LawPay Security Series: Part I

Courtesy of LawPay

Your path to a more secure law firm starts today! Our mission with this Security Series is to promote better data protection in law firms through simple, manageable steps. Throughout the year, we will deliver practical tips you can use to easily update security in your firm. With the increase of cyber-crime and the associated risk to your firm, securing your assets is more important than ever.

Identify Your Cyber Assets

Establishing a more secure office starts with creating a simple document detailing your firm’s IT assets. List all of the technology you use at your firm, to the best of your knowledge. If you have an IT service or office manager, have them fill in any missing areas they know about. This inventory should include:

Networking infrastructure: Do you have wired (LAN) and Wi-Fi networks? What is connected to each? Is there a guest network? What people have the Wi-Fi passphrase(s)?

Systems and other hardware: What PCs, laptops, mobile devices, printers, file servers, or network attached storage are present in the practice? The sample office network map below may help prompt you with the hardware present.

Applications and data: What business software are you using, and what are those applications responsible for? Common software for law firms includes QuickBooks or other financial applications, practice management suites, and search and discovery tools. What information do they manage and where does that data reside (both cloud-based and on premises)? Don’t forget about any backups and archives that you may have residing in different locations.

Users: Who are the users with accounts on your systems, and what privileges or capabilities do those users have? For example, you might have administrative rights on your PC, but you may have created an account for your bookkeeper with access restricted to certain folders or files. Ask all members of your staff to help ensure this information is as complete as possible.

Protect Your Passwords

Your network, PC, email, and many other applications have one critical element in common: they are only as secure as the password you created for them. Security researchers have consistently found (and data dumps from breaches have documented) that a majority of people reuse the same password for many, if not most, applications. A single insecure website that exposes your password in a data breach could be all an attacker needs to gain access to many accounts critical to your practice and/or your personal life.

How can you protect yourself? Start with a trusted password manager application, such as 1Password or Keychain on Mac OS. A password manager provides a secure way to store and find all your passwords, and only requires you to remember a master passphrase to gain access. Basic password managers work with a single computer, encrypting passwords on your hard drive; more sophisticated versions allow you to securely share your passwords between multiple computers and devices, including mobile phones and tablets.

When you first set up your password manager, you will need to choose a strong but memorable passphrase. A passphrase is basically a stronger, more complicated password. Strong passphrases have the following characteristics:

  • Contain both upper and lowercase letters
  • Have digits and punctuation symbols as well as letters
  • Contain at least 12 characters, whether letters, numbers, or symbols (the longer, the better)
  • Not a word in any language, slang, dialect, or jargon
  • Not based on any personal information, such as names of family or pets, or important dates

As you create new accounts for sites you visit or applications you use, add a new entry in your password manager. Name the entry after the site, include your username, and use the password manager to generate a password. Most will let you choose the length and complexity of the password to meet any rules imposed by the site, such as allowed special characters.

Some accounts may require you to provide answers to security questions to reset a forgotten password. Unfortunately, most sites ask the exact same questions and may not adequately protect the answers. If the account requires you to answer security questions, use the password manager to generate your responses as well. Remember to include the security question in the password entry (for example “First pet’s name: 3TFhJzbNdnYN1SMXW7q4”).
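The passphrase characteristics listed above, the generated site passwords, and the generated security-question answers can all be illustrated with one small script. The code below is an added example, not part of the LawPay article or any password manager product: it checks a passphrase against the five characteristics, generates passwords from a configurable symbol set (to satisfy a site's rules about allowed special characters), and builds a security-question entry in the "question: generated answer" form the article suggests. The short word list and the personal-information list are constructed stand-ins; a real check would load a full dictionary.

```python
import secrets
import string

# Constructed stand-in for a dictionary of words in any language, slang, or jargon.
# A real implementation would load a full word list instead of this handful.
COMMON_WORDS = {"password", "welcome", "letmein", "attorney", "justice", "lawfirm"}


def check_passphrase(passphrase, personal_info=(), min_length=12, word_list=COMMON_WORDS):
    """Return the list of characteristics the passphrase fails to meet (empty means it passes)."""
    failures = []
    has_upper = any(c.isupper() for c in passphrase)
    has_lower = any(c.islower() for c in passphrase)
    if not (has_upper and has_lower):
        failures.append("needs both upper and lowercase letters")
    if not any(c.isdigit() for c in passphrase):
        failures.append("needs at least one digit")
    if not any(c in string.punctuation for c in passphrase):
        failures.append("needs at least one punctuation symbol")
    if len(passphrase) < min_length:
        failures.append(f"needs at least {min_length} characters")
    # Heuristic (an assumption of this example): strip digits and symbols and see
    # whether what remains is a plain dictionary word, e.g. "Password123!" -> "password".
    letters_only = "".join(c for c in passphrase if c.isalpha()).lower()
    if letters_only in word_list:
        failures.append("is a dictionary word")
    lowered = passphrase.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            failures.append(f"contains personal information ({item!r})")
    return failures


def generate_password(length=20, symbols=string.punctuation):
    """Generate a random password using the OS CSPRNG (the secrets module).

    One character from each allowed class is guaranteed so the result satisfies the
    characteristics above; pass a restricted `symbols` string to match a site's rules,
    or an empty string if the site allows no special characters at all.
    """
    classes = [cls for cls in (string.ascii_uppercase, string.ascii_lowercase,
                               string.digits, symbols) if cls]
    if length < len(classes):
        raise ValueError(f"length must be at least {len(classes)}")
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Fisher-Yates shuffle driven by the CSPRNG so the guaranteed characters
    # do not always sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def security_question_entry(question, length=20):
    """Build the note to store alongside a password: the question plus a generated answer.

    Answers use letters and digits only, since many sites reject punctuation in
    security answers (an assumption of this example).
    """
    answer = generate_password(length, symbols="")
    return f"{question}: {answer}"


if __name__ == "__main__":
    for candidate in ("Password123!", "fluffy2019", "Tr0ub4dor&3xPlain!"):
        print(candidate, "->", check_passphrase(candidate, personal_info=["Fluffy"]) or "ok")
    print("generated:", generate_password(16))
    print("site allowing only - and _:", generate_password(12, symbols="-_"))
    print(security_question_entry("First pet's name"))
```

Running the script prints the failures for each sample passphrase, then a fresh generated password, a password restricted to the two symbols a hypothetical site permits, and a security-question entry ready to paste into the password manager's notes field.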

Another step you can take to protect your critical systems is to enable multi-factor authentication (also known as MFA or two-factor authentication). MFA is available on many sites, and protects you by requiring both your password and a code to access your account. The access code is typically texted to you or provided by an app on your phone, such as Google Authenticator, and changes with each use. Without access to both your phone and your password, an attacker is prevented from gaining access to your account.

In short, it’s very important to remember that your IT assets and accounts are only as strong as the passwords you created for them. A trusted password manager is a great way to organize, secure, and diversify your passwords. Lastly, in cases where even stronger security is required for your systems, enabling multi-factor authentication may just be your saving grace.