Technology Practice Tips: Smartphone Security (Transcript)

This is a transcript of a podcast on securing your mobile wireless or smartphone for your law practice.

Speaker Key: PB Phil Brown, DW David Whelan

PB: Hi, it’s Phil Brown, I’m here with David Whelan and we’re here to talk about smartphones.

DW: It seems to be the one piece of technology that every lawyer is going to have, although I guess there are still some lawyers who don’t have a wireless phone, cell phone, smartphone, whatever you want to call them.

PB: And I saw a sign recently as I was walking past a Bell store, they’ve started calling them super phones, at least the new ones they’re calling super phones. I don’t know if they do anything much more than a smartphone, but let’s talk about what a smartphone does.

DW: It’s an interesting topic because smartphones used to be a phone that did a couple of extra things – maybe it had a calendar, maybe it had contact management – but the phones that are coming out now, whether it’s the iPhone or an Android powered phone, are essentially small computers. You can do documents on them, you can synchronise documents out to your cloud based file servers, you can do all sorts of things on these smartphones.

PB: And a lot of them you have the ability to connect over a server. For instance, all of the RIM devices or Blackberrys you can connect over a Blackberry enterprise server so your whole firm, if you have a slightly larger firm, can be all on the same server.

DW: Exactly. Actually, funnily about the Blackberrys there’s something called PIN-to-PIN communication and it’s the one way that you can send a message to another Blackberry that’s unencrypted, so it’s the one way you don’t really want to send any information in your law practice.

PB: But those types of messages don’t go through the server though, so no one at the server would be able to see that information.

DW: Good point.

PB: And I think that becomes a problem later in terms of the security and that’s why a few other countries got really upset at Blackberry, or RIM rather, a while ago. So let’s talk about some of the advantages I guess we just covered. You can do virtually anything on them, whether it’s surfing the internet or accessing files or storing files. Let’s talk about a few of the possible disadvantages.

DW: I think the disadvantages go hand in hand. We say "there’s an app for that", which started with the iPhone, but now really we can download an app to do almost anything on our smartphones but we don’t really know who developed that app and what it will do when we download it. So there’s an element of risk that we probably haven’t had before and I don’t think we even have with laptops, where we could be downloading an app just to try it out and it will be accessing information on our smartphone, which now includes our contact with our clients, it includes documents we’re working on, it might include trial information, and it could be doing things with that information that we’re just not aware of.

PB: And I should say that usually when you’re using those applications there’s that click through agreement that you would click through without actually reading, typically, and that agreement may disclose that you’re sharing all that information with that third party, but most people ignore it.

DW: That’s true. And I think one of the things to keep in mind is that if you are using a smartphone and you’re downloading apps, make sure you’re using one of the well known app stores, whether it’s iPhones with iTunes, whether it’s the Android marketplace from Google or Amazon. If you know that you’re downloading a supported application or through a supported store there’s a good chance that they will already have vetted those apps for any malware, any viruses or other things that might be in them.

PB: So let’s talk about basic smartphone security. At a minimum you should have a strong password on your device.

DW: Right, I would almost even start further back, which is that you should have good habits for handling that smartphone. If you put it in a different pocket each day you’re likely to not realise when you haven’t put it in any pocket and you’ve left it on a counter or at someone’s desk or you’ve dropped it in a taxi. So if you start it off with good physical security and thinking about where you’re putting it each day, and I always put mine in the exact same pocket just so that I know where it is, then you can move on to actually securing the device. But you’re right, a great password is going to be a good way to secure it.

PB: And do most of the smartphones have an ability to encrypt information on them?

DW: That’s still an iffy issue. It will depend on which device you use. In the same way that with the passwords some devices allow you to put a real password in, some will have a little pattern that you draw on the screen, so you should really be keeping your smartphone as up to date as you can so that you’re able to take advantage of the security aspects that are on there. If your phone doesn’t already support encryption, you should be looking to upgrade to a phone that does support encryption so that if you’re putting information on there that needs to be encrypted you’ve got the right tools for it.

PB: And I know with the Blackberry enterprise servers there’s an ability to locate that smartphone in the event that you lose it and also you could wipe all of that information remotely from the device.

DW: And this is a great thing to think about early on because you can do it with iPhones and Androids as well as the Blackberrys. Download these apps, set up the accounts that you need so that you can do a remote wipe or that you can do a remote locate of your device.

PB: And I guess the other piece that goes along with that in the event that you’ve lost your device, it’s probably a good idea to have a daily backup of the information on your device.

DW: That was an interesting issue with the T-Mobile Sidekick where they had been doing a backup but the only backup you could do was to their servers and their servers all died, so people who had done backups not only lost everything on their phone but they lost everything on the backup. So to the extent you can synchronise it with a laptop or synchronise it with another site or, again, in the realm of using cloud computing, work with sites that store the information remotely all the time. That way you at least know that if that phone disappears or breaks or dies you’ve still got access to the information that you need.

PB: And I guess in terms of physical security with a phone, knowing where it is at all times would be the prime consideration. Other people in the office or other people having access to the information on your phone could also be a problem.

DW: For sure. And I think one of the things that a lot of people don’t think about is what they’re doing with their phone when it’s just a phone and you’re sitting in a coffee shop or you’re sitting somewhere and you’re talking about your client’s case. It’s amazing what people say when they’re on a phone in a public environment that they really shouldn’t be sharing with others.

PB: And I’m just going to expand the conversation a little bit because it’s bigger than a smartphone but still not a whole computer, and that would be something like an iPad. I’ve seen people on the subway reading client files and I can just look over their shoulder and see information I probably shouldn’t see.

DW: Exactly. The tablet is going to really make this a little bit more problematic because people are using it to consume information, it’s very much a consumer device, and so they’re going to be comfortable with it in ways that they might not have been as comfortable with laptops. So they will have it out in the open, they will be trying to read it, they might even be holding it up in the air like a book and suddenly information that would have been more difficult to read over their shoulder is now right out there in the front.

PB: Right, and that’s a great piece of advice, to know what you’re using and what the vulnerabilities are and especially even just having a conversation on a phone, it could be subject to interception just because someone’s standing beside you.