The ABA Journal reports on a blog post from attorney Sharon Nelson, the president of security company Sensei Enterprises, in which Nelson says that a 50-person law firm (which she does not identify) abandoned the iPhone because of the security risks that Nelson described in this article from the ABA Law Practice Magazine. The article says that if a sophisticated hacker gains access to your iPhone, using the right tools, he can bypass iPhone security features and access data.
Security is very important for lawyers, but articles like this frustrate me a little. First, the hacking required is very sophisticated. The hacker mentioned in that article is Jonathan Zdziarski, the foremost authority on iPhone security who literally wrote the book on iPhone Forensics. I have no doubt that if Zdziarski gets your iPhone and wants to do you harm, you are in trouble. The random guy who picks up the iPhone you left on a subway will almost certainly not be Jonathan Zdziarski.
Second, the iPhone is not unique when it comes to security risks. What about the risk of losing a briefcase containing confidential client papers? What about the risk of losing a laptop computer containing hundreds of gigabytes and many years of confidential information? Is it reasonable for a law firm to bar its attorneys from using briefcases or using laptops? It would take a skilled hacker to bypass the password on your laptop (assuming that you are using one), but I have no doubt that there are a larger number of skilled Windows hackers and folks who can figure out how to open a briefcase out there than skilled iPhone hackers.
Law firms need to be concerned about security. Just last month, the FBI issued an advisory that it had seen "noticeable increases" in efforts to hack into law firm computer systems. Smart hackers can exploit holes in network routers to tunnel into a law firm, especially one that doesn't have the latest security patches. Moreover, security experts will tell you that while computer crime is an important risk, so is social engineering. How easy would it be for a person to walk into your law firm, perhaps wearing a genuine-looking uniform, or perhaps entering when a receptionist is away or distracted, and gain access to all sorts of paper files or computer terminals? And if a criminal calls lawyers and staff pretending to be from IT and asking for the user's password, would anyone at your firm give it to them?
I can't fault security firms such as Sensei Enterprises for issuing news stories which scare people. It helps to get them new customers, and if all law firms hired smart security consultants, the trend noted by the FBI last month would surely start to reverse itself. I also understand that because the iPhone is not only popular, but also a pop culture symbol, one can get a lot more attention writing a story about iPhone security than talking about Palm Treo security or Android security. Nevertheless, I think that people need to look at the big picture.
The problem is not iPhone security. The problem is security. Period. This includes computer security, smartphone security, physical office security, social engineering security, etc. If an attorney puts confidential information anywhere — be it on an iPhone, a laptop, or a legal pad — the attorney needs to be very cautious about what happens to that information. If you lose your briefcase, there is little you can do besides retrace your steps and hope to find it. If you lose an iPhone, you have the option of trying to determine its location using a service like MobileMe or you can immediately tell your system administrator (or use MobileMe) to remotely wipe the iPhone. It won't work if a thief has already removed the SIM chip, but at least those are options that you don't have with a lost briefcase or even a lost laptop.
Apple has already done a lot to improve security on the iPhone, and I'm sure that they will continue to do more. A lot of smart IT folks at major law firms have analyzed the state of iPhone security, and most of the country's most profitable firms allow the use of iPhones. Indeed, just a few days ago, John Cox wrote an article in Network World entitled iPhone Winning Over Some Corporate Security Skeptics. That article quotes Andy Jurczyk, the CIO at Chicago-based law firm Sonnenschein Nath & Rosenthal LLP and a self-described security extremist, who says that there are currently more security measures for the Blackberry than for the iPhone, but that he nevertheless became satisfied with the level of iPhone security once Apple added Microsoft ActiveSync support in 2008.
Each law firm needs to make its own decisions on security. Do you let your attorneys use a laptop at all? Have you ever hired a consultant to do a security audit? How easy is it to gain physical access to your office? What policies do you have in place when a disgruntled employee leaves? Each firm needs to decide what is best for its users, but when I hear that a firm decides to prohibit the use of laptops or iPhones or any other particular device, I can't help but wonder whether the right focus is being placed on the most critical security risks.
Having said that, if you are an attorney using an iPhone, please use your iPhone's passcode lock feature, and please don't expose your iPhone to potential trouble by jailbreaking it.