There’s a lot more to mobile security than enabling the password on your iPhone or iPad. Unfortunately, very few small law firms have the proper measures in place to protect their confidential client data. If needed, could you convince a Board of Ethics that you had done your due diligence to protect your client’s data? Strong iOS security starts with becoming familiar with the most common threats to compromising firm data on your iPhone or iPad. While many assume they are not at risk since they are not a ‘big’ law firm, the opposite is true.

1. How to Secure
Your iOS Device &
Keep Client Data Safe
Tom Lambotte

2. Less is more.

3. Story 1:
Christine
Senior Paralegal
and Office Manager
Ditcher, Quick & Hyde,
Divorce Lawyers

4. Stats on passwords:
• Half of iPhone users don’t lock their phones (pre-TouchID).
• 10 most common passwords made up 15% of all phones*:
• 1234, 0000, 2580, 1111, 5555, 5683 (LOVE), 0852, 2222, 1212 and 1998.
• The top four codes represent 10.8
• Years between 1990 and 2000 are all in the top 50, and 1980 to 1989 are in the
top 100 passcodes
• With a 15 percent success rate, about 1 in 7 iPhones would easily unlock
http://www.eweek.com/c/a/Security/Top-10-PIN-Codes-Picked-by-iPhone-Users-637446/#sthash.ihFP9INR.dpuf

5. Story 1:
Christine
Senior Paralegal
and Office Manager
Ditcher, Quick & Hyde,
Divorce Lawyers
Lesson:
Trust cannot replace
implementing proper and
enforceable measures.

6. Story 2:
“Johnny”
Project Manager
GlobalMac IT

7. Stats on disgruntled employees:
• Corporate Executive Board survey that showed that 75% of people who leave
their jobs are disgruntled when they do so.
• There is high risk for lawsuits where private information is revealed:
• medical records, mental health treatment records, and drug and alcohol
treatment records.
• Even bigger problem in smaller firms, where we all know each other and trust
everyone. This can lead to complacency which can come back to bite you later
on, when least expected.
You have a duty to protect client confidences –
did you take all reasonable steps to do so?
Were your actions appropriate to the risk,
considering the capabilities of your firm’s data security?

8. Story 2:
“Johnny”
Project Manager
GlobalMac IT
Lesson:
Disgruntled Employees
Can Cause Chaos

9. Story 3:
“Saul Goodman”
Attorney
Saul Goodman
Attorney at Law

10. Stats on theft and stolen devices:
• More than 3 million handsets were stolen in 2013
• Theft has increased by 26% in Los Angeles since 2011, 23% in San Fransisco,
and 18% of all grand larcenies in New York City last year involved Apple
products.
http://www.businessinsider.com/smartphone-theft-statistics-2014-5#ixzz3GnMj29cM

11. Stats on the reporting of thefts:
• Only 50% of respondents reported a loss or theft within one day.
• 38% took between 1 and 2 days
• Nearly 10% took up to five days to notify their employer.
19% of the businesses surveyed reported an incident of a lost or stolen device, and
experienced some form of related data loss, meaning businesses have approximately
a one-in-five chance of losing data if a corporate mobile device is stolen.
*Kaspersky Lab survey of global IT security professionals, 9/2014.

12. Story 3:
“Saul Goodman”
Attorney
Saul Goodman
Attorney at Law
Lesson:
Theft happens and are often
not immediately reported.

13. Story 4:
“Johnny B. Goode”
Senior Partner
Screwem, Goode & Hart
Attorneys at Law

14. Stats on accidental damage:
• Theft is scary, but accidental damage is 10 times more common than loss or
theft
• A study by SquareTrade in 2012, showed that damaged iPhones have cost
Americans $5.9 billion since their introduction in 2007.
• The top five iPhone accident scenarios according to the study are:
• Phone dropped from my hand
• Phone fell into a toilet, sink, hot tub, swimming pool, lake, etc.
• Phone dropped from a lap
• Phone knocked off a table
• Phone drenched by some liquid
How quickly could you get back up and running
if your phone bit the dust?

