How to keep company data secure in a WFH world.
Many companies and law firms have had remote working solutions for years, but few were prepared for the long-term challenges COVID-19 would bring as their entire workforce shifted to work from home status overnight and all at once. As WFH practices get extended, and for some, even become a permanent solution, the security considerations, policies, and practices must adapt as well. What might have been fine for unplanned, sporadic remote work by otherwise office-based staff likely isn’t sufficiently safe for permanent remote work.
Our CEO Brian Schrader recently participated in Above the Law’s COVID-focused podcast series, hosted by Joe Patrice and Kathryn Rubino. In the episode, Your Data And Discovery In The Era of COVID, Brian, Joe, and Kathryn discuss many of the challenges triggered by COVID-induced work-from-home mandates, from everyday work life, to the steps organizations should take to help ensure that company data is kept secure, to the impact of WFH reality on eDiscovery practices and the industry as a whole.
The podcast covers:
- How law firms and companies must now also evaluate the data security profiles of their employees’ new primary working environments – their homes.
- Some simple but powerful steps employees can take to protect their home systems, like securing Wi-Fi routers, enabling (often built-in) security and threat protection solutions, making sure their computers, routers and the like are all updated, and more.
- How the “new normal” of working-from-home has created both new data and data sources that may now be discoverable in legal matters, like videoconference recordings, call logs, locally saved documents, and more.
- The current and future impact of fully remote working conditions on those in the eDiscovery trenches, from increased complexity in identifying data sources to how court closures have affected the flow of work on cases new and old.
For more on these topics, listen to the podcast today and learn some key steps you and your organization should be taking to help protect your data while your employees work from home.
For help implementing any of those key steps or navigating any number of data security landmines, reach out today to the experts at BIA.
Joe: Hello all. Welcome back to another edition of the ‘Above the Law COVID Cast,’ our special report series, on ways, often unexpected, in which the legal landscape is being impacted by the outbreak. I’m Joe Patrice from Above the Law. I’m joined by co-editor Kathryn Rubino. How are you?
Kathryn: I’m doing well. How about yourself?
Joe: Well, pretty good. So we’ve covered a lot of wide-ranging topics from law schools to architecture over the course of this show, and how all of those have been changed. Now we’re going to talk about something that probably should have been one of our early discussions, quite frankly. It probably strains the unexpected, because I think a lot of these problems are probably very obvious, but learning how to deal with them might not be nearly as obvious. So today we’re going to talk a little bit about security. And when you work from home, how do you make sure that what you’re working on is protected the same ways that it would be if you were in your office? So we’re joined today by Brian Schrader, who’s the CEO of eDiscovery and digital forensics for BIA. And we’re going to talk a little bit about the work from home phenomenon. So welcome to the show.
Brian: Why, thank you. Glad to be here.
Joe: So first, let’s talk about just generally what you do at BIA. What’s the typical work that you are doing? And then we’ll dig into what you’ve seen of the pandemic, and what you’ve been doing since that all broke out.
Brian: Sure. Well, I mean at BIA, primarily we’re a full-service eDiscovery. So that means everything from the first legal hold, to being a collections processing, attorney review, hosting, kind of all aspects of the eDiscovery realm. We do a lot of computer forensics, and some regulatory and data privacy support as well.
Joe: So now, when we – eDiscovery is a, I mean it’s been a topic for years, and how do you protect everything, how do you make it searchable, how do you optimize all that? And then we get thrown this curveball in that now nobody can go into the office and work off of the protected servers there. So how have things played out with the work from home world as far as eDiscovery goes? I assume things are probably much better than they would have been if this had struck us even five years ago in that I assume more people are feeling comfortable with Cloud computing.
Brian: Yeah, I mean, it is a different world than it was five years ago. I remember back in 2010, 2009, we started at BIA moving everything to the Cloud. And at that point, it was a struggle because when you’d talk to companies, they’d be like very leery of the Cloud. Today if you’re an organization and you don’t have all your data in the Cloud, you’re kind of crazy because it’s just so much more, not only is it more accessible, but the accessibility of that data is better protected. Everything from things like Microsoft’s advanced threat protection systems, to higher levels of encryption pretty much across the board. The whole idea of putting something in the Cloud is a lot safer for many organizations. And that means the vast majority of organizations that we collect data from today are using things like Microsoft 365, so everything is in the Cloud. So yeah, it’s a different world. It made the transition much, much easier for the companies that were there. But of course, you have companies that still use Exchange servers or things like that, or kind of a bit more traditional, call it iron, that poses more challenges. And those companies struggle quite a bit getting everybody remote because they just weren’t ready for it.
