chevron-down Created with Sketch Beta.
August 04, 2023 Feature

Ten Easy Steps to Reduce Your Risk of Cyberattack or Data Breach

By Scott R. Davis

Judges and lawyers are facing a rapidly growing number of cyber threats as more aspects of everyday lives are being stored electronically—from personal health information (PHI), social posts, and electronic communication, to thousands of third-party apps and other apps and services that encourage sharing. When data from all of these personally identifiable information (PII) sources are combined and indexed for a court case, the data for a potential cybercriminal are a treasure trove.

As more of the legal industry becomes digitalized, the requirements of data security must not only strengthen but also become part of the everyday culture for lawyers and judges.

According to the 2022 American Bar Association Legal Technology Survey Report, 27 percent of respondents answered that their firm has experienced a security breach at some point. It continued that 25 percent of respondents reported not knowing if their firm had ever experienced a security breach.

I often discuss the lack of knowledge or tools to identify when a security breach has occurred. It is essential to remember that every lost phone, lost laptop, or email sent to the wrong person is a security incident and possible breach. Additional threats like open WiFi networks, USB drives, unused network jacks in public areas, and phishing emails can all lead to ransomware attacks, data breaches, and the sharing of client PII data.

It’s easy to highlight the risks, but what are 10 easy steps you can take today to improve your office and courtroom cybersecurity posture?

1.   Ongoing Cybersecurity Training Standard

Compliance requirements require annual cybersecurity awareness training, but that is not enough in today’s advancing battle with cybercriminals. With services like ChatGPT and artificial intelligence (AI), drafting and creating new cyberattack phishing templates and scripts are easier than ever before. These enable novice hackers the advanced ability and skills to mirror sometimes the most experienced cybercriminal gangs online today. Annual cybersecurity awareness training must be required; monthly and quarterly refresher courses should be provided as well to ensure the content is current and the message is not lost in translation or just a repeat of the same. When building a culture of cybersecurity training into your day-to-day, your team will be better prepared for the latest social engineering threat or red flags.

Simulated Phishing (email), SMSishing (text message), and Vishing (phone call) are effective ways to gauge if your employees are able to identify social engineering threats and are designed to help craft future trainings to cover failures.

Remember, the cybercriminal’s goal is to utilize the emotional response of a person to get them to click a link, allow them in the door, or download that file. Fear of being in trouble, trying to be helpful, and even sadness are all emotions that can outweigh training that has been completed.

2.   Keep Your Work and Personal Lives Separate

It is essential that we keep personal and work accounts separate. When using your work email or passwords for personal accounts, you can compromise the security of both your personal and your work-related data.

Each of us should have two online profiles or images of us: one being our personal and the other our work or professional. Every employee should be provided the necessary technical equipment to complete their job, and it should be limited to only work. Home computers should be for family sharing, gaming, social networking, personal banking, and more.

One of the hardest components of data security is knowing what data are where, and if we have a technical environment where anyone can use any device, then it’s impossible to know where data are and if that USB drive is lost, what was on it. A breach of data is still a breach even if the company is unaware the data were ever lost. Acceptable use and data protection policies (DPP) should outline your accepted and standardized use and management of systems and data.

3.   Use a Password Manager with Unique, Longer, and More Secure Passwords

Using strong passwords is one of the easiest and most effective ways to improve cybersecurity. Passwords that are too short or too simple are easily hacked and can put your data at risk. Choose passwords that are at least 12 characters long and contain a combination of upper- and lowercase letters, numbers, and symbols. A 12-digit password containing all four components of complexity would take a hacker tens of thousands of years to crack, whereas the same complex password with eight characters can be cracked in a day. Roughly every two years, the time to crack a password is halved as processing power continues to advance.

The use of an enterprise-grade password management tool like Dashlane, Keeper, PasswordBoss, and others allows your users to have unique and complex passwords for each of your accounts without having to remember them all. The reason you want to look at an enterprise-grade password manager is you want to ensure the capability of single sign-on (SSO) and multifactor authentication (MFA) are supported and enabled for your team members, ensuring a single weak password doesn’t expose every secure one.

