LAW OFFICE COMPUTING

April 2004

Winton Woods

 

 

Last month I wrote about how easy it has become to set up a wireless network in your home or home office. This week, newspapers around the country carried a story about a company called MetroFi in Mountain View, California. MetroFi is building a citywide wireless network in Santa Clara, a visionary expansion of the wireless Internet phenomenon. Santa Clara has 40,000 homes in the center city, and by this summer all of them will have access to the Internet over wireless connections. Later this year the entire twenty square miles of the Santa Clara network will be completed. Several other cities and locales are developing similar wireless networks. In eastern Oregon, EZ Wireless of Hermiston has created a huge network that covers seven rural towns and over 600 square miles. That network is open to all: businesses, residents and public emergency crews. Those networks have low access costs, on the order of $20-30 a month, and provide a level of ease of use and service that is outstanding.

 

MetroFi, the builder of the Santa Clara network, is actively working to expand its operations all over the country. Unlike the wireless Internet service provided by Sprint and some other national telephone suppliers, the MetroFi system is relatively cheap and uses very inexpensive equipment. Unlike the other competitors, the transfer speed of the MetroFi system is about as fast as you would expect from a hardwired DSL service. The short of it is that high-speed wireless access to the Internet, and thus to our office computers, is a technology that is now upon us. We must develop the tools necessary to use it. The first, and most important, is establishing adequate security for network and office information.

 

Last month I gave you a couple of simple tools for making sure that hackers don’t break into the simple system that you set up. Those tools are fine for home use, but if you intend to do any serious business over a WiFi network you absolutely must implement a much more robust security solution. Credant Technologies has recently published a white paper entitled “Best Practices for Securing the Mobile Enterprise” that is available from Credant at www.credant.com. Credant is in the business of implementing the kind of high-level security that sensitive business and professional information requires, and their paper is worth reading in full. There are many other national vendors in this emerging cottage industry, and they will all be on display at NetWorld+Interop Las Vegas 2004 this month. Whether you choose a vendor or try to go it alone, there are basic tasks that must be completed.

 

The first step is to perform a careful risk assessment. This is critical to understanding what your needs are and developing a security policy. You need to identify where you are getting information of various kinds, such as protected client information, litigation work product and sensitive employee information. You need to know who controls that information, who has access to it, and how it is stored and accessed in your office. Most importantly, you need to know how it is protected now and how it needs to be protected in the future.

 

Once you have developed the details of your system and undertaken a careful risk assessment, you’re ready to implement a security policy. The focus of the policy should be upon reasonable but careful and prudent security controls on both hardware and software. Particular kinds of information, such as client communications, proprietary information and work product, need to be given special protection under the policy.

 

Once the policy has been established, you face the hard process of educating your staff about that policy and its importance. The staff needs to be made aware of the reasons for the policy and the importance of securing various types of information and protecting the system from outside use and interference. For example, many lawyers load important protected information onto their laptops so that they can work during their time away from the office. Recent figures tell us that up to 2000 laptops are lost or stolen every day! Because the individual laptop contains information that needs to be protected, the policy must address the possibility that such a device will be lost or stolen and fall into the hands of someone who does not have the same interest as you do in securing your clients’ personal information. The same thing goes for Blackberries and other PDAs, which may have a tremendous amount of confidential information stored in them and at the same time are so small that they are easily mislaid or stolen. Your security policy must address those kinds of hardware-specific issues and develop a protocol for ensuring that a strong security technique is implemented on all machines that hold information, whether they are in the office or outside. Part of the control over hardware devices must extend to devices that are owned by employees instead of the firm. The potential for compromising your entire security policy through unthinking use of protected information on employee-owned machines or devices is very high. Special rules may need to be implemented in regard to mobile workers. Understanding and appreciating these rules must be treated as “Job One” for the mobile worker. There is obviously a careful balance that must be established between utilizing the incredible productive tools that wireless networking can provide and the lawyer’s unique concerns about security of information.

 

Beyond the simple password and MAC identification number security techniques that I talked about last month, there are much stronger security techniques that can be implemented. These techniques require a considerable amount of technical expertise and should only be undertaken by a skilled technician who is thoroughly trained in their implementation. It goes without saying that the implementation of those security controls must be done in the context of your carefully articulated security policy, which the technician must understand and appreciate. Implementing information security for a law firm is not a candidate for cookie-cutter solutions.

 

Some of the most exciting new technologies relate to any number of new authentication and identification devices that are being developed. Devices that read fingerprints or retinas are only the first step, and one can speculate about many other more exotic user-authentication techniques. One of the most controversial is the implantation of a security identification chip into the hand of the user. That security chip could be used for many purposes where absolutely correct identification is crucial to controlling access to computer networks.

 

We’re just at the “beginning of the beginning” of the use of wireless network technology, but as the Santa Clara story told above indicates, the future is upon us. It has been predicted that over 120,000 wireless “hot spots” will provide access to 200 million wireless devices in the next three years. Such tools as smart phones, tablet PCs, PDAs and Blackberries are now common. They will be ubiquitous before we know it. We need to start planning for implementation of complete security systems in our offices. Our clients and our malpractice insurers demand it!