home and have remote access? That’s a real issue for most law firms and they weren’t prepared.
David G. Ries: So what I’d like to do with remote access, whether it’s home or on the road, is to break it down into three areas. So, first of all, there’s the users and that’s whatever the attorney or whoever else is connected remotely is using to get in; second is the connection, making sure you have a secure connection from the users and into the network or cloud service that you were connecting to, and finally the security at the other end, this being provided at the law firm’s network or cloud service. So there’s three different steps and this is the first one.
So, first you have to make sure that the laptop, desktop, tablet, whatever you’re using to connect is secure and that includes having it securely configured, having the correct security software and things of that nature on it. It’s particularly important that the user has an up-to-date operating system with all the patches and up-to-date applications with all the patches and finally up-to-date security software with all the current updates to it.
You have to be careful of the network that the end-user is using to connect, whether it’s a home wireless or a home wired, you have to make sure that it’s secure, it doesn’t do any good if the computer is secure if anybody can get into the wireless connection.
Understanding the dangers of bring your own device and shared computers particularly if they are shared with teenagers and to try to protect against that the best you can, to have strong authentication a password or passphrase to get onto the computer that’s being used at home, preferably to have automatic log off after 15 minutes or less of inactivity, and finally to backup whatever is on it that isn’t being done in the network.
So those are the considerations at the user end.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Advertiser: Trying to cut costs, you are not alone. In today’s climate a five-figure eDiscovery bill per month is steep, don’t pay that. Use Logikcull to reduce expense and control your discovery process. Get started today for only $250 per matter and they will waive migration costs from competing platforms. For more information, visit logikcull.com/ltn.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is ‘Work-At-Home and Remote Access – It’s Time for a Security Review’. Today our guest is our longtime friend and co-author, Dave Ries. Dave is of counsel with Clark Hill and practices in the areas of technology, data protection and environmental law and litigation.
John W. Simek: Dave, before the break you talked about the security measures for the actual end-user, can you talk a little bit about how should the security be addressed for the remote connection to law firm network or to a service provider if that’s what you’re using?
David G. Ries: Sure. So you’re going to be going from the computer at home, generally over the Internet to whatever you’re accessing. So just to repeat, it’s important to have a secure wired or Wi-Fi system at home, with Wi-Fi you wanted to have WPA2 or we’re moving into WPA3, and make sure it is securely configured with a password and everything.
Then, you want to use a Virtual Private Network or other type of secure connection so that the communications between the end-user and the law firm or service can’t be intercepted, and make sure that you avoid using public Wi-Fi for anything for law firm or other confidential work.
So that gets you from the end-user and connecting to whatever you’re going to.
Sharon D. Nelson: Okay, so let’s flip it around. What are the security considerations for the law firm network or the service provider that is being remotely accessed, how do you deal with that?
David G. Ries: Well, there’s a number of points there that we list in the alert to quickly run through them. You want to have strong authentication, so that’s the username and password or passphrase that gets you into the system at the other end. It definitely should have multi-factor authentication so that if the password is compromised that it gives you another level of protection.
Again, having the automatic log off that I mentioned before, it should be on the end-user’s computer, you want to have segmentation of the network, meaning it’s based on a need to know everyone who logs in can’t access everything that is in the network or in the service just what they need.
Now in practice that’s somewhat difficult to do, you can’t segment everything, but at least having a reasonable level of it.
Use of a data loss prevention tool, there’s a number of them out there and particularly for mid-sized and large law firms, it’s an important security feature. Having logs of all the remote connections and what they did and keeping the logs so that if there’s a problem later you can identify what happened.
When we do incident response, one of the biggest challenges that we have is that a lot of networks either don’t have logs or don’t keep them long enough, and finally having a system in place for answering user questions or reporting incidents, that should be part of the network when people are in the office, it sometimes can be even more important when they are working remotely.
So those are the basic recommendations that we have for the law firm network or service provider.
John W. Simek: So, Dave, how should end-users be covered in security for work-at-home and remote access?
David G. Ries: All right, so we’ve talked about the technology for all three steps in it, and this is dealing with the people part of it, and the main thing is having adequate training in remote work security both initially and repeating it so that people don’t forget about it particularly when they are working away from the office for two or three months and for some it may even be more. And that training should include protection against phishing and social engineering, which is one of the biggest threats, both inside the law firm network and for folks working remotely.
And the third thing which comes from training but it is a step beyond training and that’s constant security awareness. Every time that someone is using the computer every day and keeping it the whole time they are there. Multitasking and distraction are two of the big enemies of security. So we want to avoid that when people are working at home.
