
Ensuring WFH employees are keeping firm data safe

RICHARD WEINER
Legal News Reporter

Published: September 4, 2020

So one day, everybody was at the office. The next day, they weren’t. And probably, when you read this some time in September, much of your office functions will be from someone’s home.
The jump from office-bound to remote working was startling. It was, therefore, easy to overlook some of the basic requirements of the kind of data-intensive remote working required in a law office. Everyone is used to certain data security practices in the office, but the problem is how (or if) those office security practices made it out into the home offices of firm employees. Having remote computers log into and out of office systems is an extremely vulnerable process when it comes to keeping data secure.
I have written several columns laying out some best practices for doing so, because it looks like, even if things return to “normal” someday, normal is going to look a lot more like it does now than it did then.
Now that we have all settled in to this new process, let’s go back over some data security best practices.
First, make sure that all remote workers are fully trained in data security measures. In the home office the risks of phishing and other attacks are far higher than in a secure office environment. Offices should be having continual conversations and information sharing on home computer (and smartphone/tablet) security.
Next, “beware the family.” The office computer should be completely discrete from the family computer, and it is the responsibility of the law office to supply that discrete computer to the employee.
Third (again and again), employ a VPN at the home. The office should pay for this, and purchase one that is up to date. Free stuff won’t work well enough. K?
Fourth, streamline the employee software in the office-provided computer to what is needed to function for the office, and nothing else.
Fifth, encrypt everything, and equip the home computers with remote access controls and remote deletion capabilities in case a device is stolen or an employee leaves the firm.
Sixth, in conjunction with the previous action, employ threat monitoring with cyber forensics capabilities. This needs to be applied both to the remote computers and to the traffic coming in from those computers. This will likely require the use of outside vendors.

