The vulnerability to cyber-attack is ever present, but there is no need to panic or to scream "hackmageddon" or "hackpocalypse." The Rules of Professional Responsibility, however, require lawyers to make reasonable efforts to secure client data. A related article, "Let's Be Reasonable: The Ethics of Cybersecurity," briefly summarizes the rules implicated by a lawyer's use of technology.
With the ethics rules in mind, this article provides some "reasonable" measures that lawyers can take today to protect their clients and themselves.
Defining Cyber Risk and Cybersecurity
Before implementing the measures that follow, you need to understand what cyber risk is and what cybersecurity is.
Cyber Risk. Cyber risk generally refers to any risk of financial loss, disruption of business or services, or damage to the reputation of a lawyer or law firm from some type of failure of the lawyer's or law firm's information technology systems.
Cyber risk is not one specific risk: it is a group of risks. These risks differ in the means or path[1] by which a hacker[2] can gain access to a computer or a network server to install malware, gain external control, or extract user data. Through these different means or paths, a hacker can exploit the vulnerabilities of the lawyer's or law firm's information technology system, including the system's human element.
Cyber risks are frequently categorized as external or internal. The traditional analogy used in this context is a fortress or a castle. The threats to the castle are both external – the perimeter being breached – and internal – the deliberate or inadvertent acts of those inside the castle. Traditional "perimeter-based" security alone, however, is not effective because cybercriminals can often go straight to the end-user devices.
Aviva Meridian Kaiser, Univ. of Buffalo 1979, is the State Bar of Wisconsin assistant ethics counsel.
Tison H. Rhine, Minnesota 2010, is the State Bar’s practice management advisor.
Cybersecurity. Cybersecurity refers to preventive methods used to protect networks, computers, programs, and data from attack, damage, or unauthorized access. These preventive methods include technology, processes, and practices. Cybersecurity requires an understanding of potential information threats or risks, such as viruses and other malicious code.
The following "Cybersecurity Checks" provide "reasonable" ways in which lawyers can increase their cybersecurity and reduce their vulnerability to both external and internal threats.[3]
Cybersecurity Checks: Reasonable Ways to Secure Data
1. Use Firewalls and Other Perimeter Security Basics
The internet is simply a network of computers that are tied together through communication, which means that every connected computer has the capability to "talk" to any other connected computer. In this day and age, it is impossible for attorneys to effectively (and ethically) serve clients without access to the internet. However, whenever you visit a website, whether for research, email, file sharing, or other communication, your computer will typically leave its address (or at least traceable evidence of its address), which can usually be found in the log files that are automatically generated by every web server. And while knowing the address of someone's castle is not the same as having a key, a hacker can at least attempt to gain unauthorized entry to your computer once he or she knows your computer's address.
For example, some hackers use what is known as "port scanning" software, which scans the internet and attempts to gain entry into every connected computer it can find. Once a hacker gains access to your computer, he or she can access anything that is stored on your hard drive and can install programs that will monitor your key strokes and send passwords, user names, and account numbers back to the hacker's computer.
To protect yourself from such external threats, the first step, then, is to secure the actual connection between yourself and the internet. How? By using firewalls and virtual private networks (VPNs), and by making sure you are using secure router settings (don't worry, we'll explain).
The word firewall originally referred to a wall that was constructed to halt the spread of a fire through containment. In the world of cybersecurity, firewalls are meant to halt the spread of malicious computer code – code designed to steal, corrupt, or otherwise compromise your valuable data, or alternatively, to generally sabotage your computer system – and with it, your ability to do your work.
Firewalls accomplish this by establishing barriers between trusted and secure computers (or internal networks) and compromised or insecure networks, such as the internet (which should be assumed not to be secure or trusted). They then filter network traffic trying to pass into or out of these barriers, allowing (or not allowing) data in or out, based on set rules. In the castle analogy, a firewall is not only the castle walls, but the castle gate and sentries – it keeps out the bandits, but lets in the upstanding knights, lords, and ladies who have been invited to court (and some of the townsfolk going about their usual business).
A firewall can be hardware, software, or both. Hardware firewalls are often also routers (the boxes that route your internet connection to different machines – PCs, phones, tablets, and so on), but they can also be stand-alone pieces of equipment. Software firewalls are generally included with your operating system (for example, Windows Firewall or Mac firewall), but are also available separately or as part of security software packages that include antivirus and other security applications. Generally speaking, both hardware and software firewalls will (by default) block unsolicited incoming traffic, and both can often be configured to block specific types of outgoing data. There are some differences, however.
First, a hardware firewall physically sits between your local network and the internet. Because it keeps track of which local machines initiate connections with the outside world to request some form of data, if an outside computer attempts to start a connection and the firewall does not know which computer to send the data to (because there is no record that a local machine requested it), the attempt is automatically ignored. In this way, potentially damaging code can be blocked from ever making it to a machine in the first place.
Additionally, there are some types of malicious code that, if they do somehow make it onto your system (perhaps you clicked on a link you shouldn't have), are capable of disabling software firewalls – but would leave hardware firewalls enabled. Finally, hardware firewalls can manage the firewall settings for entire networks from one location, so if you operate multiple machines, this can be a big convenience.
On the other hand, because software firewalls sit between your computer and your local network, even if other computers on your network become infected with malicious code (that is, even if bandits have made their way inside your outer walls), you still have an inner wall and gate. Additionally, compared to some of the less advanced hardware firewalls available on common routers, with software firewalls it can be easier to manage network access on a more specific, application-to-application basis.
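The connection tracking that lets a hardware firewall ignore unsolicited incoming traffic can be modeled in a few lines. This is an added example, not part of the original article: the network range, addresses, ports, and 60-second idle timeout are constructed for illustration, and address translation is left out.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed office network (assumption made for this example).
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    idle_timeout: float = 60.0  # seconds a quiet connection stays on record
    table: dict = field(default_factory=dict)

    @staticmethod
    def is_local(ip: str) -> bool:
        return ipaddress.ip_address(ip) in LAN

    def handle(self, pkt: Packet, now: float) -> str:
        # Forget connections that have been idle for too long.
        self.table = {k: t for k, t in self.table.items()
                      if now - t <= self.idle_timeout}

        if self.is_local(pkt.src) and not self.is_local(pkt.dst):
            # A local machine started the conversation: record it.
            self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "ALLOW-OUT"

        if not self.is_local(pkt.src) and self.is_local(pkt.dst):
            # Incoming traffic must mirror a recorded outgoing connection.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table:
                self.table[key] = now
                return "ALLOW-REPLY"
            return "DROP-UNSOLICITED"

        # LAN-to-LAN traffic never crosses the perimeter device, which is
        # why each computer still needs its own software firewall.
        return "NOT-ROUTED"


def demo():
    """Run constructed traffic through the firewall and return the verdicts."""
    fw = StatefulFirewall()
    traffic = [
        (0, Packet("192.168.1.10", 51000, "203.0.113.5", 443)),    # user opens a website
        (1, Packet("203.0.113.5", 443, "192.168.1.10", 51000)),    # the site answers
        (2, Packet("198.51.100.7", 4444, "192.168.1.10", 3389)),   # stranger knocks
        (3, Packet("203.0.113.5", 443, "192.168.1.10", 51001)),    # right host, wrong port
        (4, Packet("192.168.1.23", 49152, "192.168.1.10", 445)),   # another office PC
        (120, Packet("203.0.113.5", 443, "192.168.1.10", 51000)),  # late "reply"
    ]
    return [fw.handle(pkt, t) for t, pkt in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
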
Ultimately, as a non-IT professional, what you primarily need to know is simple: it's a good idea to have both a hardware firewall and a software firewall enabled, but don't run multiple software firewalls at the same time. If all you have is a router and Windows, enable both the router's firewall and Windows Firewall. If you have a third-party software firewall (either stand-alone or part of your software security package), it is probably better than the one that came with your operating system, so enable it and your router's hardware firewall, but leave Windows Firewall or Mac firewall turned off. If, on the other hand, you have a hardware-based firewall that is separate from your router, you likely have an IT person, or already know what you need to do.
Just remember that while using firewalls can prevent malicious attempts from roaming bandits, it will not protect you from those that you invite in yourself, so be particularly careful when visiting websites and clicking on email links and attachments (more on that later). Also, a hardware firewall installed at your home or office won't do much when you are in a hotel, at the courthouse, or another location, so make sure to use virtual private networks when you are out and about (more on this later, as well).
Finally, to make sure that your router is itself secure, you should change the default username and password and disable remote access (sometimes called remote management). Although remote access can make it easier for you to manage your network settings from outside your local network (using your public IP address), it can also make it easier for hackers to get in. While you're at it, if your router has Wi-Fi, make sure the WPA2 encryption option is enabled in your settings, and choose a strong password (more on passwords later, too).
2. Use Anti-Malware Software
No matter how fireproof a wall is, no wall is foolproof. Somehow, some bandits will inevitably find their way inside your castle walls. In the context of cybersecurity, these bandits take the form of malware. Short for "malicious software," malware is the general term applied to the many different types of software designed to take unwanted actions on a computer system. Such actions, for example, may be intended to gather or corrupt sensitive information, to display undesirable advertising, or more generally, to gain unauthorized access to a private computer system to wreak who knows what bandit-like havoc. Common examples of malware include viruses, worms, Trojan horses, spyware, and increasingly, ransomware.[4] It should be needless to say at this point, but let's say it anyway: it is absolutely necessary to have an anti-malware program installed on your computer to help prevent malware attacks.
Windows (8.1 and 10) already includes the Windows Defender antivirus utility, which should be enabled by default. This, however, should be treated as an absolute minimum. Although Windows Defender appears to be improving, independent security tests show that significantly better protection is provided by many third-party security software products, including some of the better free ones, such as Panda Free AntiVirus, AVG AntiVirus Free, and Avast! Free Antivirus. Just be aware that many free products such as these are intended only for noncommercial use.
Generally, anti-malware programs, including most free ones, work by scanning your files for malware when they are accessed, as well as on demand or on a schedule. This protection is desirable because in the arms race between malware creators and security professionals, it can take some time before virus definitions are updated to include the latest threats, and you don't merely want to monitor what is coming into your system – you also want to monitor what is already there.
Paid programs don't typically increase protection significantly when it comes to catching infections in this way, but (in addition to being legal to use for business purposes) they do offer much better technical support, and may also include added features like third-party firewall, spam filtering, credit monitoring, browser tools that scan for bad links, and behavioral malware detection (which attempts, with varying results, to detect malware based on how it acts, rather than relying on a specific definition). Examples of quality paid programs include Bitdefender Antivirus Internet Security, McAfee AntiVirus Plus, and Kaspersky Antivirus.
It is generally a bad idea to have multiple antivirus software programs running at the same time (this can create conflicts). However, one fan-favorite security program, Malwarebytes Anti-Malware, is actually designed to work alongside other antivirus software. Though it should not be your only security program, Malwarebytes has been known to be able to catch some malware that other antivirus programs have yet to figure out.
Whatever you are using, make sure to install updates as soon as possible (preferably automatically). Having current malware definitions is crucial to the effectiveness of anti-malware software.
3. Keep Operating Systems and Software Up to Date
Virtually all software programs, at some point, contain bugs or vulnerabilities that, left unfixed, can leave computers open to exploitation. This is why operating system and other software updates, which often include security patches, are vital for cybersecurity.
Because these updates are often paired with functionality changes (that, perhaps, we would rather not deal with at the moment), it is tempting to put them off. Don't do this! It may be annoying to go into your iPhone settings to find that something has moved, but you owe it to yourself and to your clients to make sure the software on all of your computers and devices is up to date. So, the next time you receive notification that an update is available and it includes security patches, just do it. For help in figuring out any changes, you can always contact Practice411 at (608) 250-6012; (800) 444-9404, ext. 6012; or www.wisbar.org/practice411.
4. Use Strong Passwords
Think of the traditional castle analogy again. Passwords are the keys to the castle doors. No matter how strong the castle walls are, if doors aren't locked or if the locks are easily picked, the castle is not secure. Passwords protect your devices as well as your online accounts, but hackers can often guess easy passwords such as "1234" and "password" or use computer programs that can work day and night and enter more complex guesses at a far higher rate than any human being could. This is why strong passwords or passphrases are necessary.
A Cybersecurity Checklist: 7 Ways to Protect Data
1) Use firewalls and secure your router.
☐ If your router has a firewall, make sure it is turned on.
☐ Enable one, and only one, software firewall.
☐ Change the default username and password of your router.
☐ Turn off Remote Access.
☐ Use WPA2 encryption for Wi-Fi.
2) Use anti-malware software.
☐ Malware refers to all manner of nasty software, including viruses.
☐ You absolutely should have anti-malware software installed.
☐ Windows Defender is the absolute minimum.
☐ Quality free versions are available, but may not be licensed for commercial use.
☐ Don't install multiple antivirus products at once (but do get Malwarebytes).
☐ Keep your security programs updated.
3) Always keep your operating systems and software up to date.
☐ Set your systems and other software to automatically check for updates.
☐ Install updates immediately.
☐ Contact Practice411 if you need assistance: (608) 250-6012; (800) 444-9404, ext. 6012; or firstname.lastname@example.org.
4) Use strong passwords to protect desktop computers, laptop computers, tablets, smart phones, and accounts from unauthorized access.
☐ Weak passwords are not very secure. Use strong passwords or passphrases.
☐ Do not keep a list of your passwords near your computers or in an unsecured file.
☐ Use a password manager to more easily manage your online accounts.
5) Back up your data.
☐ You need backup. This is nonnegotiable.
☐ You want full backup and disaster recovery to be able to boot your entire system – not just to access files.
☐ It is a good idea to back up both locally and to the cloud.
☐ Make backup easier with services such as CrashPlan, or use a commercial service.
6) Practice safe surfing.
☐ Consider browser extensions or add-ons for additional security.
☐ Use a secure web connection, https://, whenever possible.
☐ Use a VPN connection, especially when traveling or using public Wi-Fi.
☐ Consider an ad blocker to protect against malvertising.
7) Change behavior.
☐ Stop and think before you click on a link!
☐ Check the legitimacy of websites.
☐ Know what you don't know.
You can create your own strong passwords or passphrases or use a password manager. If you choose to create your own passwords, keep in mind these few tips. First, make your password hard to guess. For example, do not use birthdays, anniversaries, nicknames, or names of pets (yours or family members'). This type of information about you and those close to you may be readily available online! Second, make passwords as long and as complex as you can. Mix up upper case, lower case, numbers, and punctuation or special characters. A good password may look like this: "Pznq*U#8*nQ0xjIc20Z5j." Finally, use a different password for each account.
This, of course, can be difficult. Good passwords are by nature hard to remember, and writing down all of your passwords and storing the document in your desk is not a good solution. So, if your application or website supports it, you may want to try an easier-to-remember passphrase, consisting of multiple words. For these, it is best that the phrase be memorable to you, but nonsensical to others. For example: "Osmosis experts dedicate ashen squirrel dimple."
Alternatively, for online passwords, you can use a password manager, which not only will make up complex, random, nonsense passwords for each of your accounts, but also will remember all of them for you. Password managers work by setting up a vault containing all of a user's online passwords, which can then be unlocked with one single (strong) password. Combined with browser plug-ins that autofill user names and passwords when you visit sites, password managers can be both secure and convenient. LastPass, KeePass, and 1Password are examples of password managers.
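The password tips above (avoid common and personal terms, favor length and mixed character types, never reuse) can be turned into a simple check. This is an added example, not part of the original article: the short common-password list, the 60-bit threshold, and the 7,776-word list size are assumptions, and the two sample strings are the ones quoted in the article.

```python
import math
import string

# Constructed short list; "1234" and "password" are the article's examples.
COMMON = {"1234", "password", "123456", "qwerty", "letmein"}
WORDLIST_SIZE = 7776  # assumed: passphrase words drawn at random from a list this size
MIN_BITS = 60         # assumed threshold for this example, not a standard


def estimate_bits(pw: str) -> float:
    """Rough upper bound on guessing difficulty, in bits."""
    pool = 0
    pool += 26 if any(c in string.ascii_lowercase for c in pw) else 0
    pool += 26 if any(c in string.ascii_uppercase for c in pw) else 0
    pool += 10 if any(c in string.digits for c in pw) else 0
    pool += 33 if any(c in string.punctuation or c == " " for c in pw) else 0
    if not pw or pool == 0:
        return 0.0
    char_bits = len(pw) * math.log2(pool)
    words = pw.split()
    # A phrase made of plain words is only as strong as the number of
    # words chosen, not the number of letters typed.
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return min(char_bits, len(words) * math.log2(WORDLIST_SIZE))
    return char_bits


def audit(pw: str, personal_terms=(), other_passwords=()) -> list:
    """Return the list of problems found; an empty list means none."""
    findings = []
    if pw.lower() in COMMON:
        findings.append("common")
    for term in personal_terms:  # birthdays, nicknames, pet names, ...
        if len(term) >= 3 and term.lower() in pw.lower():
            findings.append(f"personal:{term}")
    if pw in other_passwords:    # same password used on another account
        findings.append("reused")
    if estimate_bits(pw) < MIN_BITS:
        findings.append("weak")
    return findings


if __name__ == "__main__":
    samples = ["1234", "Rex2010!", "Pznq*U#8*nQ0xjIc20Z5j",
               "Osmosis experts dedicate ashen squirrel dimple"]
    for s in samples:
        print(f"{s!r}: {estimate_bits(s):.1f} bits, "
              f"findings={audit(s, personal_terms=['Rex', '2010'])}")
```

The character-based estimate only holds for characters chosen at random, so treat it as a ceiling rather than a measurement.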
When it comes to physical devices, such as your phone, tablet, laptop, or desktop, passwords are only effective when you actually use them. So, make sure to always secure the data on your mobile devices using a pattern, PIN, passcode, or password. If the device is lost or stolen, this precaution can prevent others from accessing your email, calendar, contacts, and other data. Also, even though your office may feel secure, you really must also secure the data on your desktop with a strong password as well.
5. Back Up Your Data
No matter what type of lawyer you are, or how advanced your computer skills, you should absolutely back up your data. When thinking about backup, one important thing to note is that backup is not the same thing as file storage. And although it is definitely recommended to back up your working files, one of the most effective ways to protect your data is to back up bootable images of your entire disk drive(s) or system. A complete backup and disaster recovery (BDR) that images your entire drive will allow you to restore your entire system, including your OS and other software, and get you back to work without needing to spend hours or days installing programs, adjusting settings, and returning things to normal. This type of backup is important not only to protect against equipment failure and disasters, such as fire and flood, but also to counteract cyber threats that corrupt your data or otherwise make it unusable.
One of the most prevalent current cyber threats of this type is ransomware. Ransomware is a type of malware that locks your computer or your data, typically by encrypting it. The hackers then demand a ransom in return for the code to unlock your computer or data. While most anti-malware tools offer some form of protection against ransomware, ransomware is more often encountered as a result of direct human actions that anti-malware is prone to missing, such as clicking on bad links in an email. For this reason, the best protection is to have your data backed up.
So, how do you do that? The best backup plans back up both locally and in the cloud. You never know when one or the other may become inaccessible. To make this easier, you can use a good commercial service (check a local computer reseller), or you can try a relatively inexpensive service such as CrashPlan, which you can set up yourself to automatically create backups both on site and in the cloud.
6. Practice Safe Web Surfing
Whether you are in your office or out of your office, you need to be cautious when surfing the web. When out of your office, be aware of the dangers of surfing a free, public Wi-Fi hotspot. The greatest danger to security is the hacker's ability to position himself or herself between you and the connection point. So instead of talking directly with the hotspot, you are sending your information to the hacker, who then relays it on. The hacker has access to every piece of information that you are sending: important emails, credit card information, and even security credentials to your business network. Once the hacker has that information, he or she can access your systems as if he or she were you. Hackers can also use an unsecured Wi-Fi connection to distribute malware.
Using a virtual private network (VPN) connection offers important security when using such unsecured connections, like public Wi-Fi hotspots and hotel Ethernet. If you are using a public Wi-Fi connection, your surfing activity on non-HTTPS websites is visible to everyone nearby, if they know how to look. If you want to protect your surfing activity, you can connect to a VPN. The local network will only see a single, secure VPN connection. Put simply, a VPN is a group of computers networked together over a public network, the internet. A VPN secures your computer's internet connection to guarantee that all of the data you are sending and receiving is encrypted and secured from prying eyes. Cellular connections are generally very secure, unless you have legitimate reasons to believe you are being specifically targeted or monitored. Even if a hacker manages to position himself or herself in the middle of your connection, the data is strongly encrypted by the VPN. Using a VPN, both on computers and mobile devices, may be the single best thing you can do while traveling to increase data security. Using a VPN offers a privacy feature: the VPN provider and its address will be identified, while your own IP address and personal details will remain hidden. Some examples of VPN service options are Private Internet Access, CyberGhost, IPVanish, and Cloak (for Mac). These services are easy to set up, and are either relatively inexpensive or free up to certain data limits or with speed reductions.
No matter where you are, safe surfing practices are necessary to avoid malicious websites. Most browsers today can detect known malicious websites and block them by default. There are, however, many websites that are dangerous, even though they may not yet be identified as such. Consequently, some additional safe practices may be desirable, especially when the computer or network is used by firm members or employees to check social media or to shop online.
Browser extensions or add-ons, which are commonly used to improve security, are available for all major browsers. Some security software packages (see earlier section on anti-malware software) contain these, but there are other options as well. For example, there is a free browser extension, Web of Trust, which tells you the websites you can trust. It provides an icon next to the web address and search results that tell you if the site is safe (green), dangerous (red), or untested (gray). As with any tool, browser extensions or add-ons are not 100 percent fail-safe.
Moreover, not all browser add-ons are legitimate: there are malicious add-ons that can steal your data and track your movements. Before installing any add-on, research the name and publisher of the add-on. Google the name and read the reviews.
Another safe practice is to use a secure web connection (https://) whenever you can. Some websites automatically use secure connections, but others – even though they are capable of doing so – do not. You can force these websites that have the capability to use a secure connection by installing the HTTPS Everywhere add-on if you use Chrome or Firefox.
Installing an ad blocker, such as AdBlock Plus, is another protective surfing practice and perhaps the most effective to guard against malvertising – malicious advertising. Malvertising is the use of online advertising to distribute malware. In 2015, Google disabled more than 780 million bad ads, a nearly 50 percent increase over 2014.[5] Because malvertising often lives on reputable sites, it can attack without the user's knowledge. You do not even need to click on the ad to activate it: all you need to do is visit or "drive by"[6] the webpage hosting the ad. You could be reading the latest news on a site like bbc.com and, without ever having clicked on an ad, a tiny piece of code hidden deep in the ad directs your computer to criminal servers. These servers catalog details about your computer and its location, and then select the "right" malware for you by finding security flaws hiding in your system. That is another reason why it is so crucial to keep your operating system, browsers, and software up to date.
7. Change Behavior
Frequently, the weakest link in cybersecurity is human behavior. The most robust technical and physical safeguards can be bypassed by lack of cybersecurity knowledge, carelessness, or refusal to follow security policies and procedures.
Changing our behavior is crucial, and even a few simple changes can yield much protection. For example, treat every email with caution. Most "phishing scams" happen by email. Phishing scams are generally an attempt to get you to hand over sensitive personal details. They often appear as emails or messages from a legitimate company and request that you send personal details in reply or click a link in an email to be taken to a website where you will be asked for log-in details. These website fronts are false, although they may look like the real thing, and if you input your details then the scammers can use them to steal your identity. Before clicking on a link in an email, stop, take a deep breath, and think. Check the email for spelling mistakes. Often the sender's address will look like the address of someone you know, but on closer inspection, it will have a misspelling. Rather than clicking on the link, open your browser and type in the address to determine if the website is legitimate.
Phishing scams often appear as pop-up pages. For example, Windows dialog boxes claiming that your computer has been infected or needs to be updated are common. Again, treat any of these pop-up pages with caution. Before you do anything, stop, take a deep breath, and think. Do not try to close the dialog box, because doing so may actually activate it. Instead, use Task Manager to close the program.
Many times, a link shared on social media is shortened to save space. You can find out where that short link takes you and check the safety ratings by going to CheckShortURL at http://checkshorturl.com. Make a habit of checking the legitimacy of websites by using tools such as Web of Trust. (See "Practice Safe Web Surfing.")
A large part of behavioral change is to know what we don't know. It is perhaps the most effective way to protect against risky behavior.
Lawyers are tasked with keeping client information confidential, which means lawyers must keep up to date on technology and make reasonable efforts to secure client and law firm data from unauthorized or inadvertent disclosure. Reasonable efforts need not necessarily be cumbersome or expensive, but they do require an understanding of potential information threats or risks, such as viruses and other malicious code.
The cybersecurity checks presented here provide reasonable ways in which lawyers can increase their cybersecurity and reduce their vulnerability to both external and internal threats.
1 The means or path by which a hacker can gain access to a computer or server is frequently referred to as an "attack vector" or "vector."
2 In this article, the term hack is used in its broadest sense for the reader's ease. For example, hacking includes phishing. Hacking and phishing are related in that they are both ways of obtaining information, but they differ in their choice of methods. A phish, which is ultimately a hack, occurs when a user is baited with an email, phone call, or, perhaps, a text message and tricked into "voluntarily" responding with sensitive information.
3 It is impossible to provide specific requirements for all information technology systems because the systems vary and technology is continually changing. Specific requirements would soon become obsolete. It is possible, however, to provide some valuable guidance.
4 Computer viruses are small programs or scripts that can create files, move files, erase files, consume your computer's memory, and cause your computer not to function correctly. Opening an infected email attachment is the most common way to get a virus. Spyware can gather data from a user's system without the user knowing it. This data can include anything from the web pages a user visits to personal information, such as credit card numbers. A Trojan horse is a type of malware that is often disguised as legitimate software, which misrepresents itself to appear useful or routine.
6 A drive-by download refers to the unintentional download of malware onto your computer or mobile device.