Joe: Yeah, I always discuss the Cloud with the, it’s attributed to Mark Twain, but probably a lot of things attributed, it probably wasn’t something he actually said. But the idea that you don’t put all, you don’t do the don’t put all your eggs in one basket. You put them all in one basket and then watch that basket. That’s how I describe to people who are leery of the Cloud what the Cloud is. Is that thing in your closet better, or is Microsoft better? And probably it’s Microsoft.
Brian: That’s a good point. I used to make that point quite a bit. Who do you think gives better security – Microsoft and Amazon, or your local small company? No question.
Joe: Okay, now. So when people start working from home, what happened? What was called upon to be done? People were more ready I suppose because of the adoption of Cloud, but I would assume they weren’t actually ready for the idea of a mass –
Brian: No one was ready. Again, it kind of goes back to the overall company kind of profile. For those companies, like one of the things we did years ago was move all of our employees to laptops. Fully encrypted, of course, and protected. But that made us, our transition to work from home. Plus, we also had a policy at our company that you could work from home one day a week as part of your normal schedule. So the fact that we had everybody on laptops and the fact that all of our employees at least had the option to work from home a day a week, transitioning to full-time work from home for us was pretty easy. And we, other than sending some extra docs and things like that to people, it was relatively easy. But I’ve worked with other companies of friends, and business associates, helping them do this transition. And again, if they didn’t have the Cloud, if they didn’t have remote computing, if their employees weren’t used to it. A lot of companies still use VPN to let people in, but if their employees never worked from home before, they weren’t ready. So it’s a huge shock to change the way they work. So again, it just depended on where in the technology spectrum the company lies. Some of them went relatively easy; others saw their businesses close for a week or two while they figured out exactly what they were going to do to enable their employees to work from home. So it’s a mixed bag across the board. And there’s no one area that is prevalent. It’s a little bit of everything, and companies really struggling trying to figure out how to let their employees work from home.
Kathryn: We’ve obviously not seen this sort of en masse work from home, nationwide situation before. What security risks are there when you have so many people working from different environments that may not be something that everyone has been thinking of before COVID?
Brian: Yeah. There’s a couple of areas of that. One of the things that I think is overlooked a lot. Usually, companies have some kind of policy about their data and how their company data should be handled by employees, and whether they can take it home. But one of the things that most companies didn’t really ever talk about or train anybody on are the things like teaching their employees how to make sure their home environment is safe. Everything from things like teaching them hey, there is a way to login to your home router. Most people plug in the router they get and just go along with it and never -.
Kathryn: Set it up once and forget about it.
Brian: Exactly. So one of the things that we recommend that companies do is either send out an email corporate-wide, or do a training session, and show people hey look, you should be – not only should you do simple things like don’t use the default password on your router. Which by the way, I just got a new router myself, thrilled to see that the router actually came with a completely randomized username and password for a change. So hopefully, newer companies and newer routers are doing that. Most people still have admin and no password, or admin and abc123 on their home router. People think of their computers as being vulnerable, and they don’t think of their router, the actual somebody’s tapping into that line. And so things like that, things like setting up WPA2 authentication to kind of increase the encryption of your Wi-Fi. And you can do all sorts of things to lock down your home routers. And again, it’s something that most companies never thought of, let alone individuals. And so that was one of the things that we recommend that people do right away.
And then, of course, from that, there’s instructing people how to use data, how to store data. Because now, the big concern in everything from regulatory to eDiscovery is all this company data is sitting on people’s home machines, especially in those companies that weren’t prepared for this. They end up with a lot of company data everywhere. Are those users updating? Do they have Windows update turned on or even the equivalent in the Mac OS? Turning on equipment, or turning on that kind of protection and making sure that they’ve got strong passwords and all that kind of stuff. Now some of that you can manage remotely, even on personal machines. But these are a lot of things that, it wasn’t just about how do we physically enable our employees to work from home, but how do we secure it and get into a lot of these topics that companies, and individuals, have never ever thought about before? So I think that was as much of a concern about securing a connection as it was securing the data.
Joe: And the reason the router is such a dangerous entry point for somebody is, you think, you’re doing your things on your computer, and that isn’t really a problem with the router. But as soon as you try to reach out back to the company or somebody else, that’s a place where having a point of entry into the router is important, right?
Brian: Yeah. And if somebody gets into your router, it makes it that much easier for them to get into any devices on your network, not just your computer. If you have smart devices at home that are connected, somebody in some remote province somewhere could start turning your kitchen lights on and off. We’ve seen things like that. It is about reading that data, but you can also use it as a tunnel into other devices and computers as well.
Joe: The internet of things is the lingo. So one other aspect of how things have changed is that there is new discoverable information out there. We’ve got, we’re recording a conversation right now. And I think even though this is a podcast and we were always going to do it this way, I think a lot of people in potential future litigation are having meetings right now that are being done exactly this way.