4.   Always Enable Multifactor Authentication (MFA)

MFA is an additional layer of security that requires a second form of identification in addition to your password. This can be in the form of a security token or a biometric identifier such as a fingerprint or facial recognition. Most services today utilize a six-digit code via a mobile app, email, or text message to confirm you are who you are to accomplish this. Mobile apps such as Microsoft Authenticator, Google Authenticator, Duo, and others provide this mobile app functionality typically free.

It is recommended to utilize the mobile app authentication method as it is the hardest to compromise, and cybercriminals may already have access to your email or text message accounts directly or indirectly. You also should remember and remind others never to share those codes as often it’s the only thing keeping the cybercriminal out of your system.

5.   Data Classification and Storage of Sensitive Data

Classifying data based on its sensitivity can help you identify which information needs the highest level of security. PII, such as social security numbers, birthdates, and financial information, should always be secured with extra care.

Data that are introduced during a court trial—including PII, PHI, social posts, electronic communication, and potentially the thousands of third-party apps and other apps and services that encourage sharing of data—should all be considered sensitive. A breach of these data is likely to include the name, contact information, online accounts, biometric data, and more—which, when packaged in a case file, makes for an easy identification theft process.

Sensitive data should always be stored in file servers on the local network. The recommendation would be for the use of a virtual private network (VPN) connection when out of your office to connect and access those files, but internet access is not always the fastest or most reliable, so the need for data to be stored locally or on a USB drive may be necessary. When using a VPN, data are encrypted and transmitted securely, making it more difficult for cybercriminals to intercept. If that’s the case, then the system or drive must be encrypted with policies ensuring the system is locked automatically and whenever unattended.

If data are being stored locally, then that should also be documented with the information technology (IT) director so that policies can be deployed which enable any device containing sensitive data to be remotely wiped in the event of loss or theft.

6.   Back Up Data Locally and Offsite

Regularly backing up your data is essential in case of a cyberattack or data loss. Backups should be done both locally and offsite so that in the event of a physical disaster such as a fire or flood or a cyberattack like ransomware, your data remain accessible. Make sure to use encryption when backing up your data so that even if the data fall into the wrong hands, they remain secure.

Backing up data on servers is easy, but it’s amazing even this year there are cases where files have been lost due to inadequate backups or untested recovery of backups. Even files that are stored in a cloud service need to be backed up; for example, Microsoft 365 natively only stores backups for 14 days, and if you would have to go further back, it’s likely the data are gone.

Let’s focus on the personal devices we use. Do you know if your laptop is being backed up, and if you know, do you know when was the last time it successfully completed a backup? That’s important to know, especially if you are working on local files and folders. Simply trusting that the process is working is not enough and is typically how you end up losing files and data.

7.   Patch Your Software, Systems, and Devices

Patching software, systems, and devices is crucial to maintaining their security and preventing cyberattacks. A patch is a piece of code that is released by a software vendor to fix vulnerabilities or bugs in their product. These vulnerabilities can be exploited by cybercriminals to gain unauthorized access to systems, steal data, or spread malware.

By not patching systems, software, and devices, you are leaving yourself vulnerable to potential cyberattacks. Hackers often exploit known vulnerabilities in outdated software or systems to gain access to sensitive data. By applying patches and updates, you can close these vulnerabilities and reduce the risk of cyberattacks.

Moreover, patching is not a one-time event but rather an ongoing process. As new vulnerabilities are discovered, vendors release new patches and updates to address them. By regularly patching your software, systems, and devices, you can stay protected against new and emerging threats.

Your systems are your computers that are used to save and access your data. Windows or Apple Mac updates should be done automatically and on a monthly basis. If you are running a system that is no longer supported, like Microsoft Windows 7, it’s time to replace that hardware and run the latest operating system.

Software is any software from Microsoft Office to PracticePanther, MyCase to Clio, and any other application you have on your system. The software updates ensure the software titles stay secure and limit risk.