15. Story 4:
“Johnny B. Goode”
Senior Partner
Screwem, Goode & Hart
Attorneys at Law
Lesson:
Sh*t happens.

16. If needed, could you convince
a Board of Ethics that you had
done your due diligence in
protecting your client’s
information?

17. Use a Mobile Device
Management
solution (MDM)
My Top 3 List:
#1

18. iCloud is NOT an MDM solution
• made for end users, not business
• cannot scale up
• enforces nothing
• once added onto your staff’s devices, they can:
• track where you are
• turn on your personal email, notes and photo
stream.
• access all your iCloud data.
• can also be easily disabled

19. Top 3 MDM Options
#1 - Built-in aka Homebrew solution:
Profile Manager in OS X Server
• OS X Server, but this is very technical and is a lot of work. Some of the things
you’ll need:
• Static IP, FQDN, SSL certificate, configured Server with proper DNS settings
and more.
• This is for the DIY person, who’s a techie at heart who also happens to be an
attorney and does not mind sinking hours into this project.
• iOS only, Windows and Android not supported.
Here is an excellent play-by-play manual for those who want to go this route:
http://krypted.com/mac-os-x/using-profile-manager-3-in-mavericks-server/
(email me - for the link if you’d like it)

20. Top 3 MDM Options
#2 - Free solution:
Meraki Systems Manager MDM
• Very robust solution, developed by Meraki, owned by Cisco.
• Cloud-based MDM package with which you can get up and running fairly
easily.
• Supported Mobile Devices: iOS, Android, Windows Phone
• Drawback:
• no support included with free version
• there is a new paid version ($40/device per year) with many additional
features.
https://meraki.cisco.com/products/systems-manager

21. Top 3 MDM Options
#3 - Paid solution:
MaaS360 by Fiberlink,
an IBM company
• Maas360 - owned by IBM, paid service ($5/device per month)
• All inclusive pricing. They never charge extra for set up, activation, or their
24x7x365 live support.
• Supports all platforms (iOS, Android, BlackBerry, WebOS, Windows
Mobile)
• No device minimums

22. Add company data
onto iOS devices
through profiles
My Top 3 List:
(using MDM solution)
#2

23. The problem with
adding info manually,
is that you have no control;
it CANNOT be removed remotely.
Changing the password
is NOT the same.

24. 7 Profiles You
Must Use

25. 1. Passcode

26. 2. Wifi

27. 3. VPN

28. 4. Mail

29. 5. Calendar

30. 6. Contacts

31. 7. Apps

32. Have a BYOD
policy in place
My Top 3 List:
#3

33. BYOD boils down to a well-drafted
and comprehensive policy
that spells out the rights for both
companies and employees.
Such a policy covers a company’s:
• right to monitor, access, review and disclose
company or other data on a mobile device
• the employee's expectations of privacy with
respect to that device.
*http://www.cio.com/article/2386235/byod/how-to-craft-the-best-byod-policy.html

34. What does a good BYOD
policy look like?
It goes through general rules about personal mobile
device usage:
• company's rights with respect to monitoring,
accessing and reviewing all the data on the device.
• employee's obligations with respect to keeping the
device secure, password requirements, all the things
you'd expect to see in a general IT policy.
• what happens if you're terminated or decide to leave
the company.

35. How to get
a policy in place?
• No two BYOD policies are or should be alike. Here
are 5 BYOD policy templates to help you start:
• 4 samples here, along with steps to implement:
http://tek.io/1uLWDsC
• Our MDM Toolkit with a BYOD template here:
globalmacit.com/milomdm

37. tom@globalmacit.com
facebook.com/globalmac
linkedin.com/in/tomlambotte
@LegalMacIT
Get a FREE copy of my book:
Hassle Free Mac IT Support for Law Firms
www.globalmacit.com/book/
Q & A