
Requiring use of firm computer vs allowing personal equipment: advice from Kraft Kennedy CTO

Tracy Kraft


An International Legal Technology Association (ILTA) member posed an important question in the community forum on February 4. Below is the advice shared by Kraft Kennedy CTO, Chris Owens.

ILTA Member Question: Looking for some input

For those employees working remotely, are you requiring they use a firm computer, or can they use their own equipment?
If using their own equipment, do you require specifics such as:

  • Age or type of personal equipment (Apple/Dell/HP)
  • Antivirus/Microsoft Updates required
  • Does your IT dept. check periodically for security?

Response from CTO, Chris Owens:
I have seen all combinations of formats within law firms; everything depends on the technology the firm deploys for delivering applications to lawyers and the security requirements for the firm. Here are some things I would always consider:

  • If there is a chance someone can download or otherwise locate Firm data on a personal device – it needs to be Firm-managed. Adding Intune, or any other MDM solution, to any machine (not just a mobile device) allows you to ensure you have options to protect the Firm in a variety of scenarios.
  • Never allow a VPN from a non-managed device, and best practice is to only allow it from Firm-owned devices. In addition, use certificates to ensure that no one can connect from an unknown device, as we have seen too many security incidents start with someone figuring out that they can go to vpn.myfirm.com and connect right up to the internal network from their personal PC.
  • If someone is opposed to the Firm putting management software on their personal PC, you can still offer up a thin client solution like Citrix Virtual Desktops, Azure Virtual Desktop, or VMware Horizon, but do not let data traverse the connection. Ensure a zero footprint on that personal PC.

As for the security component, it too can come in a variety of technologies. We see many law firms complete attestation tests before a device is allowed to access Firm data. Typical requirements are a valid operating system (not jailbroken), absence of unapproved applications, and an active, up-to-date antivirus application. In addition, we see many firms pushing web management platforms to Firm-managed (not just Firm-owned) devices. Microsoft Defender for Endpoint or Zscaler are not just for web traffic management; they are part of the larger data exfiltration barrier that starts with a cloud app security broker (CASB). Lastly, more and more law firms are starting to inquire about penetration tests for mobile and Firm-managed PCs as lawyers are doing significant percentages of their work away from the Firm-owned device.

COVID has redefined so many of the technology areas and their respective requirements within law firms. Many firms have found tremendous success in 2021 through providing flexibility to their lawyers and supporting evolving work styles and business processes. Ensuring you maintain the appropriate level of protection should always be part of that evolution equation.
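The device rules and attestation requirements in the response above can be combined into a single fail-closed access decision. The following is an added example, not part of the original post or any Kraft Kennedy tooling; the report field names, the tier names and the 7-day antivirus signature limit are assumptions made for illustration.

```python
from datetime import date

# Field names, tier names and the 7-day limit are assumptions for illustration.
MAX_AV_SIGNATURE_AGE_DAYS = 7

def attestation_failures(device, today):
    """Return failed attestation requirements; a missing field counts as a failure."""
    failures = []
    if device.get("os_integrity_ok") is not True:
        failures.append("operating system not verified (possibly jailbroken)")
    apps = device.get("unapproved_apps")
    if apps is None or len(apps) > 0:
        failures.append("unapproved applications present or not reported")
    av_date = device.get("av_signature_date")
    if device.get("av_active") is not True or av_date is None:
        failures.append("antivirus not active or not reported")
    elif (today - av_date).days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures out of date")
    return failures

def access_decision(device, today):
    """Map a posture report to (access tier, reasons)."""
    if device.get("managed") is not True:
        # Unmanaged personal PC: no VPN and no local data, thin client only.
        return "thin_client_zero_footprint", ["device is not Firm-managed"]
    failures = attestation_failures(device, today)
    if failures:
        return "deny", failures
    if device.get("firm_owned") is True and device.get("device_cert_valid") is True:
        return "vpn_and_firm_data", []
    return "firm_data_no_vpn", ["VPN needs a Firm-owned device with a valid certificate"]

# Constructed sample reports (not real devices).
TODAY = date(2021, 2, 10)
HEALTHY = {"os_integrity_ok": True, "unapproved_apps": [], "av_active": True,
           "av_signature_date": date(2021, 2, 9)}
SAMPLES = {
    "firm_laptop": {**HEALTHY, "managed": True, "firm_owned": True, "device_cert_valid": True},
    "managed_personal_pc": {**HEALTHY, "managed": True, "firm_owned": False},
    "stale_av_laptop": {**HEALTHY, "managed": True, "firm_owned": True,
                        "device_cert_valid": True, "av_signature_date": date(2021, 1, 1)},
    "unmanaged_home_pc": {"managed": False},
    "partial_report": {"managed": True, "firm_owned": True, "device_cert_valid": True},
}

if __name__ == "__main__":
    for name, report in SAMPLES.items():
        print(name, access_decision(report, TODAY))
```

The `partial_report` sample shows the fail-closed behaviour: a managed, Firm-owned device that omits its posture fields is denied rather than granted VPN access.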

Please reach out to continue the conversation, or explore policy management