We owe our clients a duty of confidence, and we owe it to ourselves to keep our business data secure. But in fact, security means more than keeping data out of the hands of the bad guys: it also means having steady access to our data and maintaining its integrity. Keeping a law firm secure isn’t a one-time fix, but instead involves implementing ongoing policies. In this post, we’ll lay out some straightforward practices that can increase your law firm's security. These steps are:
- Using 2-factor authentication wherever possible;
- Installing OS patches;
- Encrypting your disks;
- Using a password manager to set strong passwords;
- Educating users about phishing attacks.
1. Use 2-Factor Authentication
Two-factor authentication puts an extra barrier in the way of someone who wants to access a service such as your email account, Cloud storage provider, or other system that stores confidential data. Without two factor authentication, if an attacker guesses your password: game over. Similarly, if an attacker accesses to your email account: game over (once in the email account, resets can be triggered on other accounts). With two factor on the other hand, a password is not sufficient to gain access. Instead, it’s necessary to have something else—typically a code sent to your smartphone via SMS message or via an app like Google Authenticator. Therefore, obtaining access would generally require either having your smartphone or convincing your phone company to send SMS messages to a different number—both unlikely.
Our Recommendation: sign up for 2-factor for all services / apps that house sensitive data. Use services that offer this feature.
2. Update Windows or Mac OSX
Does your computer regularly annoy you that it has updates to install? Good—that means it is trying to help you be more secure! Installing updates is strongly recommended for security reasons. Many updates involve fixing known bugs in the operating system (Windows or Mac) that create security vulnerabilities. Yes, installing these things (particularly in Windows-land) can be slow and can even seize up the computer, but you’ve got to do it, or else you’re a sitting duck. It’s also a good practice to be on the latest version of your—e.g., Windows 10 or Microsoft’s El Capitan (as of this writing). Not surprisingly, these businesses spend more time and energy making their new product line better—and more secure!
Our Recommendation: install those pesky OS updates as soon as they’re available and stay on the latest version of your computer’s operating system. If your computer is too old or slow to handle the latest version, get yourself to the store and buy a new one! The computer is where we do much of our legal work, and it pays to have a good one.
3. Encrypt Your Disks
It’s quite simple to encrypt the entire disk of both Mac and Windows computers. The benefits are enormous and the costs are negligible. In fact, I haven’t noted any performance difference on my Macbook Pro with FileVault turned on. Same with BitLocker on my Windows machine. With the disk encrypted, its contents are unreadable unless you’ve logged in with your password. Without encryption, a hacker or thief could easily read the entire contents of your disk (all active files, folders, and even deleted files with the right equipment) without having your password. Laptops get stolen all the time, and desktop computers are also vulnerable. No matter who you are, you have to assume that your computer could get stolen (from your house, car, whatever). In light of that fact, it’s borderline irresponsible not to encrypt the disk.
Our Recommendation: if you haven’t already, encrypt your disk using FileVault or BitLocker. Don’t delay!
4. Use a Password Manager to Set Strong Passwords
The human brain can only hold so many passwords. Well, it can only hold so many good passwords. We can remember tons of bad passwords based on things like the names of our pets, our street, or simply the word “password”, or “12345678.” Weak passwords can be:
- Guessable based on facts a smart attacker could gather about your life;
- Any password that appears on a list of most common passwords; or
- A short password – less than 8 characters
All of the above are bad because they can be either guessed or iterated over quickly by a so-called brute force attack. Good passwords are random and long. Here are a few examples:
- sightly shoofly north workman aquaria
I generated these from a password manager. A password manager means that I only have to ever remember one good password. This password is my skeleton key. It gives me access to all of my other passwords. My bank, e-mail, Dropbox, etc. now all have uncrackable passwords like the example at the top without my needing to remember them. Given that most of us have credentials at many dozens of services, we need a password manager if we’re going to use strong and unique passwords. There are several great options available, such as 1Password, Dashlane, and LastPass.
Our Recommendation: use a password manager so you only have to remember one password, but all of our other passwords are super strong.
5. Educate Users About Phishing
Many security breaches result from hackers tricking users into doing things like (1) downloading a file infected with malware, (2) sending sensitive data to the hacker, or (3) sharing account credentials with the hacker. Hackers can be very clever. For example, they can research your firm to learn who regularly sends emails to the firm (perhaps a prominent client or accountant) and then impersonate the regular sending with a subtly different email address. Here, vigilance is the price of security. Users in your firm must be educated about the various red flags that indicate an email or link could be dangerous. Consider what happens without training: a study at JP Morgan found that 20% of the bank's employees were duped by a fake phishing email. And the power of technology is on your side as well. If you use Google Apps for Business as your email provider, you can harness Google’s powerful algorithms for identifying risky emails. Your users will see prominent warnings for any dubious emails, which is extremely helpful given the impersonating skills of some bad actors.
Our Recommendation: ensure that all members of your firm (staff & lawyers) are educated about phishing and know the red flags to look for. Also use a mail server or cloud email service with strong spam and threat detection algorithms. There are guides for spotting these at CNET and TechRepublic.
Concluding Thoughts ...
We lawyers often have a lot of sensitive data to protect. Following the steps above will go a long way towards keeping client data and critical business data out of the hands of the wrong people. While this list is a good start, you can’t rest on your heels after completing it. Additional steps to consider include
- Ensuring you have strong physical security of your premises;
- Choosing vendors and service providers with strong security features;
- Running regular backups and keeping offline copies; and
- Implementing measures to ensure you don’t lock yourself out (e.g., downloading backups codes in case you lose your device for two-factor authentication)
We also recommend subscribing to several blogs that provide excellent coverage of security issues, including