April 27, 2019 Article

Keep Your Data Secure: Seven Easy-to-Implement Tips

A few ways to protect yourself and your clients from cybersecurity breaches.

By Mike Murray

Remember the emails from a desperate Nigerian Prince? Gone are the days of easy-to-spot, and easier-to-avoid, email scams. Instead, a more sophisticated type of scammer is on the scene. This type of hacker uses social engineering to extract far more valuable information: information used for insider trading, selling trade secrets, committing wire fraud, and more.

Their most commonly used hacking tool is called “phishing.” According to Merriam-Webster, “Phishing is a scam by which an Internet user is duped (as by deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly.” Phishing scams result in far more accurate data, leading to far more effective attacks. In fact, according to Alan Paller, the director of research at the SANS Institute, 95 percent of the successful breaches on enterprise networks are the result of spear phishing.

These attackers take time to research their targets. It only takes a few minutes of perusing a firm’s website to learn who the rainmakers are and some of the top clients. From there, the attacker can target an account with less security, such as a personal email account. Leveraging the personal email, attackers often impersonate attorneys to obtain even more information, and in some cases wire transfers (Turner, LawTechnologyToday.com).

With such sneaky methods at play, it is as critical as ever to protect yourself and your clients. Not only that, there is a lot to lose. Negligence in handling client information could leave you responsible. Per ABA Model Rule 1.1, lawyers are required to “keep abreast of changes in law and its practice, including the benefits and risks associated with relevant technology.” Let’s not forget the financial impact: data breaches cost upwards of $3.89 million on average (plus the time and effort to clean up the mess), according to a recent IBM Cost of a Data Breach Study by Ponemon. All of which makes data security an issue you cannot afford to neglect.

The good news is there are very real, and often very simple, ways to reduce the risk of being the next data breach headline. Here are seven things you can do today to safeguard your data.

1. Train Employees

The first step to staying secure is realizing that you might be the weakest link. As data security continues to improve (making life increasingly difficult for hackers), many have realized humans remain a vulnerability in most enterprises. Companies spend more and more on data security while often overlooking the all-too-important area of employee training. Training employees on how to be vigilant with their data security is as critical as applying the latest software update from Microsoft.

Training can range from simply reading articles all the way to using Security Awareness Training platforms, such as KnowBe4. These platforms provide extensive training videos that detail the nuances of attacks, reiterate what you can do to prevent the attacks, and even include simulated phishing attacks. These are emails that you can send to employees that appear to be a true phishing attack. Aside from indicating which employees were “phished,” these tests have the added benefit of keeping employees suspicious. The idea is that this suspiciousness will keep many from falling victim to a real phishing attack.

Aside from a healthy level of apprehension when viewing emails from unknown sources, there are other ways to keep your data, and more importantly your clients’ data, secure.

2. Keep Software Up to Date

Companies from Microsoft to Apple have invested tremendous amounts of energy in making their software secure; however, that work will go unused if software is not updated. Turn on automatic updates and don’t ignore them when prompted. Out-of-date software that hasn’t been patched for security loopholes is often the point of entry for malicious attacks. Updating software can be annoying when trying to finish a motion for summary judgment or other urgent client request, but it will be a lot more annoying when it is used against you!

3. Use Two-Factor Authentication

In addition to your password, two-factor authentication requires you to type in a seemingly randomly generated PIN that is sent by push or SMS notification to your mobile device. The benefit of two-factor authentication is that cybercriminals now require two pieces of information to access your account. If you are receiving PIN codes while not trying to access your account, you’re alerted that someone else is and you can take the appropriate actions.

4. Create and Maintain Solid Passwords

Simple passwords are as ineffective as not having a password at all, as they are the very first passwords attackers use. In fact, many “hacking tools” can root out common passwords instantly. Websites like https://howsecureismypassword.net/ are completely devoted to showing just how secure your password is. Though it is not recommended that you actually test your passwords at this website (who knows where they go), it is interesting to see that a password like “123456” or “qwerty” is cracked instantly. But putting in place multiple passwords, especially lengthy ones, can make them difficult to remember. To help you with this, consider using a password management tool, such as LastPass, to keep all of your passwords secure and in one place.

Other key points to remember:

  • Lock your computer and mobile devices with a complex password.
  • Use a mixture of characters, including characters and numbers—the longer the better.
  • Don’t write your passwords down.
  • Don’t use the same password for multiple important accounts.

5. Think Twice and Exercise Skepticism When You Receive Strange Emails or Phone Calls

As mentioned above, phishing attacks are common and effective. Just because a link looks safe doesn’t mean it is. Links can be sent in emails or messages that look like a website you know or trust but redirect you to a different website altogether.

To combat this deception, hover over the link in your email browser (without clicking), and the actual address to which the link will direct you will be displayed. Review the URL to make sure it’s where you want to go.

6. Install Anti-Virus Protection on Devices

In the modern age, it is almost sacrilege to run a computer without anti-virus protection. Make sure to set anti-virus protection software to automatically update or to accept any updates when prompted. Anti-virus protection is only doing its job properly if it is up-to-date to combat the latest cybersecurity threats.

7. Back Up All Your Data and Information

Last, and certainly not least, back up all data! If something does compromise your device, the only guaranteed way to recover the information is through a backup. Regular, automatic backups can also prevent ransomware attacks. Ransomware is essentially having your data “kidnapped” and then ransomed back to you. The most popular and successful ransomware attack was called WannaCry, and this exploit compromised over 300,000 computers in at least 150 countries. In addition to the above six tips on staying secure, this last one is the most critical in preventing attacks like WannaCry. Data backups enable you to be up and running shortly after a data breach or compromised computer. Given the pervasiveness of many modern threats, it is also a good idea to have an offline backup of your data—a copy that would not be susceptible to exploits that penetrate your network.

In the never-ending battle to keep data secure, these seven tips should be a start, but keep in mind this vigilance is never over; it is even more critical today as social engineering and sophisticated cyber-attacks are the norm. As the data security of your computer network increases, so too must your knowledge of these security threats. After all, “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” See ABA Rule 1.6. Staying up-to-date on the latest technology and data security trends will ensure you make that “reasonable effort” and your clients’ data remains secure.

Mike Murray practices in Costa Mesa, California.

Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).