Sharon D. Nelson: Well, here’s the 60 million dollar question, and the one that fuels all the flames of controversy, what are your suggestions for secure collaboration and conferencing services?
David G. Ries: Well, we’ve all been learning about that and be learning a lot about it. The first step is doing due diligence on the service that you’re going to use and whether it’s GoToMeeting, Microsoft Teams or Zoom, it’s understanding its features, particularly its security features and understanding any limitations that it has.
Zoom got a lot of bad press, probably deservedly so, because of some of the security issues with Zoom bombing and things like that. Zoom has done a lot to upgrade its security, but even with the Zoom bombing if it had been configured correctly, it probably wouldn’t have worked.
Interestingly, one of the resources that I listed earlier and there’s a link to it in the alert, is that the NSA has published security standards for collaboration and conferencing tools to be used by Federal agencies and it includes Zoom as meeting the standards for Federal agencies, not for classified information but for other information that may be confidential, but it depends on configuring it securely, using things like a password, not having everybody be able to share their screen unless the host allows them to, and things like that.
So doing the due diligence to understand the features, making sure that all users know how to use it, particularly hosts, because as I mentioned a couple times if it’s not securely configured, it can be really dangerous.
And then caution with recording it. You can have situations where an end-user can record it on their own device and you really can’t prevent that, there’s also a Zoom feature, I think the other ones also have it for recording conference calls and meetings. If you’re going to do that where is it going to be stored, what security is there, and things of that nature.
So I mean just to summarize it, it’s the due diligence, learn how to use it, and use it securely.
Sharon D. Nelson: And we’ve been teaching a Zoom for lawyers for about two months now and I can’t tell you how many people come to those things, but we are stuck in Virginia with a lot of WebEx and the courts, and there’s no particular enthusiasm for that platform that I can see, it is very secure, but Zoom seems to us to be a more robust and user-friendly platform.
David G. Ries: Yeah, and I think I actually sent you this, Zoom has been focusing on security and they’re actually opening an office in Pittsburgh, where I live, and they’re locating it here, because they’re going to be working with Carnegie Mellon University on security issues among other tech.
John W. Simek: Well, Dave, are there any other security issues related to COVID-19 that the attorneys and the law firms should consider? I know you mentioned phishing earlier and we’re certainly seeing a bunch of phishing flying around in relation to this pandemic, but other security issues you want to talk about?
David G. Ries: Yeah, well, I mean along with phishing and everything else to protect against social engineering and malware, there’s a couple. One is security for home printers. If you are going to print confidential client information or other confidential firm information, there can be security issues with the printers storing it, if it’s a wireless printer that isn’t configured securely, someone may be able to intercept that. So printers are a second thing other than the phishing and protection against the usual security threats.
A third one is paper documents. If you are printing confidential law firm or client documents at home what do you do with drafts, what do you do with old ones? We all over our shredding bins and security in the office, don’t just throw it in regular trash at home and we actually did an alert on that earlier before the current one on the importance of paper in cybersecurity during the work-at-home.
Also backup and business continuity are the devices that you are using at home being backed up, if things are just backed up in the network when you are using a Document Management System or Office 365, now Microsoft 365, or one of those tools where you have a backup through the system, if you just do something locally on a computer at home it may not be backed up.
So those are the additional security considerations that at least I can think of as we go through this for working at home and remote access.
Sharon D. Nelson: Well, we sure want to thank you for being our guest today, Dave. In spite of the fact that we lecture on this topic, I never fail to learn something from you. So that made me think maybe there is a webinar in this, you gain for another outing with the two of us?
David G. Ries: Sure.
Sharon D. Nelson: Alright, Sharon has a brilliant idea while podcasting, that’s a good one.
Thank you again for joining us for taking the time and for decades now of friendship and just it’s been so much fun working with you, so thanks for joining us on the podcast today.
David G. Ries: Well, I am always glad to do it, but we always learn from each other when we do something like this, and one of the things that I enjoy about lecturing where you have an audience that can interact with you, as you always learn from the audience too, so it’s always a great learning experience doing these kinds of things.
John W. Simek: Well, that does it for this edition of Digital Detectives, and remember, you can subscribe of all the editions of this podcast at legaltalknetwork.com or in Apple Podcast, and if you enjoyed out podcast, please rate us on Apple Podcast.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics technology and cybersecurity services at senseient.com.
We will see you next time on Digital Detectives.
John W. Simek: Thanks for listening to Digital Detectives on the Legal Talk Network, check out some of our other podcasts on legaltalknetwork.com and in iTunes.