Systems and software are no-brainers, but it’s the other devices that we often forget. Upgrading firmware on Internet of Things (IoT) devices and printers is just as critical as they are on our network and can be used to gain access to the network. In the world of IoT, we have picture frames, window blinds, cameras, mobile phones, appliances, and, well, everything up to the kitchen faucet. Not only do you have to stay on top of updating the firmware for these, but you also should place any of those devices on a network that is separate from your primary network or a virtual local area network (vLAN).

Without getting technical, the latest Verizon Fios and Comcast modems typically include an IoT device wireless network as well as your standard and guest networks out of the box. If they don’t and you are working out of your home more than your office, you should consider working with your IT team to improve your modern workplace security (your home).

8.   Limit Plugging in Unknown Devices

Plugging in unknown USB devices, even those from your clients, can pose significant risks to the security of your system and data. These risks include:

  • Malware infections: Malware can be easily transferred through USB drives, and unknown drives may contain malicious code that can infect your system.
  • Data theft: Unknown USB drives may be designed to steal data from your system, including sensitive information such as login credentials, personal data, and financial information.
  • Sabotage: Unknown USB drives may contain files or software designed to cause damage to your system or disrupt your work.
  • Backdoor access: Attackers can use USB drives to gain unauthorized access to your system or network, potentially giving them access to confidential information.
  • Network intrusion: If your system is part of a network, plugging in an unknown USB drive can pose a risk to the entire network by providing an entry point for attackers.

This doesn’t just extend to the standard USB drive but also to USB fans, unknown USB charging cables, and other USB-related promotional devices you may pick up at your local trade show. I’ve seen USB fans containing ransomware team up with a hot conference hall to find success.

Plugging in unknown USB devices can pose significant risks to the security of your system and data. It is essential to exercise caution when plugging in USB drives, especially from unknown sources. It is recommended to scan USB drives for malware before use and to use only USB drives from trusted sources.

9.   Stop Scanning and Using QR Codes

Scanning a QR code can pose certain risks to your security and privacy. While QR codes are a convenient way to quickly access information or download apps, they can also be used to deliver malicious content or steal personal information.

Like plugging in an unknown USB device, simply scanning a QR code can open your device to malware infections, phishing attacks, data theft, device takeover, and physical security risks.

Some of the most common QR code attacks are phishing attacks where a cybercriminal will replace or cover a valid QR code at a restaurant, sign, or other places where they have become common with a hijacked QR code. The hijacked code will often redirect you to another website, where malware or software may be deployed to your device, or a login page to Microsoft 365 before directing you to the actual page you were intended to visit.

This method of attack happens while the user is simply loading the content you are looking to view. To the average user, it’s normal and, surprisingly, the user will provide the permissions, install the app, or even provide their login credentials as QR codes are presumed to be safe in nature. Even the simple safeguard of looking at the link before you click doesn’t work because almost every QR code contains a short URL, and you have no idea where it will actually take you.

To reduce the risks associated with scanning QR codes, it is important to exercise caution and scan only codes from trusted sources or request a paper printout. Additionally, be wary of QR codes that direct you to suspicious or unfamiliar websites and avoid scanning codes in public places where your privacy and physical security may be at risk.

10.   Finally, Use Your Gut

If the offer sounds too good to be true, it is. If you want to learn more, open a web browser and visit the site directly versus clicking on the link. The entire world is looking to gain access to your data, and you must take actions to protect your own data, so treat all data the same and think of it as your own.

The above tips are not the latest trends or recent revelations. These are tried-and-true, familiar tips that you’ve already likely heard repeatedly. The reason we are still repeating them is so many of us forget the basics, but the basics are advancing, as finding a spelling error in a phishing email five years ago was common, whereas today they are well-designed and spell-checked emails that look just as good as the legitimate ones.

AI is going to continue to push the boundaries, and while the foundation above will be the same, it’s how we look at and consider each step that will evolve and change.

Improving cybersecurity is and will always be a critical concern for judges and lawyers. Cyber threats are becoming increasingly common, and it is essential to take the appropriate steps to protect your data. By taking these steps, you can reduce your risk of cyberattack and help protect your client’s sensitive data.

    Entity:
    Topic:
    The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

    Scott R. Davis

    Cybersecurity Association of Pennsylvania

    Scott R. Davis is president of the Cybersecurity Association of Pennsylvania.