Where has my data gone?

There are many challenges in keeping track of data for barristers.  Firstly, you are free (quite rightly) to manage your electronic content in the way that you see fit.  Secondly, you often store personal content – files, personal email, pictures, music – on the same portable or desktop device that you use for day to day running of your practice.  In data security we assign content to a category and appropriately protect those categories that are of the highest risk to the business in terms of reputation, compliance and confidentiality.  All data is important, but we must take additional measures to protect the data most precious to us.

This is easier to achieve in an environment which has controls in place to limit the distribution of specific categories of data through mechanisms such as DLP (Data Leakage Prevention) and ADRMS (Active Directory Rights Management Service). In a “Bring Your Own Device” environment, what is the best way to track data and indeed, is it at all possible to do so in a cost effective, hassle free way?  Remember, it is not always the bad guys that take our data, often the biggest risks are internal.  Consider the multitude of ways that data can leave a typical organisation – USB stick, email, personal email, mobile phone, online file sharing, printing.  Believe me, the list goes on.  We can and do address all of these risks.

As we are thinking about risk, I thought I will use myself as an example to highlight some of the potential problems.  Like you, I routinely access content from devices which I both own myself, are owned by the business and less frequently, that I do not own nor have any control over.  So, where has my data gone and should I be concerned?

I have a home laptop which I share with my wife, two unencrypted USB drives, and the content of a hard disk drive that I removed from an old home PC before it was disposed of.  I have an old iPhone, an online backup of our laptop and my personal email account.  I expect you will all have as many storage devices as I do, even if you can’t quite recall where they are.

I would like to say that I only found personal content in these various locations, but the fact is I did find two tender proposals dating back several years.  The iPhone had already been wiped (or if it was not, would have wiped itself had I entered the incorrect PIN 8 times, you can do the same).  The USB drives only stored copies of a paper my wife is writing and the online backup replicates only our laptop, not the old PC drive where I found the proposals.

Is it really surprising that the “IT guy” keeps most of his business content separate to his personal?  Even though I do, where on earth is that personal content (think cameras, SD data cards, basic old Nokia phone, backup USB drives, iCloud Drive, OneDrive, Dropbox and the like).

Personal data can be just as significant a risk to our reputation or indeed privacy as would be a compromise of professional data that is not in the public domain.  Naked children enjoying a splash about in the paddling pool on a hot day, or a late night out with friends might both result in pictures that hold certain value to a proportion of our society, however small that proportion may be. If that content is immediately replicated to multiple locations via a backup or a data replication service, where does it now reside, how is it secured and who has access to it?  More worryingly, what if your professional data resides alongside it.

At this point, I expect most of you who use Dropbox, OneDrive, iCloud and similar services will shrug your shoulders and admit that you don’t know where the replicated content resides.  Such is the simplicity of cloud services it matters little, until, of course, it all goes horribly wrong.

Imagine this scenario.  Remote access to Chambers X is painfully slow and often disconnects.  Barrister X therefore saves his documents to his laptop and has set up the automatic forwarding of chambers email to his Hotmail.  Some of his peers are using Dropbox (a great product by the way, not for barristers though!) so he has installed it on his laptop, home PC, iPad (though this usually sits on the coffee table at home) and on his Android phone.  Sometimes, if he is in a rush, he will save whatever he needs on a USB stick as a failsafe.  Immediately, we have significant risk as although his chambers laptop and Android phone are encrypted, the iPad, home PC and USB stick are not.  Furthermore, the iPad and home PC, being shared devices, don’t even have a password.  Forget the fact that all the Dropbox content is replicated to the United States. His Hotmail password is “password123”, his friend’s computer that he used to access his chambers webmail was infected with a keylogger virus that by virtue of having no two factor authentication in place for chambers’ remote access means, that the miscreant who installed it, now has the username and password required to access his chambers email, files, diary and shared drives.

It all snowballs rather quickly.  That is why we, as a business, banned unencrypted USB sticks and drives long ago for storage of client and business data.  In fact, aside from the two I found at home, I don’t have a use for portable storage as my business data remains in a central location that I access securely via a virtual desktop and two-factor authentication.  The content that I do want to take with me is synchronised (and encrypted) using a secure Dropbox alternative and those devices that contain that replicated content can be remotely wiped as they are centrally managed.  All sounds rather expensive?  It needn’t be, and in comparison to a single ICO fine, it is positively cheap.

I agree that all this technology sounds rather tedious.  All you really want to do is get on with your day job, work from wherever you chose and be safe.  What do you have to do to achieve this?  1) Give up some of your freedom; I know this is not an attractive suggestion, we work daily with barristers and know this is a lot to ask. 2) Standardise the set of products that you and your peers use to share and access data. 3) Work to a common security policy. 4) Most importantly, allow your staff and perhaps even yourselves to be educated about the security risks that exist at almost every turn in your digital day.

Oh, and another thing, Barrister X just had his Twitter feed hijacked as a password reset request was sent to his compromised Hotmail account.

Cloud data storage and file sharing services are now common place.  Their evolution and that of other cloud services are changing the IT landscape, I believe, on a whole, for the better.  However, we must all be careful that any selected service meets all of our requirements.  For barristers, that most often means data not leaving the EU, and for those that use CJSM, not leaving the UK.  Dropbox is not the solution as the content is stored in the United States.  Same can be said for Microsoft OneDrive and iCloud.

In the Bar Council guide “Guidelines on Information Security”, 16.1, they recommend, “Passwords used to access computers or encrypted data should be sufficiently memorable that you can avoid writing them down, but not obvious or easily guessed. Optimally, they should be at least 9 characters long and contain three out of the four types of keyboard character (upper case, lower case, numbers and symbols – by way of example only – bArr!sTer)”.  We have occasionally met with resistance from a minority of members (less than 1%) to this recommendation and that of changing passwords every 90 days (as the CJSM contract sets out).  The reason for updating passwords is to limit the time of exposure brought about by a compromised password.  The password length is more important than you may realise, the longer the better – this is what defeats the password crackers.

Remember, if we did not think it prudent to do so, we would not recommend password changes as it generates calls to our Service Desk, especially after holidays.  We have a solution to that problem that allows users to reset their account and password using a self-service portal. It uses two pieces of information you know, and one that you don’t – a one-time password.

To summarise, this is not the end of your professional freedom, being dictated to by an IT company.  Simply an acknowledgement, and a warning, that many of your files and other digital content might have a value to someone other than yourself.  With careful planning, the right technology, a chambers security policy and IT security awareness training you will enjoy simplified mobile and remote working, safe in the knowledge that your precious data is appropriately protected.

– By Danny Killeen, Director Sprout Legal IT Specialists

Share this post