Volume 3, No. 3 - April/Avril 2006

Law Practice Management is published by the Law Practice Management Section of the Ontario Bar Association. Members are encouraged to submit articles or suggest story ideas.

Editor: Ginevra Saylor

OBA News Editor: Vickie Rose 
Web Programmer & Administrator: Sunny Zhao
Proofreader: Lynn Wilson

Essential Security

Stephen Bird*

Author’s Note: A November post to the TechnoLawyer Community by Zachary Price offers a number of essential security tips for law firms.[1] This article, much like my earlier article on Security and Privacy (www.practicepro.ca/securitybooklet)[2] that was based on the booklet by Dan Pinnington,[3] will refer to Zachary’s helpful suggestions.

Regularly Update Your Software

Is there a more accurate statement than “no software is ever bug free”? Sometimes it seems we’re beta-testers for software delivered prematurely, although some companies, such as Microsoft with WinXP SP2 and smaller programmer/vendors like those who sell Vopt (defragger) and HyperSnap-DX (screen capture), seem to be offering more stable software. While it is true that hackers exploit bugs for a variety of reasons including fun and profit, update security goes beyond the threat from hackers, since a problematic product can result in lost productivity from unexpected crashes, unsaved work, and the loss of time trying to fix things.

I agree that software should be updated on a regular basis; however, when should this be done? If you are a lawyer, then you probably have more important things to do than keep track of updates. Configuring the operating system, firewall and antivirus programs to receive regular updates makes a lot of sense.[4] Unfortunately, however, not all updates are improvements.

The Windows Secrets[5] e-zine offers a Windows Patch Watch feature in the paid (very modest) version to assess the quality of patches. For example, in the November 10th issue, Susan Bradley discussed the MS05-053[6] security bulletin and new Office patches, offered an example of when a second patch is needed to fix the first patch, suggested that Macromedia Flash player needs updating, alerted readers to Programs that install without warning, and listed her favorite 18+ security blogs. Whew!

A recent posting by a well-respected and knowledgeable (in my view) member of the Windows Home[7] mailing list says: “Microsoft's new security product, OneCare, which will be sold as a subscription, has been released into public beta (free for now). It's pretty much a ‘security center on steroids’. It includes Antivirus, 2-way Firewall, Tune up (auto defrag and temp file cleanup), and Backup/Restore. So far I haven't found anything to dislike, when it's viewed as a product for consumers. As beta software goes, it looks like a finished product, but don't risk an important machine unless you have a good recent image backup.” Unfortunately I found, for whatever reason, the download of the OneCare Live product is large and thus slow to download via dial-up – I stopped after an hour or so with only about 25% of the download having been completed.[8]

Install Firewalls

Zachary tells us: “Firewalls separate one network from another and are frequently used to separate a company's internal network from the Internet. Firewalls not only mask the identity of the individual computers behind them, they also examine and filter potentially damaging data entering or leaving the network. It is good practice to install both perimeter and client side firewalls.” For more information about personal firewalls, visit Wikipedia;[9] and to see if your firewall is effective, visit Gibson Research on the ‘net.[10]

Watchguard (http://www.watchguard.com), Cisco (http://www.cisco.com) and ZoneLabs (http://www.zonelabs.com) are three firewall providers listed by Zachary. ZoneAlarm Security Suite 6.0[11] is a frequent pick of the Windows Secrets newsletter as the best all-in-one software firewall,[12] anti-virus program, and anti-spam filter (and now with anti-spyware scanning and Windows OS kernel protection).

Although I recall using ZoneAlarm a long time ago, my recent experience has been with firewalls from iolo (Kaspersky is bundled with System Mechanic 6), Panda (Platinum 2006 Internet Security), Symantec (Norton Internet Security), and VCom (Sygate is bundled with SystemSuite 6).[13] PC World[14] magazine recently gave Panda Platinum Internet Security 2005 the top score in the security suite category. Panda is installed on one of my Virtual PC WinXP operating systems. It was easy to install and seems to perform well. I like well-integrated utilities.

Install Anti-Virus Protection

According to Zachary, “Hundreds if not thousands of new malicious software programs are released each month. These include viruses, worms, Trojan horses, and a host of other programs. Symptoms of infection range from the annoying to catastrophic.” These programs can slip through firewalls posing as a legitimate e-mail (one, I recall, attached a password-protected zipped attachment, which defeated the anti-virus program scan), so user education is of major importance (that is, don’t open something you aren’t expecting – if in doubt, call the sender to confirm the message/attachment). Zachary tells users to install the latest version of client-side anti-virus software[15] and make sure to regularly update and scan the system. He lists a number of well-established anti-virus products including Symantec’s Norton AntiVirus,[16] AVG,[17] Panda Software,[18] and McAfee.[19] My experience has been with iolo (Kaspersky), Panda, Symantec (Norton AV), and VCom (Trend Micro is the AV product bundled with SystemSuite 6).[20]

Protect the Content of Your Sensitive Files and E-mail

Again, user education is critically important to avoid sensitive e-mail and files going astray – in other words, think before you send and protect your data. Zachary says: “E-mail doesn't have to be a public announcement, yet private messages often turn out to be. E-mail and files containing sensitive information, such as advice, contracts, financial information, and more, all too often spread beyond the individuals they were intended for. According to a recent report by the Computer Security Institute, loss of proprietary data was the third leading cause of financial damage to organizations last year.”[21] In chapter 7 of the PracticePro booklet, Dan Pinnington talks about the dangers of metadata and in chapter 8 he describes ways to lock down and protect your data.

Zachary talks about using “rights management” software[22] to protect sensitive business data. He says such software, “not only encrypts files, but also serves to enforce access and limit usage privileges such as forwarding, editing, and printing.” Apparently this kind of protection remains with the file no matter where it goes. He concludes by saying: “Any business that frequently exchanges medical, financial, legal, or design data should make regular use of encryption and content rights management technologies.” My experience with rights management includes password protecting Word, WordPerfect and zipped files and change/print restrictions on PDF files. While these methods will keep out casual snoops, users should look for better protection from products such as those from PC Guardian.[23]

Establish a Periodic Data Backup Strategy

Periodic backups are required to ensure business continuity in case of an accident such as a hard drive failure or attack. In a networked environment, full and incremental data backups can be programmed to take place at regular intervals. Small office environments should back up their sensitive data to an external hard drive or CD at least once a week. It is good policy for companies to back up e-mail as well. Backup data should be stored off-site in a secure location. Be sure to test your backup processes to ensure that your data can indeed be restored in case of operational failure.
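
One way to carry out the restore test recommended above, shown as an added example that is not part of the original article: record a SHA-256 checksum for every file at backup time, restore the backup to a scratch folder, and compare the two. The folder names, file names and file contents below are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's path (relative to root) to its SHA-256 checksum."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored folder against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        # Files that were backed up but did not come back.
        "missing": sorted(set(manifest) - set(restored)),
        # Files that came back with different contents (truncated, damaged).
        "corrupted": sorted(
            name for name in manifest
            if name in restored and manifest[name] != restored[name]
        ),
        # Files in the restore that were never in the backup set.
        "extra": sorted(set(restored) - set(manifest)),
    }


def restore_is_good(report: dict) -> bool:
    """A restore passes only if nothing is missing and nothing has changed."""
    return not report["missing"] and not report["corrupted"]


def demo():
    """Build a constructed sample folder, then check a good and a bad restore."""
    with tempfile.TemporaryDirectory() as scratch_dir:
        scratch = Path(scratch_dir)
        source = scratch / "client_files"
        (source / "contracts").mkdir(parents=True)
        (source / "contracts" / "retainer.txt").write_text("constructed sample retainer\n")
        (source / "contracts" / "lease.txt").write_text("constructed sample lease\n")
        (source / "ledger.csv").write_text("date,amount\n2006-04-01,100.00\n")

        manifest = build_manifest(source)  # recorded when the backup is made

        good = scratch / "restore_good"
        shutil.copytree(source, good)  # stands in for a successful restore
        clean_report = verify_restore(manifest, good)

        bad = scratch / "restore_bad"
        shutil.copytree(source, bad)  # stands in for a faulty restore
        (bad / "ledger.csv").write_text("date,amount\n")  # truncated file
        (bad / "contracts" / "lease.txt").unlink()  # file lost from the media
        bad_report = verify_restore(manifest, bad)
    return clean_report, bad_report


if __name__ == "__main__":
    clean, bad = demo()
    print("good restore passes:", restore_is_good(clean))
    print("bad restore report:", bad)
```

Keep the manifest somewhere other than the backup media itself, so that a damaged backup cannot also damage the record it is checked against.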

Some secure off-site data storage providers (especially important during the last hurricane season) include Iron Mountain (http://www.ironmountain.com), First Backup (http://www.firstbackup.com), and KastenChase (http://www.kastenchase.com). For my take on backups, see “Software for Back-ups,” April 15, 2002, and “Better Backups, Part 1,” Hardware (December 15, 2004) and Part 2 Software (January 1, 2005) in The Lawyer’s PC.

Use Strong Passwords

“Passwords are used to authenticate the identity of an individual user. Unless otherwise protected, once a password is broken, your sensitive data is exposed. With free software that is readily available on the Web, most passwords can be broken in a number of minutes. These programs often use known words and phrases to break passwords frequently beginning with “password” and “admin.” For good password security, use a combination of upper case and lower case letters, numbers, and symbols (i.e. eR8!tJd). Make sure that your employees memorize their passwords and that these are not written down anywhere on the premises.” See also The Lawyer’s PC, May 1, 2005.

Hire a Security Consultant

Zachary notes that every business is different and requires its own security strategy. He suggests hiring an independent security consultant to assess your individual security situation and to create a comprehensive security policy that will meet your business needs.

If your law firm does not have an in-house computer/security expert, then outside help should be hired. It makes more sense to hire an outsider who bills at $50 per hour than a lawyer whose time is worth $200 per hour. Either way, it is false economy to say the budget doesn’t allow for such help. How much will it cost if you lose critical data?

It is critically important that the outside “expert” completely understands your business so decisions are not made which may make perfect sense to the security/IT consultant, but fail to protect the law firm, its business, and its responsibility to both clients and the governing body for lawyers in your jurisdiction.

Educate Your Employees

No security plan is effective unless followed by staff. While measures can be taken to severely limit user privileges (internet browsing, reading e-mail, or reading/writing of files from/to USB or CD drives), draconian security measures can interrupt workflow as well as damage productivity and morale. Zachary makes a good point when he says: “A better policy is to limit some user privileges while educating your employees about your company's security policies.” See the section of Dan Pinnington’s booklet “take care with current and departing employees” and see the advice from Law.com “Protect Your Network From the Enemy Within.”[24]

Final Thoughts

Zachary Price’s comments provide a good reminder and nicely complement Dan Pinnington’s booklet. Hopefully, the articles I referenced and my upcoming look at security software (in its broadest terms) will help keep your data secure. Windows Secrets subscribers were recently offered PDF eBook excerpts of two new books: Hardening Windows[25] by Jonathan Hassell, 2nd Edition, and WindowsXP Security Solutions[26] by Dan DiNicolo. Both books seem worthwhile – visit Amazon.com for more information and current prices. What was true last spring is still true now that it is winter: Law firms must actively manage their electronic data!

* Stephen Bird is a lawyer and long time contributing editor of The Lawyer’s PC newsletter. He can be reached at StephenBird@lawyer.com.


1  The TechnoLawyer post, Essential Security Tips for Law Firms, is an expanded version of IT Security Tips For Small Business found at http://tinyurl.com/dbbf7. Used with permission of the author.
2  The Lawyer's PC, May 1, 2005.
3  http://tinyurl.com/5y9gg.
4  See the 16th November 2005 Editorial, "Is Your Windows Update Working?" and the useful tips offered in the Support Alert Newsletter, Premium SE Edition – an eZine found at http://tinyurl.com/793lp. To update MS Windows visit: http://tinyurl.com/gedj and to update the Mac OS visit: http://tinyurl.com/2jzxr.
5  http://windowssecrets.com.
6  http://tinyurl.com/bmznr.
7  http://tinyurl.com/7ql8n.
8  Sign up and download it here: http://tinyurl.com/a6ozr. Microsoft is also offering a Windows Live Safety Center (http://tinyurl.com/a5pmn) where users can check for and remove viruses, learn about threats, improve a PC's performance, and get rid of "junk" on the hard drive.
9  http://tinyurl.com/bqpta.
10  https://www.grc.com/x/ne.dll?bh0bkyd2 for Shields Up! (grc restricts tinyurl redirection or refreshing sensitive security areas) and a firewall LeakTest at http://tinyurl.com/4k3fk.
11  Installation problems with version 6.0.631 (July 21) were reportedly corrected with an updated version 6.0.667 (September 6) of the ZoneLabs product line, which includes ZoneAlarm Pro and ZoneAlarm Security Suite.
12  WindowsSecrets likes offerings from Linksys for hardware firewalls.
13  VCom's SystemSuite Pro 6 was reviewed in The Lawyer's PC on October 1, 2005.
14  http://tinyurl.com/9kk5o.
15  I've read that antivirus "engines" don't significantly change that often, so it is possible to use program versions that are a year or two old provided you know how to obtain and update the virus/data signatures. Sometimes it is less expensive to purchase a new version than to renew one's subscription, which tends to be for a year. It is important to follow installation instructions, especially if one must first uninstall an older version before installing a new version. Hopefully the program is "smart" enough to detect an earlier version and then ask if you want to first uninstall it before installing the new version.
16  http://tinyurl.com/88qj3.
17  http://www.grisoft.com.
18  http://www.pandasoftware.com.
19  http://tinyurl.com/4epxt.
20  Unfortunately the TrendMicro updating function is not kind to those of us with dial-up connections because it requires a download of the entire virus database rather than just the new signatures by way of an incremental update used by the other AV programs.
21  See, for example, http://tinyurl.com/ccd7h.
22  His list of established providers includes: Authentica (http://www.authentica.com), Essential Security Software (http://www.essentialsecurity.com), and Microsoft IRM (http://tinyurl.com/tv9d).
23  GuardianEdge (http://www.guardianedge.com) is the encryption software spin-off from PC Guardian (http://www.pcguardian.com), which has been making and selling anti-theft devices since 1984. See also my "Data Lock-down" article in the May 15, 2005 issue of The Lawyer's PC.
24  http://tinyurl.com/9r6rg.
25  Published October 2005 by Apress, includes Chapter 4, WindowsXP Security, and Chapter 7, Patch Management, ISBN: 1-59059-539-4, 216 pages. Chapter 4 and more information can be found at the Publisher's web site: http://tinyurl.com/7r2f2.
26  Published November 2005 by Wiley (for PC Magazine), includes Chapter 3, Using Built-In Tools and Settings to Improve Windows XP Security, and Chapter 4, Securing Your Web Browser, ISBN 0-471-75478-1, 400 pages. A visit to http://tinyurl.com/cg5lv will get you more information as well as Chapter 1, Implementing User Accounts, Groups, and Logon Security.

 

Good Management Is Hard to Get – and Keep

Richard G. Stock*

This article was previously published in Lexpert, June 2003.

Law firm management comes in all shapes and sizes. Its configuration and effectiveness depend on the scale, the culture and the evolution of the firm. For many partners, management is easily confounded with leadership and administration. Law firms need all three, and require them in many different ways.

The first significant wave of change to hit law firms in the last 5 years was increased centralization of leadership and management responsibilities with individuals rather than groups. Standing committees dealing with administrative functions are not as apparent in today’s firms. Committees responsible for finance, technology, human resources, space planning, and even marketing have been supplemented by experienced professionals in all but the smallest firms. Only major resource decisions and policy questions are typically referred to executive committees.

Professional matters, such as student recruitment, professional development, knowledge management, precedent and opinion banks, are handled by permanent work groups or referred to standing committees. Firms with more resources are investing in professional positions, usually given to individuals with legal training, to lead programs and initiatives in those areas. There is good evidence that such investments in professional positions are yielding dividends in two ways. Firstly, they reduce the amount of time other lawyers must spend in meetings that are unproductive (read non-billable), even if they are interesting. Non-billable time is best spent on getting client work and on building competencies in others and in oneself. Secondly, performance can be better managed for results when an individual rather than a group is held accountable.

Practice Groups

Firms with as few as 25 lawyers can have viable practice groups. These can be organized by competency (area of law), industry sector (type of client), or geography. Law firms are opting for a matrix arrangement, because several goals can be achieved at the same time. The classic organizational design is by competency, since it is the most easily controllable and lends itself well to local and regional markets and to individual business development. Specialized teams, such as tax, immigration, labour and employment, and intellectual property, tend to operate as service groups to other practice areas in full-service firms. This is in marked contrast with specialty (boutique) firms, which must have clients of their own and will organize along industry lines.

Firms with an institutional client base are beginning to map along market/industry sector, as well as along competency lines. Membership in these industry groupings is typically multi-specialty and cuts across the line of classic competency-based practice groups. Clients populating these industry sectors often have multiple legal requirements, and do not pay particular attention to provincial and national borders. Law firms struggle to find partners who can lead and manage practice groups and industry/market sector groups. It is even more difficult to find office managing partners with the skill to balance professional and market imperatives, such that the firm can move from peaceful co-existence to strategic business results.

The Managing Partner

Law firms have Managing Partners, Chairpersons, Chief Executive Officers, and Chief Operating Officers, depending on their affinity for corporatization. Regardless of the name given to the positions, there remain an irreducible number of functions most Managing Partners should carry out by virtue of office, and can do well with the right focus and training. These include spending half of their non-billable time meeting with significant clients of the firm, acquiring senior legal talent for the firm, and ensuring that the firm’s strategic business priorities are clear and understood by everyone in the firm. Add to this the alignment of compensation systems for partners, other lawyers and staff with the firm’s business strategy, and the work order becomes more complex. And underpin all of this with values and operating principles that must be demonstrated every day to produce a mission that is nearly impossible. It should come as no surprise that management is hard to find and hard to keep.

You Don’t Know What You’ve Got ’til It’s Gone

Few partners want to make a career as Practice Group Leaders or Managing Partners. Accountability for resources and for the performance of others appeals to too few individuals with law degrees. Almost everyone will consent to a tour of duty in such positions – 3 to 5 years is usual. But the price in political capital and in personal life mounts up. Romancing the Stone was only a two-hour movie.

Firms would do well to keep the management and leadership they have and then find new combinations of projects and responsibilities to keep them interested in their portfolios. Partners should be better compensated for taking on these positions than if they practiced full-time. Still, every firm should be more demanding than ever by insisting that 4 to 5 measurable goals each year be assigned to every department head, group leader, or managing partner. As the adage goes, “You get what you measure and you get what you pay for.”

* Richard G. Stock, MA, FCIS, CAdm, CMC, is a partner with Catalyst Consulting. The firm has been designated the Preferred Supplier for Legal Services Consulting by the Canadian Corporate Counsel Association. Richard can be contacted at (416) 367-4447 or through the website at http://www.catalystlegal.com.

 

Roman’s Laws of Advocacy

Andrew J. Roman*

In his over thirty years of practice as an advocate before courts, boards, commissions, and tribunals across Canada, Andrew J. Roman, a Partner in the Toronto office of Miller Thomson LLP, prepared these observations for an in-house seminar.  While humorous, they also provide real and practical advice.

Introduction

These laws are partly facetious, but their slightly dramatic excesses have a purpose: to highlight a basic truth about advocacy.

Law 1

There is no such thing as “the law.” There are only winning and losing arguments. Neither a case nor a statute is “the law,” merely some support for a legal argument. Legal arguments are not a case strategy, merely the potential elements of a strategy. Until you have a clear strategy, you cannot know which legal arguments, supported by which cases or statutes, you will need.

Law 2

The “reasons for decision” are not the real reasons. They are the public explanation for an intuitive result. Rather than the reasons explaining the result, the result explains the reasons. That is why presenting one good argument based on sound principles is worth more than a dozen Supreme Court of Canada cases cited out of context.

Law 3

There are no binding precedents. The judge’s preferred outcome determines which precedent the judge will follow. A judge whose sympathy you have gained can distinguish any case your opponent cites. A judge whose sympathy your opponent has gained can find any case you distinguish to be binding.

Law 4

There are no hopeless cases. There are only lawyers with communication challenges. Meet the challenges and you will have a winnable case.

Law 5

No case has a predictable outcome. There are only lawyers willing to predict the results of their advocacy.

Law 6

There are no complex cases. There are only lawyers who have failed to simplify their arguments.

Law 7

No judge is purely rational. A lawyer who appeals only to the head and ignores the heart may well receive a heartless decision.

Law 8

There is no such thing as an “objective” test. The court merely replaces the parties’ subjectivity with its own. A reasonable person is one the judge finds reasonable. Due diligence is what the judge would do in the position of the accused if time and money were no object. A patently unreasonable decision is one that is so unreasonable that even the judge can see its unreasonableness.

Law 9

There is no such thing as a perfect argument. That is no reason to stop striving for perfection. An argument that is merely “good enough” is not good enough.

Law 10

Effective advocacy, whether written or oral, never goes out of fashion. Be more creative and you will be more persuasive.

* Andrew J. Roman is a Partner with Miller Thomson LLP. He can be reached at (416) 595-8604 and aroman@millerthomson.com. To read more about Andrew and his practice, visit www.millerthomson.com.

 

Publications

Title | Date | Interest Area | Format | Available
Practice Tips for Developing a Successful Legal Practice: Marketing, Networking, Rainmaking and Establishing a Clientele (YLD) | 11/29/2004 | Law Practice Management, Young Lawyers' Division | Binder | Download
Building and Running a Successful Practice | 10/20/2003 | Law Practice Management | Binder |
Professional Conflicts | 10/24/2000 | Law Practice Management | Binder |
Toolbox for a Healthy Practice | 3/27/2000 | Law Practice Management | Binder |
Marketing Your Litigation Practice: How To Be Remembered, How To Be Chosen | 1/27/2000 | Law Practice Management | Binder |

 

Multimedia Products

Title | Date | Interest Area | Format | Available
Law Practice Management: Financial Management for Lawyers Second Session - Maximizing Profitability | 2/16/2006 | Law Practice Management | | Audio CD, Audio Tape
Law Practice Management: Financial Management for Lawyers | 11/3/2005 | Law Practice Management | | Audio CD, Audio Tape
Law Practice Management & Young Lawyers' Division: Effective Mentoring | 10/20/2005 | Law Practice Management | | Audio CD, Audio Tape
Making Partner - Getting (and staying) on the right track | 5/8/2003 | Law Practice Management | | Audio Tape
Level the Playing Field and Make Rain on the Web | 4/6/2000 | Law Practice Management | | Audio Tape

 

Section Executive 2005-2006

Chair: Lori Brazier, LL. B., MBA
Catalyst Consulting (416) 367-4447
lbrazier@catalystlegal.com

Secretary (Sections): Robert A. Muir
Blaney McMurtry LLP (416) 593-3951
rmuir@blaney.com

Newsletter Editor: Ginevra Saylor
McMillan Binch Mendelsohn LLP (416) 865-7071
ginevra.saylor@mcmbm.com

Technology Liaison: Richard B. Potter, Q.C.
i-lawmarketing.ca (613) 476-8998
rpotter@on.aibn.com

Member-At-Large: David Chaiton
Chaitons LLP (416) 218-1122
david@chaitons.com

Member-At-Large: David B. Debenham
Lang Michener LLP (613) 232-7171
ddebenham@langmichener.ca

Member-At-Large: Charles E. Humphrey
Stringer Brisbin Humphrey (416) 862-1616
chumphrey@sbhlawyers.com

Member-At-Large: John M. Sotos
Sotos LLP (416) 977-0007 x303
Jsotos@sotosllp.com

Staff Liaison: Janet Green
Ontario Bar Association (416) 869-1047 x312
jgreen@oba.org