Brian: Yeah. I mean, almost every meeting is virtual now, right. And it’s so easy to hit that little record button. And it’s tempting to do it because especially if it’s a meeting that you may not be really paying close attention to or something along those lines. Click the record, and you can watch it later if you need to. But that then creates discoverable information on every single computer used for that, and those may be corporate or personal. So one of the things that we’ve, actually right along that, we updated guidance recently on custodian questionnaires. For those who don’t know, custodian questionnaires are surveys that you send out to custodians asking them where their data is. And updating those custodian questionnaires, we send out a thing that most of our clients say you should make sure that your custodian questionnaire now has a work from home section that talks about things like Zoom recordings and Teams recordings, and just storing regular data at home. Now it kind of depends. If you’re using something like Teams or Slack or whatever, even if you have a local copy, a lot of that stuff still stays in the corporate environment. So it’s always been kind of an unwritten rule of eDiscovery that does duplicate stuff. Duplicate items don’t have to get collected from every location as long as you have a copy of it. But for those companies that aren’t doing that and are saving a lot of documents locally and things like that, then it really does expand the scope and expand the eventual cost of it all.
Joe: Saving things locally is something that you don’t necessarily think of all the time. But just because you can access a document from the Cloud doesn’t mean that somebody isn’t pulling it onto their hard drive to futz around with it and make edits, especially if they’re in a place where their internet connection isn’t great, and it’s easier to do things locally. But now you’ve got confidential information potentially that is not within the corporate environment, and that is something you’ve gotta go track down when you’re doing discovery.
Brian: And it could raise regulatory issues; it could raise issues with privacy laws. Like I’m sure there’s an interaction there with the CCPA, the California Consumer Privacy Act is what it stands for. If all that data is sitting everywhere, it just makes it that much harder to do every bit of corporate data security and cleanliness. So, good thing to avoid.
Kathryn: On the question of cybersecurity, can we talk a little bit about the question of education and just making sure that all of your employees are aware of all the various risks? I know we’ve covered at Above the Law, that there’s been kind of an outbreak of phishing scams where folks falsely pose as the recipient of various transfers and some other, or situation where they pose as folks who are supposed to be getting monies. And firms have been falling for it. And it’s not necessarily something that is specific to COVID-19, although now that everything, nothing is in person, there has been sort of an uptick in these sorts of scams because it’s easier to fake someone’s identity in an online-only kind of world. But those are not necessarily something where your security programming is out of date as much as the folks who are responding to these emails or responding to these scams are not as up to date on what’s out there and what can happen as they should be. So what are we seeing in terms of what kind of educational systems or programs should companies, particularly big law firms, make sure that they are doing for their employees?
Brian: I can’t stress enough that when it comes to data security, education. Of course, you want to turn on all these data protection systems and advanced threat protection and all that. But all of that means nothing if you don’t train your employees on a regular basis.
Kathryn: They’re willing to give up their passwords, there’s only so much you can do.
Brian: Exactly. I mean it is amazing to me sometimes that the kind of, bush-league phishing examples where it’s got kind of messed up logos and stuff, and people still click on it. It’ll take them to a page that kind of looks like something they’re used to seeing, and they put in their username and password. There are some things to prevent that. You can do things like go prevent access to your organization from outside of certain geographic areas. That kind of helps, even if someone kind of gets the information, they can’t log in, and dual-factor authentication helps with that as well. But when it comes right down to it, you’ve gotta drill into your employees’ heads the importance of being diligent, and show them examples, real-world examples, that you’ve seen of exactly what some of these things look like. We do training either once a quarter or once bi-annually, kind of depending on the topic. And one of the things we hit on all the time through training, through emails, through video training, through in-person training, and even testing employees, is on that phishing. Because it is the number one way that companies – more and more when you see data breaches a lot of it is either one of two things. It’s either somebody on the inside was compromised into doing illegal activity or decided to participate in it, or phishing. Those are kind of the two biggest areas, and where whenever you read about these big breaches, it tends to be one of those two. And even ransomware. A lot of the way ransomware gets in is through phishing. Some of them come with bad grammar and bad English, and it’s kind of easy to tell that this is obviously not legitimate. But some of them are getting really good at making it look like it’s a legitimate sharing request from within the Microsoft system, and it’s easy to fool people.
So not only is it important to train people on how to identify that stuff, and it’s better to be safe than sorry and things like that, but also, give them real-world things. Like what should they do? If you’re getting something like that from somebody that you don’t expect, call them. Reach out to them. Don’t just reply to that email because you’re just going to go continue the loop. It all comes down to telling people and giving them real-world examples on a regular basis. Routinely reminding them and showing the latest, greatest malware and threats out there, and phishing threats out there, and how those can work. And it’s not just about your computer either. It can be social engineering. If you have a receptionist, you should be training that person on how to identify malicious callers. I’ve seen that before. In some of the investigation work we’ve done, we’ve easily gotten around some security on stuff just by calling and talking to somebody who’s like, here it is. Voila. So it’s not just about the data technology, you have to make sure you’re training pretty much everybody who stands at the outer edges of your company, whether that’s data, incoming calls, visitors, things like that. But all of that stuff is important.
