
Five Steps for Extra Security

Most lawyers and law firms know what they should be doing to maintain a secure computing environment in order to comply with ethics rules regarding confidentiality, as well as data breach notification laws. This list includes maintaining firewalls and up-to-date anti-virus and anti-malware, maintaining vigilance when opening attachments and surfing the Internet, using strong and different passwords for each important login, scrutinizing the security protocols of cloud providers, maintaining adequate backup files, and keeping operating systems patched. However, there are still reports almost daily of companies – and even law firms – experiencing breaches. What else can be done to minimize risk?

In a fascinating four-part discussion in Forbes, security expert Alan Paller, director of research for the SANS Institute, writes of a conversation with a managing partner and IT partner at a large New York law firm. The topic? A data breach at the law firm. The firm was notified by the FBI that client data had been found on servers in China. The partners wanted Paller to explain how this could have happened – and how to avoid a recurrence. What can you do to keep hackers at bay that you aren’t doing now?

1. Protect Your Email Address

Many law firms use easy-to-guess email addresses such as firstname.lastname@lawfirm.com or firstinitiallastname@lawfirm.com. A quick check of a firm’s website will usually confirm the pattern. Coupled with your IP address, this makes it easy for hackers to spoof email and send a Trojan or other malware disguised as an attachment that appears to be from someone inside the firm. This is an example of social engineering, or tricking someone into helping perpetrate a hack. So, what to do? On the open web, do not post email addresses for the individual members of the firm. Use a contact form, or a generic ‘info@’ address whose mail can be scanned and routed as it comes into the firm. Alternatively, use something like the Hivelogic Enkoder form to avoid actually posting your email address on your website. In social media profiles, do not include your email address, as most platforms let people message you directly, such as Twitter’s direct message or LinkedIn’s Inbox. You can have these messages forwarded to your Outlook or Gmail account so you don’t miss them.
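An added example, not part of the original column: a small Python audit a firm could run over its own web pages to list individual staff addresses that are still published, separately from generic role addresses. The domain lawfirm.example, the role-mailbox list and the sample HTML are constructed assumptions; note that an address written with HTML character references is still found, because any HTML parser decodes them.

```python
import re
from html.parser import HTMLParser

# Shared mailboxes the firm intends to publish (assumed list; adjust to your own).
ROLE_LOCALPARTS = {"info", "contact", "office", "intake", "reception"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample page; lawfirm.example and vendor.example are placeholders.
SAMPLE_HTML = """<ul>
  <li><a href="mailto:jane.doe@lawfirm.example?subject=Hello">Jane Doe</a></li>
  <li>John Roe: j&#111;hn.roe&#64;lawfirm.example</li>
  <li>Inquiries: <a href="mailto:info@lawfirm.example">info@lawfirm.example</a></li>
  <li>Web vendor: support@vendor.example</li>
</ul>"""


class _AddressCollector(HTMLParser):
    """Collects addresses from mailto: links and from visible text."""

    def __init__(self):
        # convert_charrefs=True decodes &#64; and similar before we see the text.
        super().__init__(convert_charrefs=True)
        self.found = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                self.found.update(EMAIL_RE.findall(value[7:]))

    def handle_data(self, data):
        self.found.update(EMAIL_RE.findall(data))


def audit_page(html, firm_domain):
    """Return (personal, role) sets of firm_domain addresses found in html."""
    parser = _AddressCollector()
    parser.feed(html)
    parser.close()
    personal, role = set(), set()
    for addr in (a.lower() for a in parser.found):
        local, _, domain = addr.partition("@")
        if domain != firm_domain.lower():
            continue  # third-party addresses are out of scope for this audit
        (role if local in ROLE_LOCALPARTS else personal).add(addr)
    return personal, role


if __name__ == "__main__":
    personal, role = audit_page(SAMPLE_HTML, "lawfirm.example")
    print("individual addresses to remove:", sorted(personal))
    print("role addresses (expected):", sorted(role))
```
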

Another thing to do is scan all email attachments by default. There are settings in most antivirus applications that will do this, and Gmail does this by design.

2. Practice Safe Patching

Recently, headlines have been buzzing with zero-day exploits, including those for Java and Internet Explorer. While these exploits have made news, many others do not. It is essential to keep all applications, add-ons, and applets patched on your machine. Easy targets for hackers include Adobe Flash, Apple’s QuickTime, Adobe Reader, and the aforementioned Oracle Java. These programs run in the background most of the time and are usually called up only when needed by a web site. Do not ignore reminders to update these applications. If you are unsure whether the message to update is in itself a virus, a quick Google search will usually confirm whether a patch has been issued.

3. Revoking Power

In many large organizations end users do not have administrative privileges on their machines. IT departments can reduce security threats by locking down computers on the network so that they do not have the permission to actually install anything. Most people are resistant to this policy, so IT is constantly battered with requests to make an exception, just for them. However, this is one of the best ways to keep a computer from unintentionally installing malware or viruses in the background. While Apple’s OS X and Windows 7 have made major strides in alerting the user to provide permission to install software, these alerts will also be bypassed by smart viruses. By removing administrative rights, this threat is significantly reduced. Even solos running non-networked computers should set up the system so that the primary login does not have administrative rights.

Another tactic, which is considered “security through obscurity” rather than actual security software or policy, is to change administrative defaults and privileged accounts. When possible, change the default administrative name, ports, or directory names for things like routers, network-installed software, individually installed software, or network shared ports.

All mobile devices that have the ability to connect with the firm’s network (including via Outlook Exchange or Dropbox) must have strong password protection, and the firm must be able to remotely wipe the data. Firm policy should require that users immediately notify IT staff or the office administrator if the device is lost or stolen.

4. Quarantine Those Files

Many firms keep information that could be classified as sensitive. This includes files with personally identifiable information (social security numbers, date of birth, credit card information) as well as confidential client information. Depending on the practice area, lawyers may have other sensitive information like health records, trade secrets, and employment information. All of this sensitive information should be protected by extra methods and encrypted. Encryption is a relatively easy way to keep sensitive information protected. Windows 7 and Mac OS X come with built-in encryption tools to protect information on the hard drive and in folders, and third-party products like the open source TrueCrypt let you encrypt specific disk partitions, as well as storage devices such as external hard drives or USB flash drives.

If you resist using a password manager such as LastPass or Roboform, but still keep passwords in a file on your computer, consider something like Steganos LockNote for passwords and other information that needs special consideration.

For lawyers sending files to third-party sites like Dropbox or SugarSync, consider adding encryption to sensitive files using tools like BoxCryptor or SecretSync.

5. Avoid Targeted Attacks

Firms must maintain constant vigilance against social engineering, and train all staff and lawyers to be wary. Social engineering is a method of tricking a person into opening the door for malicious attacks, and it usually preys on fear, vanity, or the desire to help someone in need. You have all seen them: the direct message from Twitter from someone you know asking “what are you doing in this video?”; the email from a friend needing you to send money via electronic transfer because she lost her wallet while traveling outside of the country; the email from the Better Business Bureau requesting you to click through to see a negative report that has been filed; and the list goes on. Learn to recognize the signs, practice defensive computing, and exercise skepticism to avoid having one of these tricks best you.

Conclusion

Security is a cat and mouse game, unfortunately with the hackers often having the upper hand. Maintaining computer defenses requires awareness, and sometimes procedures that seem draconian or time consuming. However, today’s currency is information and law firms have legal and ethical duties to protect client information. Take the time and trouble to protect it as well as you possibly can.

Comments

  1. David Collier-Brown

    This is the tip of the iceberg…

    The next step is what people travelling to or via “exciting” locations need to do. They really need to know about protecting data via encryption, and the technical community tries to help via events like “Cryptoparties”, as described here by Rick Falkvinge
    http://feeds.falkvinge.net/~r/Falkvinge-on-Infopolicy/~3/Yu81GtIrGoI/
    That’s easily enough for most people, including politicians (like Rick), but others need to verge on paranoia.

    If your name is Maher Ahrar, it isn’t even safe to pass through normally-unexciting countries like the United States. If you have data on your laptop that belongs to anyone like Mr. Ahrar, you may want to scrub it off!

    –dave

  2. Neil J. Squillante

    Unfortunately, HiveLogic was cracked by hackers a few years ago. It’s useless now. Even the largest law firms don’t have a high enough profile to worry about spoofers in my experience. Instead, the bigger problem is spam, which is no longer a problem if you use state of the art spam filtering such as that provided by Google Apps.