How to Secure Your iOS Device & Keep Client Data Safe Tom Lambotte

Upload: rocket-matter-llc

Post on 02-Jul-2015


Category:

Mobile



DESCRIPTION

There’s a lot more to mobile security than enabling the password on your iPhone or iPad. Unfortunately, very few small law firms have the proper measures in place to protect their confidential client data. If needed, could you convince a Board of Ethics that you had done your due diligence to protect your client’s data? Strong iOS security starts with becoming familiar with the most common threats to compromising firm data on your iPhone or iPad. While many assume they are not at risk since they are not a ‘big’ law firm, the opposite is true.

TRANSCRIPT

Page 1: How to Secure Your iOs Device and Keep Client Data Safe

How to Secure Your iOS Device &

Keep Client Data Safe

Tom Lambotte

Page 2: How to Secure Your iOs Device and Keep Client Data Safe

Less is more.

Page 3: How to Secure Your iOs Device and Keep Client Data Safe

Story 1:

Christine Senior Paralegal and Office Manager

Ditcher, Quick & Hyde, Divorce Lawyers

Page 4: How to Secure Your iOs Device and Keep Client Data Safe

Stats on passwords:
• Half of iPhone users don’t lock their phones (pre-TouchID).
• 10 most common passwords made up 15% of all phones*:
  • 1234, 0000, 2580, 1111, 5555, 5683 (LOVE), 0852, 2222, 1212 and 1998.
• The top four codes represent 10.8
• Years between 1990 and 2000 are all in the top 50, and 1980 to 1989 are in the top 100 passcodes
• With a 15 percent success rate, about 1 in 7 iPhones would easily unlock

http://www.eweek.com/c/a/Security/Top-10-PIN-Codes-Picked-by-iPhone-Users-637446/#sthash.ihFP9INR.dpuf

Page 5: How to Secure Your iOs Device and Keep Client Data Safe

Story 1:

Christine Senior Paralegal and Office Manager

Ditcher, Quick & Hyde, Divorce Lawyers

Lesson:

Trust cannot replace implementing proper and enforceable measures.

Page 6: How to Secure Your iOs Device and Keep Client Data Safe

Story 2:

“Johnny” Project Manager

GlobalMac IT

Page 7: How to Secure Your iOs Device and Keep Client Data Safe

Stats on disgruntled employees:
• Corporate Executive Board survey that showed that 75% of people who leave their jobs are disgruntled when they do so.
• There is high risk for lawsuits where private information is revealed:
  • medical records, mental health treatment records, and drug and alcohol treatment records.
• Even bigger problem in smaller firms, where we all know each other and trust everyone. This can lead to complacency which can come back to bite you later on, when least expected.

You have a duty to protect client confidences – did you take all reasonable steps to do so? Were your actions appropriate to the risk, considering the capabilities of your firm’s data security?

Page 8: How to Secure Your iOs Device and Keep Client Data Safe

Story 2:

“Johnny” Project Manager

GlobalMac IT

Lesson:

Disgruntled Employees Can Cause Chaos

Page 9: How to Secure Your iOs Device and Keep Client Data Safe

Story 3:

“Saul Goodman” Attorney

Saul Goodman Attorney at Law

Page 10: How to Secure Your iOs Device and Keep Client Data Safe

Stats on theft and stolen devices:
• More than 3 million handsets were stolen in 2013
• Theft has increased by 26% in Los Angeles since 2011, 23% in San Francisco, and 18% of all grand larcenies in New York City last year involved Apple products.

http://www.businessinsider.com/smartphone-theft-statistics-2014-5#ixzz3GnMj29cM

Page 11: How to Secure Your iOs Device and Keep Client Data Safe

Stats on the reporting of thefts:
• Only 50% of respondents reported a loss or theft within one day.
• 38% took between 1 and 2 days
• Nearly 10% took up to five days to notify their employer.

19% of the businesses surveyed reported an incident of a lost or stolen device, and experienced some form of related data loss, meaning businesses have approximately a one-in-five chance of losing data if a corporate mobile device is stolen.

*Kaspersky Lab survey of global IT security professionals, 9/2014.

Page 12: How to Secure Your iOs Device and Keep Client Data Safe

Story 3:

“Saul Goodman” Attorney

Saul Goodman Attorney at Law

Lesson:

Thefts happen and are often not immediately reported.

Page 13: How to Secure Your iOs Device and Keep Client Data Safe

Story 4:

“Johnny B. Goode” Senior Partner

Screwem, Goode & Hart Attorneys at Law

Page 14: How to Secure Your iOs Device and Keep Client Data Safe

Stats on accidental damage:
• Theft is scary, but accidental damage is 10 times more common than loss or theft
• A study by SquareTrade in 2012, showed that damaged iPhones have cost Americans $5.9 billion since their introduction in 2007.
• The top five iPhone accident scenarios according to the study are:
  • Phone dropped from my hand
  • Phone fell into a toilet, sink, hot tub, swimming pool, lake, etc.
  • Phone dropped from a lap
  • Phone knocked off a table
  • Phone drenched by some liquid

How quickly could you get back up and running if your phone bit the dust?

Page 15: How to Secure Your iOs Device and Keep Client Data Safe

Story 4:

“Johnny B. Goode” Senior Partner

Screwem, Goode & Hart Attorneys at Law

Lesson:

Sh*t happens.

Page 16: How to Secure Your iOs Device and Keep Client Data Safe

If needed, could you convince a Board of Ethics that you had done your due diligence in protecting your client’s information?

Page 17: How to Secure Your iOs Device and Keep Client Data Safe

Use a Mobile Device Management solution (MDM)

My Top 3 List:

#1

Page 18: How to Secure Your iOs Device and Keep Client Data Safe

iCloud is NOT an MDM solution
• made for end users, not business
• cannot scale up
• enforces nothing
• once added onto your staff’s devices, they can:
  • track where you are
  • turn on your personal email, notes and photo stream.
  • access all your iCloud data.
• can also be easily disabled

Page 19: How to Secure Your iOs Device and Keep Client Data Safe

Top 3 MDM Options

#1 - Built-in aka Homebrew solution: Profile Manager in OS X Server
• OS X Server, but this is very technical and is a lot of work. Some of the things you’ll need:
  • Static IP, FQDN, SSL certificate, configured Server with proper DNS settings and more.
• This is for the DIY person, who’s a techie at heart who also happens to be an attorney and does not mind sinking hours into this project.
• iOS only, Windows and Android not supported.

Here is an excellent play-by-play manual for those who want to go this route: http://krypted.com/mac-os-x/using-profile-manager-3-in-mavericks-server/

(email me - for the link if you’d like it)

Page 20: How to Secure Your iOs Device and Keep Client Data Safe

Top 3 MDM Options

#2 - Free solution: Meraki Systems Manager MDM
• Very robust solution, developed by Meraki, owned by Cisco.
• Cloud-based MDM package with which you can get up and running fairly easily.
• Supported Mobile Devices: iOS, Android, Windows Phone
• Drawback:
  • no support included with free version
  • there is a new paid version ($40/device per year) with many additional features.

https://meraki.cisco.com/products/systems-manager

Page 21: How to Secure Your iOs Device and Keep Client Data Safe

Top 3 MDM Options

#3 - Paid solution: MaaS360 by Fiberlink, an IBM company
• MaaS360 - owned by IBM, paid service ($5/device per month)
• All inclusive pricing. They never charge extra for set up, activation, or their 24x7x365 live support.
• Supports all platforms (iOS, Android, BlackBerry, WebOS, Windows Mobile)
• No device minimums

Page 22: How to Secure Your iOs Device and Keep Client Data Safe

Add company data onto iOS devices through profiles (using MDM solution)

My Top 3 List:

#2

Page 23: How to Secure Your iOs Device and Keep Client Data Safe

The problem with adding info manually is that you have no control; it CANNOT be removed remotely.

Changing the password is NOT the same.

Page 24: How to Secure Your iOs Device and Keep Client Data Safe

7 Profiles You Must Use

Page 25: How to Secure Your iOs Device and Keep Client Data Safe

1. Passcode

Page 26: How to Secure Your iOs Device and Keep Client Data Safe

2. Wifi

Page 27: How to Secure Your iOs Device and Keep Client Data Safe

3. VPN

Page 28: How to Secure Your iOs Device and Keep Client Data Safe

4. Mail

Page 29: How to Secure Your iOs Device and Keep Client Data Safe

5. Calendar

Page 30: How to Secure Your iOs Device and Keep Client Data Safe

6. Contacts

Page 31: How to Secure Your iOs Device and Keep Client Data Safe

7. Apps
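
What the first of these profiles looks like on disk, as an added example (not from the original slides or from any of the MDM products named above): a Python script that builds a passcode configuration profile (.mobileconfig) and audits one for weak settings. The organization name, identifiers and thresholds are illustrative assumptions; the payload type and keys are Apple's documented passcode policy keys.

```python
import plistlib
import uuid

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"


def build_passcode_profile(org="Example Law Firm",
                           identifier="com.example.firm.passcode"):
    """Return .mobileconfig bytes holding one passcode payload.
    org, identifier and the numeric values are illustrative assumptions."""
    payload = {
        "PayloadType": PASSCODE_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode",
        "forcePIN": True,         # a passcode is mandatory
        "allowSimple": False,     # no repeating or sequential codes (1111, 1234)
        "minLength": 6,
        "maxFailedAttempts": 10,  # iOS erases the device after this many misses
        "maxInactivity": 2,       # auto-lock after 2 minutes idle
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Firm passcode policy",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)  # XML plist, the .mobileconfig format


def audit_profile(data):
    """Return a list of findings for the passcode payloads in a profile."""
    profile = plistlib.loads(data)
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not policies:
        return ["no passcode payload"]
    findings = []
    for p in policies:
        if not p.get("forcePIN", False):
            findings.append("passcode not required")
        if p.get("allowSimple", True):  # Apple's default permits simple codes
            findings.append("simple passcodes allowed")
        if p.get("minLength", 0) < 6:
            findings.append("minimum length below 6")
        if "maxFailedAttempts" not in p:
            findings.append("no erase after failed attempts")
    return findings
```

Write the returned bytes to a file ending in .mobileconfig and upload it to the MDM; installing it through MDM rather than by hand is what keeps the policy enforceable and removable remotely.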

Page 32: How to Secure Your iOs Device and Keep Client Data Safe

Have a BYOD policy in place

My Top 3 List:

#3

Page 33: How to Secure Your iOs Device and Keep Client Data Safe

BYOD boils down to a well-drafted and comprehensive policy that spells out the rights for both companies and employees.

Such a policy covers a company’s:
• right to monitor, access, review and disclose company or other data on a mobile device
• the employee's expectations of privacy with respect to that device.

*http://www.cio.com/article/2386235/byod/how-to-craft-the-best-byod-policy.html

Page 34: How to Secure Your iOs Device and Keep Client Data Safe

What does a good BYOD policy look like?

It goes through general rules about personal mobile device usage:

• company's rights with respect to monitoring, accessing and reviewing all the data on the device.

• employee's obligations with respect to keeping the device secure, password requirements, all the things you'd expect to see in a general IT policy.

• what happens if you're terminated or decide to leave the company.

Page 35: How to Secure Your iOs Device and Keep Client Data Safe

How to get a policy in place?

• No two BYOD policies are or should be alike. Here are 5 BYOD policy templates to help you start:

• 4 samples here, along with steps to implement: http://tek.io/1uLWDsC

• Our MDM Toolkit with a BYOD template here: globalmacit.com/milomdm

Page 36: How to Secure Your iOs Device and Keep Client Data Safe
Page 37: How to Secure Your iOs Device and Keep Client Data Safe

[email protected]

facebook.com/globalmac

linkedin.com/in/tomlambotte

@LegalMacIT

www.globalmacit.com/book/

Get a FREE copy of my book: Hassle Free Mac IT Support for Law Firms

Q & A