Identify Your Cyber Assets
The path to a more secure firm starts with creating a simple document detailing your practice’s IT assets. Using our template, list all of the technology you use at your firm, to the best of your knowledge. If you have an IT service or office manager, enlist their help to fill in any missing areas. There are four different categories you should explore when completing this template.
Networking Infrastructure
Do you have wired (LAN) and Wi-Fi networks? What is connected to each? Is there a guest network? Who has access to the Wi-Fi passphrase(s)?
Systems and Other Hardware
Take an inventory of all of the PCs, laptops, mobile devices, file servers, and network-attached storage (NAS) that are present in the practice.
Applications and Data
What business software are you using, and what are those applications responsible for? Common software for law firms includes practice management suites, billing and payment solutions, and document management tools. What information do they manage and where does that data reside (both cloud-based and on-premises)? Don’t forget about any backups and archives that you may have residing in different locations.
Users
Make a comprehensive list of any and all users with accounts on your systems, including what privileges and capabilities these users have. For example, you might have administrative rights on your PC, but you may have created an account for your bookkeeper with access restricted to certain folders or files. Ask all members of your staff to help ensure this information is as complete as possible.
Creating a comprehensive inventory of all the assets in your practice is the only way for you to know exactly what items you’ll need to protect. Once you have this information recorded, you have taken your first step toward making your law practice, and your clients’ sensitive data, more secure.
Strengthen Your Passwords
Everything in your office, from your network itself to your personal computer, is only as secure as the password you have created for it. Shockingly, security researchers have consistently found that a majority of people reuse the same password for many, if not most, of their applications. A single insecure website that exposes your password in a data breach could be all an attacker needs to gain access to many accounts that are critical to your practice and your personal life. So what steps can you take to protect your personal information and your firm’s valuable data?
Use a Password Manager
You can significantly strengthen your passwords by utilizing a trusted password manager application, such as 1Password or Keychain on Mac OS. A password manager provides a secure way to store and find all of your passwords and only requires you to remember a single, master passphrase to gain access. Basic password managers work with a single computer, encrypting passwords on your hard drive. More sophisticated versions, however, allow you to share your passwords across multiple devices and computers, including mobile phones and tablets.
As you create new accounts for sites you visit or applications you use, add a new entry in your password manager. Name the entry after the site, include your username, and use the password manager to generate a password. Most generators will let you choose the length and complexity of the password to meet any rules imposed by the site, such as allowed special characters. Some accounts may require you to provide answers to security questions to reset a forgotten password.
Unfortunately, most sites ask the exact same questions and may not adequately protect the answers. If the account requires you to answer security questions, use the password manager to generate your responses, as well. Remember to include the security question in the password entry.
Create a Strong Passphrase
When you first set up your password manager, you will need to choose a strong but memorable passphrase. A passphrase is basically a stronger, more complicated password. Strong passphrases have the following characteristics:
- Contain both upper and lowercase letters
- Have digits and punctuation symbols as well as letters
- Contain at least 12 or more letters, numbers, or symbols—the longer the better
- Are not a word in any language, slang, dialect, or jargon
- Are not based on any personal information, such as names of family members or pets, or important dates
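Those five rules can be checked mechanically. The checker below is an added example written for this e-book, not code from any password manager; the small COMMON_WORDS set is a constructed stand-in for a real dictionary, and the personal-information list is whatever names and dates you pass in.

```python
import re
import string

# Constructed stand-in for a full word list (assumption: a real check
# would load a dictionary file, which this page does not provide).
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "attorney", "lawfirm"}


def _alnum(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_passphrase(passphrase, personal_info=()):
    """Return the list of e-book rules the passphrase fails (empty = passes).

    personal_info: names of family members or pets, important dates, etc.,
    given as strings; any 3+ character piece of them must not appear.
    """
    failures = []
    has_upper = any(c.isupper() for c in passphrase)
    has_lower = any(c.islower() for c in passphrase)
    if not (has_upper and has_lower):
        failures.append("needs both upper and lowercase letters")
    has_digit = any(c.isdigit() for c in passphrase)
    has_punct = any(c in string.punctuation for c in passphrase)
    if not (has_digit and has_punct):
        failures.append("needs digits and punctuation symbols")
    if len(passphrase) < 12:
        failures.append("needs at least 12 characters")
    # Strip digits/symbols first so "Password1!" is still caught as "password".
    letters_only = re.sub(r"[^a-z]", "", passphrase.lower())
    if letters_only in COMMON_WORDS:
        failures.append("is a dictionary word")
    normalized = _alnum(passphrase)
    for item in personal_info:
        # "03/14/1985" becomes ["03", "14", "1985"]; only pieces of 3+ chars count.
        pieces = [p for p in re.split(r"[^a-z0-9]+", item.lower()) if len(p) >= 3]
        if any(p in normalized for p in pieces):
            failures.append(f"contains personal information ({item})")
    return failures
```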
Enable Multi-Factor Authentication
Another step you can take to protect your critical systems is to enable multi-factor authentication—also known as MFA or two-factor authentication. Multi-factor authentication is available on many sites and protects you by requiring both your password and a code to access your account. The access code is typically texted to you or provided by an app on your phone, such as Google Authenticator, and changes with each use. Without access to both your phone and your password, an attacker is prevented from gaining access to your account.
Fortify Your Network
Wi-Fi networks make it easy to connect the systems in your practice, both to each other and the outside world. Unfortunately, they can also make it easy for an intruder to gain access to those same systems, and the data therein. The good news is that there are a few important, but simple, changes you can make to your network configuration to significantly reduce this risk.
Secure Administrator Access
Start by using your password manager to set a strong password for administrative access to your wireless router. Many networks are breached because the default password was never changed. Log in to your router’s configuration website to reset this password and update the other security options discussed in this tip. For most wireless routers, you access this website by entering “192.168.1.1” or “192.168.0.1” into your browser address bar. Note: To do this, you will need to make sure you are connected to your network first, either via an Ethernet cable or Wi-Fi.
With administrator access locked down, you should now secure access to the network itself. Most wireless routers today support a primary Wi-Fi network, one or more guest networks, and wired, local area network (LAN) ports to connect directly to the router. We recommend that you keep your office devices and staff on the primary Wi-Fi (your “private” Wi-Fi network) or LAN, and use a guest network for any clients or visitors who need internet access.
Enforce Wi-Fi Authentication
Access to all of your Wi-Fi networks needs to be password-protected. For small businesses, the predominant standard is referred to as WPA2-PSK or WPA2-Personal, or just WPA2. WPA2-Enterprise can provide more flexible authentication options for larger practices with many users, but requires additional configuration that may require IT services. With WPA2-PSK, a shared password is used to access the network. Use your password manager to generate different, strong passwords for your private and guest Wi-Fi networks.
Limit Guest Access
Your guest network is there to keep your clients and visitors separate from your private network—and out of reach of your confidential information. If you are not careful, however, you may inadvertently allow your guests much greater access. When configuring your guest network, you may see an option to allow guests to access your LAN, local network, or intranet. Make sure you do not allow LAN access so that your guests cannot reach office systems that are wired directly to the router.
Keep Physical Security in Mind
Keep in mind that wireless routers can typically be reset to their factory configuration with just the push of a button or a straightened paper clip. Once reset, the default password is the only defense between an attacker and your network. If possible, keep your wireless router in a locked enclosure or cabinet with the reset mechanism inaccessible.
Protect Your Internal Systems
As systems and processes become increasingly digital, computers are simultaneously becoming an increasingly attractive target for online attackers—providing a jumping-off point to access numerous systems and accounts. There are multiple routes into these systems, from open network connectivity to targeted malware—so let’s explore some simple tools for protecting against these threats.
Keep Your Systems Updated
One of the greatest threats to your internal systems is malware—software that is created specifically to damage or disable computers and their systems. Many malware threats operate and spread by taking advantage of problems in software for which fixes have long been available. Unfortunately, these fixes are often not applied to vulnerable systems. Modern operating systems such as Windows and Mac OS X support automatic installation of critical updates—you just need to enable it.
A number of application packages, such as Microsoft Office and Adobe Acrobat, also support automatic updates. Given their widespread use throughout business, these applications offer a rich target for hackers. If the applications you use offer automatic updates, make sure this feature is enabled.
Install Anti-Malware Software
Clicking a link in an email that looked legitimate, downloading a file from a site you thought was secure—these are common actions taken every day that infect systems with malware, and the damage can range from keyloggers stealing passwords to ransomware holding your data hostage.
You can greatly reduce your risk of falling victim to these attacks by making sure antivirus or anti-malware software is installed and configured properly on all of your systems. Once installed, make sure real-time checking is enabled so that security analysis is performed immediately, as actions are performed. You should also schedule full computer scans weekly at a time that doesn’t interfere with your work. If you are using Windows 8 or later, Windows Defender antivirus is pre-installed and needs only to be configured.
Enable Your Firewall
A firewall inspects the communications coming in or out of your PC and determines whether to allow the communications to continue or block them. Firewalls can prevent attackers from gaining access to your computer and data, as well as halt the spread of malware from one computer to another. Windows and Mac OS X both have built-in firewalls that you can configure to meet the needs of your office. You should enable your firewall and configure it to block all incoming connections except for applications that you specifically enable. Typical exceptions include instant messaging and file-sharing applications.
Limit Access
One final recommendation for protecting your systems is to limit what users are able to access and modify. In computer security circles, this is known as the “Principle of Least Privilege” and states that users should have the minimum privileges necessary to do their jobs. By limiting users in this way, your confidential information is only accessible to specific individuals, and non-administrative users cannot make system changes that may threaten the security of your office.
We suggest creating an administrator user with full privileges to configure your PCs and individual, non-administrator accounts for each user in your office, including yourself (avoid using an administrator account for your primary account). Then, share files and folders with specific users based on their need to access information.
Any weakness in your system can expose a wealth of sensitive data to those looking to exploit it. Fortunately, by taking the steps above, you can help ensure your systems are significantly less vulnerable to hacks and data exfiltration from both within and outside of your office.
The responsibility you have to protect your firm’s and your clients’ sensitive data is significant, but fortunately, taking steps to protect this data is well within your ability. By prioritizing the security steps covered in this e-book, from your network to your passwords, systems, and data, your law firm will be on a much stronger security footing.