How to keep mobile data safe: The case for on-device AI
On-device AI provides a decentralized way to process data so that it’s nearly impossible for bad actors to access.
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, chief information security officers, chief information officers, chief technology officers, corporate counsel, internet and tech practitioners, and in-house counsel. Visit the website to learn more.
For over a decade, mobile devices have unleashed new levels of productivity, efficiency and collaboration. Many companies have already moved their IT applications onto mobile platforms for workers who aren’t tethered to a desk (about 70% of the workforce, according to Deloitte). In fact, Deloitte contends that in the next five to 10 years, the 100% mobile employee will be the majority of all workers.
While mobile lawyering means freedom for the always-on attorney, it also creates serious challenges for their firm. BYOD (Bring Your Own Device) is one of the biggest compliance-related issues companies face today, and when it comes to security risks, law firms are prime targets. Considering law firms are built on their reputation, firms must make every assurance that the technology they use will protect their data.
Cybersecurity can no longer be an afterthought. Stakeholders across the company — not just CIOs — must factor risk into every business decision to avoid the potential for any catastrophe. This means that firms must only partner with vendors that take a “security by design” approach when building their systems to ensure security is coded in from the start.
Email has its risk factors
According to the American Bar Association 2018 Legal Technology Survey Report, 23% of respondents reported that their firm had experienced a data breach at some point. No firm is immune, resulting in increased pressure from clients who demand greater value and security from attorney-client relationships.
Email is a weak point for organizations because there is often a transfer of large and sensitive documents, and an email in transit is an easy point of entry for hackers. For this reason, firms turn to Document Management Systems (DMS) to reduce the need to distribute files via email by enabling users to share directly from the system interface. Organizing emails through a DMS is also how firms stay compliant with legal regulations; however, lawyers still depend on a grab bag of manual drag-and-drop features in Microsoft Outlook that are highly susceptible to human error.
New innovations are improving how we use email though. Management tools that apply the power of artificial intelligence (AI) are transforming workflow behaviors and processes. For example, research has shown that human beings become bored and start to make mistakes after filing approximately 45 emails; by automating the process with AI, accuracy jumps to 95%. These high-performance actions — like predictive filing to a DMS or wrong recipient detection — are greatly enhancing compliance and security (not to mention efficiency) for law firms today.
There are barriers to adoption for mobile AI technologies, however, because of sensitivities around data security vulnerabilities. Historically, AI on mobile has been a security challenge because most applications send data to the cloud for processing, which means moving data in and out of your device. This is when it’s easiest to steal, hack into or simply access files. This simple fact has made many mobile solutions out of reach for most firms adhering to compliance policies. Yet, according to a Deloitte study, 39% of enterprises still prefer cloud-based services as the delivery platform for AI and advanced technology-based applications, versus just 15% who favor on-premise.
Nevertheless, there is an alternative approach that eliminates these security weaknesses. With the advent of edge computing, data processing can now take place on the device itself. Instead of using third-party cloud or storage processing, on-device AI is similar to an on-premise system but works by operating inside the mobile device to ensure all data remain completely inside the firm’s security perimeter. Edge computing requires exceptionally sophisticated engineering, and the ability to write code that is tight enough, and efficient enough, to fit, literally, in the palm of your hand.
On-premise AI architecture
Ensuring that sensitive data never leaves a device is the only failsafe way to prevent an attack. Hardware providers like Apple use 256-bit AES encryption as the default on every iOS device, while a unique identifier (UID) is used as the key for encryption. Because iOS supports industry-standard networking protocols for data transmission, most other apps — including calendar and email clients — automatically use these same protocols to enable an encrypted communication channel between the device and network services.
On-device AI — or edge computing — provides a decentralized way to process data so that it’s nearly impossible for bad actors to access. The method for computation on edge is to fetch the raw data (e.g., email, DMS, timekeeping) from on-premise or cloud services, and then analyze it to provide productivity features for the user. In order to fetch this data from each service, different APIs should be implemented, and industry authentication standards need to be met — including certificate-based authentication, two-factor authentication, and different types of SSOs.
For some networks, mostly cloud services, connecting through a REST (representational state transfer) API over HTTPS is enough; however, in the case of on-premise services, other challenges exist. Because these networks are not visible from the Internet, a VPN or per-app VPN is required to access internal resources at the application level. In addition, some legacy services do not support a modern REST API, so low-level TCP/IP protocols need to be implemented.
Once there is a secure connection, it’s critical to organize the fetched data and sync it with the providers. Because some on-premise legacy systems were not designed to connect with outside devices, it’s vital to have a minimal and balanced load transfer. In the same way, battery usage on mobile devices must be managed wisely to minimize drain. Designing for optimal data performance is essential for effective edge computing architecture.
For instance, it’s important to use light and efficient Natural Language Processing (NLP) libraries and Machine Learning models for data preprocessing on mobile devices in order to provide output to the user quickly and accurately. The stored data at rest should then be secured by strong encryption so that in the event of unauthorized access or theft, the data remains invisible and can never be compromised.
Mobile device management
Purchasing innovative technology isn’t the only security measure a law firm needs to take. Vigilance is a continual effort and IT management must be executed from the top down. As the BYOD approach has become popular among corporations, a well-defined Mobile Device Management (MDM) strategy is a critical aspect of the policy.
MDM systems allow administrators to control, secure and enforce policies on smartphones, tablets and other endpoints. It gives employees the flexibility to use the device (and applications) of their choosing while providing the firm layers of protection. In the event of a lost or stolen device, all stored data can be remotely wiped from the device.
There are best-practice strategies to keep in mind when developing your firm’s mobile device policy. IT administrators should consider the following to safeguard against potential security incidents:
- App management: Seventy-six percent of mobile apps have a vulnerability, so controlling which mobile apps are being used is an important consideration for BYOD. The most common vulnerability is insecure data storage, which opens up opportunities for attackers to stage phishing attacks or steal user credentials. Exploitation most often happens through malware, which puts users at risk of being hacked remotely without the need for physical access to the device.
- Require a PIN: Look for applications that require users to set a PIN code. Remote intruders are deterred because it involves manual data entry, and intruders that do try face a PIN system that limits unlock attempts before shutting down the app or device. A four-number PIN offers 10,000 possible combinations, so given four attempts to authenticate against the universe of 10,000 codes, the intruder has only a 0.04% chance of success. That’s why some people say PIN security is actually better than password security.
- Auto-lock: Administrators can set the complexity of the passcode. They should also set a time interval (in minutes) after which the user is able to log in without re-entering the PIN.
- Prevent data leakage: This policy enables administrators to enforce (via MDM configuration) restrictions on users and prevent them from exposing content. When enabled, users are not able to copy, cut or paste data from an open screen to the clipboard, and print screen is also disabled.
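
The "Require a PIN" item above rests on two things: an attempt limit and the size of the PIN space. The following Python sketch is an added example, not code from the article or from any product it describes; it computes the guessing odds for any PIN length and implements an attempt-limited check. The `PinGate` class, its in-memory counter, the PBKDF2 parameters and the sample PIN are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from fractions import Fraction


def guess_success_probability(pin_digits: int, max_attempts: int) -> Fraction:
    """Chance of hitting a uniformly random PIN with distinct guesses before lockout."""
    keyspace = 10 ** pin_digits
    return Fraction(min(max_attempts, keyspace), keyspace)


class PinGate:
    """Attempt-limited PIN check (hypothetical class, in-memory state only)."""

    def __init__(self, pin: str, max_attempts: int = 4, iterations: int = 100_000):
        self._salt = secrets.token_bytes(16)
        self._iterations = iterations
        self._digest = self._derive(pin)  # keep the derived value, never the PIN
        self._max_attempts = max_attempts
        self._failures = 0

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, self._iterations)

    @property
    def locked(self) -> bool:
        return self._failures >= self._max_attempts

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False  # after lockout even the correct PIN is refused
        if hmac.compare_digest(self._derive(candidate), self._digest):
            self._failures = 0  # a successful unlock resets the counter
            return True
        self._failures += 1
        return False


if __name__ == "__main__":
    for digits in (4, 6):
        p = guess_success_probability(digits, 4)
        print(f"{digits}-digit PIN, 4 attempts: {float(p) * 100:.4f}% chance")
    gate = PinGate("4821")  # constructed sample PIN
    results = [gate.verify(g) for g in ("0000", "1234", "1111", "2580", "4821")]
    print(results, "locked:", gate.locked)
```

The 0.04% figure assumes the PIN is chosen uniformly at random and that the failure counter is kept where an attacker cannot reset it; a counter held only in app memory, as in this sketch, does not give that guarantee.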
Modern digital technologies such as smartphones have impacted the everyday workflow for the better, making us all more effective. But they’ve also introduced new security risks to law firms and created the need for vigilance.
Whether a firm deploys its applications in the cloud or decides to keep them on-premises, data security will always be paramount. But for law firms, there’s a peace of mind knowing data stays inside the IT infrastructure.
Given the potential for reputational damage and more, CIOs and IT administrators should prioritize vendors that deploy on-premise AI to make these security concerns irrelevant once and for all.
Gevorg Karapetyan is co-founder and chief technology officer at Zero. He holds a PhD in computer science and has over a decade of experience developing intelligent automation systems.