By Bill Kammer
Most commentators believe that the bad guys are becoming more sophisticated while cybersecurity defenses are not keeping up with the threats. Our profession is especially vulnerable: many lawyers don’t like math, and many practice without in-house IT support or the resources of cybersecurity professionals. Lawyers remain soft targets who hold valuable financial and client material. We must take reasonable steps to avoid losing that data, and those steps should include the following seven basics.
1. Determine Whether or Not You and Your Staff Have Been Hacked.
Almost daily we read of another company or website such as Target or Equifax whose stored personal information has been stolen and is now for sale on the dark web. For years, many of us used work email addresses to sign up for personal services because we had no other reliable email account. If any of those accounts was part of a breach, the email address, username and password used there may now be in criminal hands. The simplest way to check is the website https://haveibeenpwned.com. Enter any username or office email address into that search engine, and you will learn whether the address appeared in a known, publicly reported breach. That should serve as a warning to stop using any password you used for those accounts, on every site where you reused it, not just the breached one. Two caveats: the site only knows about breaches that have been discovered and loaded into it, so a clean result is not proof that you were never compromised; and the site can also check a password itself (its “Pwned Passwords” service) without sending the full password to the site, which is the safe way to test a password you are still using.
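The password check mentioned above works by k-anonymity: only the first five hex characters of the password’s SHA-1 hash are sent to the service, which returns every known hash suffix sharing that prefix along with a breach count, and the match is made locally. The script below is an added example, not code from the article or from Have I Been Pwned; the endpoint URL is the service’s real one, but the range response embedded in the script is constructed so the example runs offline (the middle line is the real SHA-1 tail of the word “password”, and the count beside it is made up).

```python
"""Pwned Passwords check using k-anonymity (added example, not from the article)."""
import hashlib
import urllib.request

PWNED_RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a real /range/5BAA6 response (real ones run to
# hundreds of lines).  Middle line: the genuine SHA-1 tail of "password";
# the counts and the other two suffixes are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """URL that would be queried for this password; note only the prefix is in it."""
    prefix, _ = sha1_prefix_suffix(password)
    return PWNED_RANGE_ENDPOINT + prefix


def fetch_range(prefix: str) -> str:
    """Network call for real use; not exercised by the offline example."""
    req = urllib.request.Request(PWNED_RANGE_ENDPOINT + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_response: str) -> int:
    """Number of breach occurrences of `password` according to a range response (0 if absent).

    The comparison happens here, on the client; the service never learns the
    full hash, let alone the password.
    """
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


if __name__ == "__main__":
    for pw in ("password", "not-in-the-sample-7Q9!"):
        n = pwned_count(pw, SAMPLE_RANGE_RESPONSE)
        print(f"{pw!r}: {'seen %d times in breaches' % n if n else 'not in the sample'}")
```

To check against the live service, replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(sha1_prefix_suffix(pw)[0])`; any password with a non-zero count should be retired everywhere it was used.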
2. Beef Up Your Passwords.
A recent headline read “Lackadaisical Employee Attitudes to Cyber Security are the Biggest Risks to Enterprises.” Weak and reused passwords are common and are a frequent cause of breaches. The risk is real: by some estimates, 43 percent of login attempts are malicious. Length does more to resist guessing than clever substitutions do. Our offices should never allow passwords shorter than 10 or, better, 12 characters; the longer the better, and a passphrase of several unrelated words is both long and far easier to remember than an indecipherable string. Length alone is not enough, though: a long password that is reused across sites, or that is a famous quotation, is still weak.
3. Use a Password Manager.
Lawyers should never reuse a password across sites. Keeping a different password for every site would tax anyone’s memory, and the simple way around that is a password manager, which generates and stores a different random password for every site of any consequence. You then memorize only the master password that unlocks the manager. Two managers frequently recommended are 1Password and LastPass, and they are inexpensive or even free. Because the master password now protects everything, make it a long passphrase, and turn on two-factor authentication for the manager account itself.
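The two steps above (long passwords, and a different random one per site from a manager) come down to where the randomness comes from and how much of it there is. The script below is an added example, not code from the article or from any password manager: it generates per-site passwords and a diceware-style master passphrase with Python’s `secrets` module, puts numbers on the length-versus-complexity argument, and applies a simple office policy. The word list and the common-password list are constructed stand-ins; a real diceware list such as the EFF’s has 7,776 words.

```python
"""Password generation and policy checks (added example, not from the article)."""
import math
import secrets
import string

SITE_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in for a real diceware list (the EFF long list has 7,776 words).
DEMO_WORDLIST = ["anchor", "basil", "copper", "dune", "ember", "fjord", "glacier", "harbor",
                 "iris", "juniper", "kestrel", "lantern", "meadow", "nettle", "orchid", "pebble"]

# Constructed; a real deployment would use a breach-derived list of thousands.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1!"}

DICEWARE_LIST_SIZE = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def generate_site_password(length: int = 20) -> str:
    """A random per-site password; the manager stores it, so it never needs to be memorable."""
    if length < 12:
        raise ValueError("office policy: site passwords are at least 12 characters")
    return "".join(secrets.choice(SITE_ALPHABET) for _ in range(length))


def generate_passphrase(wordlist, words: int = 6, sep: str = "-") -> str:
    """A master passphrase: long, memorable, and uniformly random over the word list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def check_policy(password: str, minimum_length: int = 12) -> list:
    """Return the list of policy problems with `password` (empty means it passes)."""
    problems = []
    if len(password) < minimum_length:
        problems.append(f"shorter than {minimum_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")  # e.g. "aaaaaaaaaaaa"
    return problems


if __name__ == "__main__":
    print("8 random chars from 94 symbols :", round(entropy_bits(94, 8), 1), "bits")
    print("12 random chars from 94 symbols:", round(entropy_bits(94, 12), 1), "bits")
    print("6 diceware words               :", round(entropy_bits(DICEWARE_LIST_SIZE, 6), 1), "bits")
    print("site password   :", generate_site_password())
    print("master passphrase:", generate_passphrase(DEMO_WORDLIST))
    print("policy on 'Password1!':", check_policy("Password1!"))
```

The numbers make the point in section 2 concrete: eight random characters from the full keyboard give about 52 bits, twelve give about 79, and six words from a 7,776-word list give about 78 bits while being far easier to type and remember. The entropy figures assume the generator is uniformly random, which is why `secrets`, not `random`, is used.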
4. Encrypt Everything.
All of the data and documents on office systems should be encrypted. If the bad guys somehow gain access to your data, it will be worthless to them without the key to your encrypted files. Encrypt your communications and the documents you attach to them, particularly those sent to clients, and send the password for an encrypted attachment by a different channel, such as a phone call, rather than in the same email. Ensure that all of your mobile devices, laptops, phones and tablets are encrypted; the major operating systems include full-disk encryption (BitLocker on Windows, FileVault on macOS), and current phones encrypt their storage once a passcode is set. We have all heard stories of lost or stolen phones or laptops and the consequences to clients, attorneys and reputations. Remember that disk encryption protects a device that is lost while powered off or locked; it does nothing against an attacker who signs in with a stolen password. Finally, encrypt all of the USB drives you and your staff use. A recent study found that 8 out of 10 USB drives used by employees are unencrypted. Easily lost, those devices can contain valuable and confidential client and attorney data.
5. Use a VPN.
Whenever we travel, we probably use public Wi-Fi, where anyone on the same network can monitor or intercept traffic and may capture data, passwords and credentials that are not already encrypted. A virtual private network is the simple solution. Some VPNs such as TunnelBear offer a free tier. Others, perhaps more robust and with better options, are reasonably inexpensive. With a VPN in place, everything your device sends across the public Wi-Fi is encrypted as far as the VPN provider’s server, so the hotel or coffee-shop network learns nothing useful. Bear in mind what that does and does not buy you: the VPN provider itself can see any traffic that is not separately protected by HTTPS, so pick a provider you would trust with that visibility, and a VPN does nothing to stop you from typing a password into a phishing page.
6. Use Two-Factor Authentication.
We are probably familiar with two-factor authentication because it has been imposed upon us by the banks and financial firms we deal with. Two-factor authentication requires not only a user name and a password to log into a site, but then a second entry of a code received by some other means, usually a text message or an authenticator app on your phone. Even if your primary credentials have been hacked or stolen, the thief must also control that second factor to get in. Not all second factors are equal: text-message codes can be redirected by persuading a carrier to move your number to the attacker’s SIM, and any one-time code can be phished if you type it into a fake login page. An authenticator app is better than text messages, and a hardware security key, which will not release a response to the wrong website, is better still. If we remotely log into our office networks, we should never do so without using two-factor authentication.
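The six-digit codes an authenticator app shows are time-based one-time passwords (TOTP, RFC 6238) built on HMAC-based one-time passwords (HOTP, RFC 4226): a shared secret and the current 30-second time step go through HMAC-SHA1, and a few digits are cut out of the result. The script below is an added example, not code from the article or from any authenticator product, implementing both sides of that exchange with the standard library; it is checked against the test vectors published in the two RFCs, and the base32 string is the RFC 6238 test secret as an authenticator app would receive it from an enrollment QR code. The verification window of one step either side is an assumption chosen to tolerate clock drift.

```python
"""TOTP/HOTP per RFC 6238 and RFC 4226 (added example, not from the article)."""
import base64
import hashlib
import hmac
import struct
import time

# The shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "1234...").
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check accepting the current step and `window` steps either side."""
    now = int(time.time()) if at_time is None else at_time
    counter = now // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        if c < 0:
            continue
        # Check every candidate rather than returning early, so timing does not
        # reveal which step matched; compare_digest avoids a byte-by-byte leak.
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            ok = True
    return ok


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret from an enrollment QR code, tolerating missing padding."""
    s = encoded.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # == RFC6238_TEST_SECRET
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "valid:", verify_totp(secret, code, now))
```

Two properties worth noticing: the code depends only on the secret and the clock, so nothing is transmitted to the phone (which is why this survives a compromised phone number in a way text messages do not), and a real server must additionally refuse to accept the same code twice within its window, otherwise a phished code can be replayed.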
7. Be Aware of Cloud Site Security.
Many are switching to cloud-based applications for the creation and storage of professional documents. Similarly, many use cloud sites to exchange electronic discovery or to transmit documents to and from clients. Use due diligence from the outset to determine whether those applications or sites require a strong password and two-factor authentication, encrypt the data both in transit and at rest, and can say who holds the encryption keys and who inside the provider can read your documents. Ask, too, whether shared links can be given an expiration date and a password, and whether the service keeps an access log you can review.
These tasks don’t get easier. For instance, many have only recently discovered the pervasive use of email tracking, particularly by merchants such as Amazon and social media sites such as Facebook. The mechanism is simple: the message contains a tiny, often invisible image whose address is unique to the recipient, and when your mail program fetches that image to display the message, the sender’s server learns that you opened it, when, and roughly where from. The emails we receive and read contain no apparent indication that this is happening. Current estimates suggest that 80 percent of commercial email contains trackers and almost 40 percent of private email does also. Claims that someone never received an email or never read it are belied by the tracking information returned to the sender. The usual defense is to set your mail program not to load remote images automatically.
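The tracking images described above can be spotted before the mail client fetches anything, by looking at the HTML of the message. The script below is an added example, not code from the article or from any mail product: it pulls every remote image out of an HTML message body and flags the ones that look like trackers (one-pixel or hidden images, or a URL carrying a long per-recipient token). The message is constructed for the example, and the three heuristics and their thresholds are the author’s assumptions, not a published standard; real trackers also hide in link redirects, which this does not cover.

```python
"""Find likely tracking pixels in an HTML email body (added example, not from the article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: an inline (cid:) logo, a normal remote picture,
# and a 1x1 hidden image whose URL carries an opaque per-recipient token.
SAMPLE_EMAIL_HTML = """\
<html><body>
<img src="cid:firm-logo" width="200" height="60" alt="Firm logo">
<p>Your order has shipped.</p>
<img src="https://cdn.example.com/img/hero.jpg" width="600" alt="Hero">
<img src="https://track.example.net/open?u=0f3c9a1b2d4e5f60718293a4b5c6d7e8&amp;m=1701"
     width="1" height="1" style="display:none" alt="">
</body></html>
"""

_CSS_PX = re.compile(r"(width|height)\s*:\s*(\d+)\s*px", re.I)
_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_TOKEN = re.compile(r"[A-Za-z0-9_-]{24,}")


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag; HTMLParser unescapes values for us."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(attrs: dict, name: str):
    """Pixel size from the width/height attribute, falling back to inline CSS."""
    m = re.match(r"\s*(\d+)", attrs.get(name, ""))
    if m:
        return int(m.group(1))
    for key, val in _CSS_PX.findall(attrs.get("style", "")):
        if key.lower() == name:
            return int(val)
    return None


def find_tracking_pixels(html: str) -> list:
    """Return [{'src': url, 'reasons': [...]}] for each remote image that looks like a tracker."""
    parser = _ImgCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for attrs in parser.imgs:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # inline cid:/data: images cannot phone home
        reasons = []
        width, height = _dimension(attrs, "width"), _dimension(attrs, "height")
        if width is not None and height is not None and width <= 2 and height <= 2:
            reasons.append("1x1-sized image")
        if _HIDDEN.search(attrs.get("style", "")):
            reasons.append("hidden image")
        if len(url.query) >= 32 or _TOKEN.search(url.path):
            reasons.append("per-recipient token in URL")
        if reasons:
            flagged.append({"src": src, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Each flagged image is one the mail client should not fetch automatically; the same logic run over a mailbox is a quick way to see how many senders are tracking you, and explains why the “do not load remote images” setting is the practical fix.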
We all have ethical and professional responsibilities to safeguard our clients’ data, and we should be motivated by business instincts to protect our own data in the same fashion. Sound cybersecurity practices will also let you pass the security questionnaires and audits that clients increasingly use to decide whether a firm puts their strategies or confidential information at risk. It’s not just good housekeeping; it could mean professional and business survival.
Bill Kammer is a partner with Solomon Ward Seidenwurm & Smith, LLP.
This article originally appeared in the March/April 2018 issue of San Diego Lawyer.