Cybersecurity is a crucial concern for any law firm or law practitioner, yet many attorneys pay too little attention to the security of their clients' data (and their own). With a few simple practical steps, and by establishing some good habits, you can keep your data much better protected and limit the risk of a data breach.
These tips will be useful for senior lawyers who are retired or who are still practicing:
1. Social engineering. We can't tell you how many times senior lawyers have called us after getting a call from "Microsoft Tech Support" telling them that their machines were infected and were sending reports of the infection to Microsoft. In a large number of cases, the lawyers (by the time they had called us) had already given the folks on the phone access to their computers by following the instructions the callers gave. No reputable company will call you to tell you that you have an infection. It is a scam, pure and simple. Either they want you to pay money for "fixing" the computer or they want access to your computer to get personal data that they can use themselves or sell for identity theft. If the caller says they are from your IT company, but they are asking for your password and ID, they are not from your IT company. Don't be duped by this form of social engineering.
2. Phishing. These days, breaches are, 91 percent of the time, the result of a phishing e-mail. There are all kinds of phishing e-mails – those sent to anyone with a machine running operating systems or software with unpatched vulnerabilities, and those that are targeted at you specifically (this is called spear phishing). Phishing e-mail can look diabolically real. However, most have something that should tip you off that there's something wrong. Perhaps the e-mail appears to come from a court or someone you know (it's very, very easy to spoof – or hack – someone's e-mail), but you weren't expecting it. There's nothing personal in the body of the text, but there is an attachment or a web link. Chances are, once you click, you'll have downloaded malware that will allow access to your machine. Other clues? Poor English, the promise of a client or money, a sender's domain name that is just one character off from the real one. Most legitimate e-mails are obviously legitimate. But look with suspicion at any e-mail with an attachment or a link to click.
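A defender-side check for the "one character off" cue described above, as an added example that is not part of the original article: it flags sender domains within one edit of a trusted domain, after folding characters that look alike on screen. The trusted-domain list, the homoglyph folding rules and the sample sender addresses are all constructed for illustration.

```python
# Added example (not from the article): flag look-alike sender domains.
# Trusted domains and sample senders below are constructed for illustration.

TRUSTED_DOMAINS = {"examplelaw.com", "courts.example.gov", "gmail.com"}


def normalize(domain: str) -> str:
    """Lowercase and fold characters that look alike on screen (0/o, 1/l, rn/m, vv/w)."""
    d = domain.lower().strip(".")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01", "ol"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the domain part of an e-mail address (text after the last '@')."""
    return address.rsplit("@", 1)[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' for an exact match, 'lookalike:<domain>' when the folded domain is
    within one edit of a trusted domain, otherwise 'unknown'."""
    dom = sender_domain(address).lower()
    if dom in trusted:
        return "trusted"
    ndom = normalize(dom)
    for t in sorted(trusted):
        if edit_distance(ndom, normalize(t)) <= 1:
            return "lookalike:" + t
    return "unknown"


# Constructed sample "From:" addresses, as they might appear in an inbox
SAMPLE_SENDERS = [
    "clerk@courts.example.gov",     # genuine
    "partner@examp1elaw.com",       # digit 1 in place of letter l
    "notice@courts-example.gov",    # hyphen in place of a dot
    "offer@randomvendor.net",       # unrelated domain
]


def triage(senders=SAMPLE_SENDERS) -> dict:
    """Map each sample sender to its verdict."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    for addr, verdict in triage().items():
        print(f"{verdict:28s} {addr}")
```

A "lookalike" verdict does not prove fraud, but it is exactly the e-mail to verify by phone before opening the attachment or clicking the link.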
3. Business e-mail compromises. These are also known as CEO scams, and the FBI reports that they have netted more than $3 billion thus far. From January 2015 to June 2016, there was an increase of 1,500 percent in successful attacks. Basically, someone who has authority to order money wired appears to be writing to someone who actually does the wiring. Law firms have been hit hard by these scams, so it is critical that employees understand how they work and that they be conditioned to seek confirmation, through a separate channel, of any order to transfer significant monies. (This tip applies only to those still practicing.)
4. Back-up. Most people have heard about ransomware, which encrypts your data and requires the payment of a ransom (normally in bitcoin) to give you the key to decrypt your data. The way you avoid this is to make sure that you always have one good backup that is not connected to your network. Many of you are backing up to an external hard drive, which is a fine solution, but unplug it when the backup is done. If you get hit with ransomware while that drive is connected, you're toast. Both your active data and your backup files will be encrypted. Have a third backup somewhere – the cloud is fine – to protect yourself. There are many fine choices but we particularly like Carbonite, which will allow you to hold the decryption key. And make sure you do periodic test restores from your backup just to make sure that everything is working as it is supposed to.
5. Change the defaults! Every 12-year-old knows how to get online and get the default ID and password for almost any device. Many of you will have routers for your wireless networks at home. Make sure you change that default ID and password. We can't tell you how many people have found themselves facing a search warrant because their network was being used by a third party to download child porn.
6. Encryption is your friend. Your smartphones should be encrypted. If you have a PIN on your iPhone, that encrypts the data. It is better to have more than four characters in your PIN (or six with the latest version of iOS). Turn off ‘Simple Passcode’ in order to enter more than the four or six digits. Why? Because there is software available that can brute force an iOS 4-digit PIN in several minutes. If you are running the Marshmallow or Nougat operating software on your Android, your data is automatically encrypted when you configure a lock code or swipe. If you are running Lollipop or earlier versions of the Android operating system, you simply have to check a box.
7. Your wireless network. It must be encrypted with WPA2 encryption. WEP and WPA were cracked years ago. So make sure your home router is running WPA2. If the router is too old to support WPA2, buy a new one – they are not very expensive. And if you are on the road and using a wireless network, make darn sure, when you look at available wireless networks, that the one you choose is secure and protected by WPA2. Many smartphone users will connect to wireless networks in order to avoid the data charges associated with accessing the 3G/4G data network of the cellular provider.
8. Security Suites. Long gone are the days when an anti-virus program was enough. Now you need a security suite that protects you from all kinds of malware, spam and phishing e-mails. Any of the major products are fine. We are keen on Trend Micro and Kaspersky.
9. Install patches promptly. Yes, patches can take annoyingly long to install, especially when you want to get out the door. But there is a reason that manufacturers release them – they fix vulnerabilities in software which can be exploited by hackers. Failure to patch promptly is one of the major reasons people get breached. For operating system and browser patches, in particular, you may want to automate the patching process so you take human error out of the equation.
10. Passwords. Don't use the same password over and over. If you're compromised in one place, you'll be compromised everywhere. The rules of passwords have changed recently. It is now widely agreed that length outweighs complexity, so make your passwords 14 characters or more, but make a passphrase that you can easily remember, something like "Ilovebeingalawyer!".
11. Password managers. Can't remember all your passwords? Neither can anyone else, senior moments or no senior moments. Any of the major password managers are fine, but we'll recommend eWallet for three good reasons: it is cheap, it can be shared across multiple devices, and you can put in all sorts of things that aren't passwords, including doctor and emergency contact info, your air and hotel rewards info, your passport number, your AARP number – and almost anything else you'd want to have with you on your smartphone.
12. Software that is out of support. Just don't use it. Ever. Out of support means it isn't receiving security updates. There are still a lot of lawyers using Microsoft XP – and yes, it still works. But it is unsupported, with well-known vulnerabilities that bad guys exploit. Besides Microsoft XP, Server 2003 and Office 2003 are now out of support as well as Internet Explorer 10 and earlier. Office 2007 and Exchange 2007 both go out of support in 2017, meaning that you must plan an upgrade if you are using these. Many hacks occur through outdated Adobe software, including Adobe Acrobat and Reader. If you downloaded either of these products a long while ago and haven't updated them, you may well have versions 8, 9 and 10 (all out of support). Unsupported software is another very preventable cause of data breaches.
13. Lost and Stolen Devices. Make sure your devices are encrypted to protect your data. But also make sure you can remotely wipe the devices. A laptop is lost or stolen every 53 seconds in the U.S. and over 2 million cell phones are stolen each year as well. Assume the worst and protect yourself. On an iPhone, enable the ‘Find My iPhone’ feature through iCloud. Many lawyers are not aware that the ability to locate your smartphone must be turned on before you lose your phone. Android users can install the free Lookout application, which has device location capabilities. Location services are included in the latest version of the Android OS, so no add-on product is required.
14. Cloud computing. Most senior lawyers tend to use Gmail or another cloud-based e-mail system. We often find that lawyers are using cloud computing without knowing it. If the data isn't stored on your system, you are using the cloud. Clouds are not fail proof, but any reputable provider will undoubtedly protect your data better than you will.
15. File syncing software. Many lawyers are using Dropbox, which seems to have laid claim to the beachhead. But realize that Dropbox holds the decryption key – not you. So don't put anything sensitive in Dropbox unless you encrypt it first using a third-party product such as Boxcryptor, Viivo, Sookasa, etc.
16. Public computers. If you are in a hotel business center, a public library or an Internet café, it's fine to check last night's game score, but don't do any legal work or access any of your financial data online. Studies have shown that these public computers have an average of seven pieces of malware on them – at least a couple are sure to be keystroke loggers that can record everything you type. Don't print your airline boarding pass either, since you'll have to log on to your account, meaning the bad guys can "steal" your miles.
17. Social Media. Be careful out there. Don't post client information – or your own personal information. Social media posts tend to live forever, so think before you post.
We have an almost endless list of tips, and this is a good beginning. If you follow the advice above, you'll go a long way toward keeping your data safe!