One of the things that I think was a shock to a lot of people we trained was if you ever find a USB key laying around, the last thing you want to do is plug that into your computer. It doesn’t happen much anymore, but one of the tricks was you go to a company, and you just drop a couple of USB keys in the parking lot, and somebody sees it, takes it, takes it in, plugs it in, tries to take it out. You know, want to help one of my employees, lost their USB.
Kathryn: Who could this be?
Brian: Yeah. And guess what? You just installed malware on the company, and you’re good to go. It’s important to do all that stuff. And there’s a lot of research. There’s tons of videos on YouTube, LinkedIn Learning has some great resources, a lot of which they’ve made free during COVID, Microsoft has a lot of great resources. There’s a never-ending source of good information out there; it’s just you can’t just send an email to your employees saying “read this.” You have to take action and make sure they actually do that.
Joe: What’s going on with the pace of eDiscovery? Like a lot of what’s happened with the lockdown as we’ve heard, this got stopped, and this courthouse wasn’t open for a while, and this practice area had a spike, and this one went down. How is the pace going? I assume obviously there’s a lot of litigations where it’s moving at a pace, but I’ve also gotta assume some cases they managed to negotiate to hold things off. What’s happening out there in eDiscovery?
Brian: You know, it’s interesting. We did see a bigger slowdown earlier on when people were just – I think that was more due to people trying to figure out how to work. You know, kind of getting back to our original thing is a lot of people and a lot of companies just weren’t ready for this. So kind of everything stopped while they figured that out. But in general, we’ve seen slower activity in some sectors, mainly for cases that really hadn’t gotten started yet. We have some corporate clients that will come to us and be like, oh, we’re going to be filing this, and just a heads up, and let’s start planning. Some of those cases have just been put off indefinitely. A lot of them are like IP cases; they’re not really time-sensitive, so to speak as much as contract disputes or something might be more timely, or need to be handled more quickly. But yeah, it depends. We do a lot of construction litigation, and the kind of injury side of the construction litigation has slowed down. But not the bigger contract disputes and things like that. At the end of the day, discovery doesn’t really involve a lot of court hearings. There’s status hearings and things like that, but unless you have a dispute, it kind of tootles along. So the court being closed doesn’t really impact anything. And even when it does, those kinds of areas can easily be handled via telecom or Zoom. So I think that original slowdown was much more due to people figuring out how to work, not necessarily stopping cases.
That all being said, there will be some slowdown because cases get filed, they usually go through a couple of months of motion practice and answers and things like that before discovery starts. So you’re going to see that kind of delayed impact in the discovery industry, I think, a couple of months down the road when discovery would have normally started for cases filed in the early part of the year just aren’t there anymore. So I do expect there to be a little bit of a lag in eDiscovery. And then again, beyond that, it’s just more challenging to collect data and figure out where everything resides. Those challenges we talked about earlier are really out there.
Joe: Alright. Yeah. So I guess we’ve been going for some time now. So yeah, is there anything else you want to share about this? This has been super informative.
Brian: I think we got all of the big parts. I mean, there’s a ton of other stuff we could talk about in security, from multi-factor authentication to not giving access to data if people don’t need access to it, or the least privileged access rules. Those are more kind of general every day; it’s not just COVID. Those you should have had in place. It’s just all the more important that you have them in place now.
Joe: See, words like ‘should have’ in this space. I feel like what’s going on with COVID is people are starting to realize finally the things that should have been happening.
Brian: Yeah, there was a great quote by Warren Buffett during the economic collapse of the 2008, 2009. He said that when the tide goes out, you see who’s not wearing a bathing suit. It’s kind of that thing now. A lot of people talk security and say oh yeah, we’re taking all these plans. But when the rubber hits the road, you find out who really was, and who really was ready for it and those that struggle. So, but then again, it’s one of those things that if you were prepared, great, if you weren’t, you’re paying for it now.
Joe: Well, great. Thank you for joining us, and thanks everybody for listening. You should be subscribed to the show, so you get new episodes, you should give reviews, not just stars, write a couple of words, it helps those algorithms realize that we have an engaged audience and helps us spread out to get in front of more people! You should be reading ‘Above the Law’ as always. You should be following @JosephPatrice, @Kathryn1 on Twitter. Check out the other shows; we have ‘Thinking Like a Lawyer,’ which we host, which is a little bit more of a madcap rundown of the week in legal news. The Biglaw, which Kathryn hosts about diversity issues in law firms. And check out the various offerings of the ‘Evolve the Law’ group. There’s a few podcasts in that world as well talking about legal tech and stuff. So with all that said, we’ll check in with you all later.