As many readers know, we lecture a lot. A whole lot. So, we thought it might be interesting to share the questions we have been asked most often in the past several months. It’s always fascinating to see what is “top of mind” at conferences and continuing-education seminars.
I’ve been thinking about cybersecurity – what’s most important? A security assessment, penetration testing, or employee training?
Penetration Testing. Well … let’s start with penetration testing. For most solo and small law firms, this is probably overkill unless you have major-league clients or extremely high value data. In penetration testing, you are asking a company to pretend they are the “bad guys” and actually attack you – it is scary stuff and tends to be expensive. The company will generally require a signed authorization and liability agreement (the “get out of jail free” card) stating the rules of engagement and that they are not liable for damages resulting from successful compromises of your network; that written authorization is also what makes the attack legal.
Attorney Sharon D. Nelson is president and John W. Simek is vice president of Sensei Enterprises Inc., a legal technology, information security, and digital forensics firm based in Fairfax, Va. (703) 359-0700.
Security Assessment. A security assessment (sometimes also called an audit) is far less expensive. The assessment is usually done with vulnerability scanning tools and involves a thorough review of your network and its configuration. The result is generally a report identifying critical, medium-level, and low-level vulnerabilities. A security assessment tends to come with a proposal for (at least) remediating the critical vulnerabilities along with the estimated cost. We believe it is wise to have these assessments done annually by a certified third-party cybersecurity company. Many clients and cyberinsurance companies are beginning to require them as well.
Employee Training. There is no getting around the absolute need for annual employee cybersecurity training. It is generally somewhat inexpensive and covers the basics of current threats and how to avoid such things as clicking on suspicious links and attachments, going to sketchy websites, giving information over the phone (duped by social engineering), and many other easy-to-make mistakes. A solid hour of good training each year is a small price to pay for educating your employees and creating a culture of cybersecurity.
What is the best password manager?
The best password manager is one you actually use – because most people don’t use one. Seriously, any good password manager is fine, and the selection is largely a personal one. What features do you need? Does the password manager have to automatically fill in website forms for login? Can the password manager store all the various types of data (for example, passport, credit cards, prescriptions) you need? Is the password database stored in the cloud or locally on your own device? Can the password database be replicated and synchronized across multiple devices, including your smartphone?
If you want a little neutral help, see PC Magazine’s review of the best password managers of 2018: www.pcmag.com/article2/0,2817,2407168,00.asp. The two highest rated are Dashlane and Keeper, but you should review the feature sets and pricing to see what works best for you.
Moving Data to the Cloud
Is it really safe to move my law firm data to the cloud – and is it ethical?
Virtually all cybersecurity experts now agree that the cloud will protect your data better than you will. Is the cloud absolutely secure? Of course not. But do law firms, especially solo practices and small firms, tend to be woefully insecure? Yes, they do.
Most lawyers are using the cloud these days – perhaps for email, perhaps to share files, perhaps because they have Office 365. There isn’t a single state lawyer regulatory system that has a problem with cloud computing – provided you take reasonable precautions to comply with your ethical duties. This means asking questions such as the following:
Where will my data be stored?
Is it encrypted at rest and in transit?
Who holds the master decryption key? (It is preferable that you do. If the provider holds it, then the provider, anyone who compromises the provider, and anyone who serves the provider with legal process can read your data.)
How long has the provider been in business?
Is the provider accustomed to working with law firms and familiar with legal ethics?
What happens to your data if the provider declares bankruptcy?
What happens to your data if you change providers? What format is your data provided in? Is there a charge?
If a law enforcement officer appears with a search warrant for your data, will your provider notify you immediately so you have the chance to file a motion to quash?
Who has responsibility for reporting a data breach should information be compromised?
As you can see, there are many questions you might ask. You can find useful expert tips for moving your firm to the cloud at www.attorneyatwork.com/tech-tips-making-move-cloud/.
Keeping Up With Technology
How can I keep up with legal technology? It moves so fast!
Trust us – we have the same problem. We each read about two hours per day – and we still can’t keep up. We don’t want to recommend a long list, so here are our favorite two resources.
Bob Ambrogi keeps up at the forefront of legal technology and shares what he learns at his LawSites blog at www.lawsitesblog.com/.
The Attorney at Work blog, which offers a good tip each day, is at www.attorneyatwork.com/. Not all of the tips are legal tech, but all the tips are interesting and many involve technology.
If you sign up for these free resources, you will receive an email each day. The vetting process is very simple – just look at the subject line – you’ll know right away if this is a topic you’re interested in. If it’s not, click the “delete” button.
Beyond these two resources, there are plenty of legal technology podcasts at Legal Talk Network, https://legaltalknetwork.com/. If you drive to work or take public transportation, listening to a podcast is a perfect way to learn – and it makes travel time pass faster!
Don’t forget continuing legal education – and ask your colleagues for recommendations regarding speakers who both inform and entertain. Legal tech can be hard to digest – a few entertaining stories along with the education is always a good mix.
Is it safe to open emails as long as I don’t click on a link or an attachment?
Generally speaking, yes. Simply opening and reading a message is unlikely to install malware if you use a browser to access your email, and Outlook, which the majority of lawyers use, also blocks scripts and external images by default. One caveat: if you allow the images in an HTML message to load, a tracking pixel can tell the sender that your address is live and that you read the message, which marks you for more targeted attempts. As with all technology, things can change, so be especially careful when opening a suspicious email.
Which security software do you recommend for smartphones?
All smartphones, even iPhones, should have some security software. Many of the major desktop security suites (for example, Symantec, Trend Micro, Kaspersky) also have agents for mobile devices. The advantage is that the same centrally managed administration console can monitor desktops, servers, and mobile devices. We suggest investigating Lookout or Sophos for stand-alone installation of security software for mobile devices.
Recognizing Suspicious Email
How do I recognize a phishing email, and what should I do with a suspicious email?
There are obvious red flags to be aware of and to tell employees about regarding bogus emails. Here are some of them:
You don’t know the sender.
You do know the sender but if you look closely, the address is one letter off (this one happens a lot).
Nothing in the note seems personal to you.
You weren’t expecting the email.
Reference is made to a financial institution, product, or service you don’t use.
Words are misspelled.
The grammar is poor.
The email doesn’t address you by name.
The message asks for personal information.
There is a link to a website, or an attachment that seems suspicious in conjunction with other factors. (Hovering over a link shows where it really leads, which often differs from the text displayed, but that is not a guarantee of safety: the destination can redirect elsewhere, and merely visiting a malicious site can infect your machine in a “drive-by” attack.)
The list goes on and on. You should advise your employees and coworkers to be on the lookout for anything suspicious and not to be click happy. If something about an email doesn’t seem right, forward the email to your IT or cybersecurity folks.
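The red flags above can be turned into a simple automated triage check. The following Python script is an added example, not code from the column or from Sensei Enterprises; the two sample messages, the KNOWN_DOMAINS set, and the keyword lists are constructed for illustration. It looks for a sender domain that is one edit away from a domain you trust, a generic greeting, requests for account details, pressure to act now, and a link whose visible text names a different host than the one it actually points to.

```python
# Added example (not from the column): checks a message against the red
# flags listed above. The sample messages, the KNOWN_DOMAINS set and the
# keyword lists are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the firm knows its own domain and its bank's domain.
KNOWN_DOMAINS = {"examplefirm.com", "examplebank.com"}
SENSITIVE = re.compile(r"\b(password|account number|routing number|social security|ssn|w-?2)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|today|within 24 hours|right away)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear\s+(customer|user|sir|madam|client)|hello|hi)[,:]?\s*$", re.I | re.M)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

# Constructed phishing sample: lookalike sender, generic greeting, urgency,
# request for account details, and a link whose text hides its real target.
PHISH = """From: "Jane Partner" <jpartner@examplefrim.com>
To: associate@examplefirm.com
Subject: Urgent: wire closing funds today

Dear Customer,

Please wire the closing funds immediately and confirm your account number at
<a href="http://198.51.100.23/verify">https://www.examplebank.com</a>.
"""

# Constructed benign sample from the real domain.
CLEAN = """From: "Jane Partner" <jpartner@examplefirm.com>
To: associate@examplefirm.com
Subject: Draft engagement letter

Hi Tom,

Attached is the draft we discussed. No rush, next week is fine.
"""


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'examplefrim' is 1 away from 'examplefirm'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(domain):
    """Return the known domain this one imitates (one edit away), else None."""
    for known in KNOWN_DOMAINS:
        if domain != known and osa_distance(domain, known) == 1:
            return known
    return None


def host_of(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_flags(raw):
    """Return human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part text in these samples
    text = (msg.get("Subject") or "") + "\n" + body
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    imitated = lookalike(domain)
    if imitated:
        flags.append(f"sender domain {domain} is one edit away from {imitated}")
    elif domain not in KNOWN_DOMAINS:
        flags.append(f"unknown sender domain {domain}")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting; does not address you by name")
    if SENSITIVE.search(text):
        flags.append("asks for personal or account information")
    if URGENCY.search(text):
        flags.append("pressures you to act immediately")
    for href, shown in ANCHOR.findall(body):
        shown = shown.strip()
        # Only compare when the visible text itself looks like an address.
        if URL_LIKE.fullmatch(shown) and host_of(shown) != host_of(href):
            flags.append(f"link text shows {host_of(shown)} but points to {host_of(href)}")
    return flags


if __name__ == "__main__":
    for flag in phishing_flags(PHISH):
        print("-", flag)
```

The constructed phishing message trips all five checks, while the benign one from the firm’s real domain trips none. A script like this is a triage aid, not a verdict: a message with no flags can still be malicious, which is why the advice above to forward anything odd to your IT or security people still stands.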
What’s the most important security tip for 2019?
Beyond a doubt, the most important security tip is do not reuse passwords! The bad guys now run automated bots that take the username and password pairs exposed in past data breaches and replay them against other sites, a technique known as credential stuffing. If you reuse passwords, there is a high probability that a password leaked from one site will unlock your accounts elsewhere. This is another great reason to use a password manager; it makes having a unique password for every system painless.
It is especially important to never reuse the password you use to log into your law firm network.
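Credential stuffing leaves a recognizable shape in a login log, and that shape is what a firm’s IT provider should be watching for. The following Python script is an added example, not code from the column; the log lines, IP addresses, and usernames are constructed. It separates a bot replaying a breached list (many different accounts, about one attempt each, in seconds) from a person who mistyped their own password (one account, a few attempts), and it reports any account the bot actually got into.

```python
# Added example (not from the column): picking a credential-stuffing run out
# of an authentication log. The log lines, IPs and usernames are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: timestamp, source IP, username, result.
# 203.0.113.7 is a bot replaying breached username/password pairs, one try
# per account, and one of them (dclerk) reused a leaked password.
# 198.51.100.4 is a person mistyping their own password twice.
LOG = """\
2019-03-04T09:00:01Z 203.0.113.7 apartner FAIL
2019-03-04T09:00:01Z 203.0.113.7 bassoc FAIL
2019-03-04T09:00:02Z 203.0.113.7 cparalegal FAIL
2019-03-04T09:00:02Z 203.0.113.7 dclerk OK
2019-03-04T09:00:03Z 203.0.113.7 ereception FAIL
2019-03-04T09:00:03Z 203.0.113.7 fbookkeeper FAIL
2019-03-04T09:12:40Z 198.51.100.4 bassoc FAIL
2019-03-04T09:12:55Z 198.51.100.4 bassoc FAIL
2019-03-04T09:13:10Z 198.51.100.4 bassoc OK
"""


def parse(log):
    """Turn the constructed log format into (time, ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try at least `min_users` distinct accounts inside
    `window` with roughly one attempt per account. A brute-force attack or a
    forgetful user shows the opposite shape: one account, many attempts."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (t0, _, _, _) in enumerate(evs):
            chunk = [e for e in evs[i:] if e[0] - t0 <= window]
            users = {e[2] for e in chunk}
            if len(users) >= min_users and len(chunk) <= 2 * len(users):
                flagged[ip] = {
                    "accounts_tried": len(users),
                    "attempts": len(chunk),
                    # Any success here means that account's password was
                    # reused from a breach and must be reset immediately.
                    "successes": sorted(e[2] for e in chunk if e[3] == "OK"),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in stuffing_sources(parse(LOG)).items():
        print(ip, info)
```

Run against the constructed log, only 203.0.113.7 is flagged, with one success (dclerk). The failures from the other accounts are good news: those users did not reuse a leaked password. The one success is the emergency, because the attacker now holds a working login to the firm’s network.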
Securing Operating Programs
I’ve heard that Office 365 and Windows 10 are not inherently secure – what can I do to make them secure?
Default configurations favor ease of setup over security – and Microsoft acknowledges that, though users seem blissfully unaware of it. Microsoft has developed a program called Secure Score. Microsoft first introduced Office 365 Secure Score to help users understand their security position by suggesting which controls to enable and comparing their scores to those of other organizations. As an example, at the time of writing, enabling MFA (multi-factor authentication) is worth 50 points. The higher the score, the better the security posture.
The program was so successful that it has been expanded to include Windows Secure Score because there are also options and features you can enable in a Windows environment. As a result, the program is now called Microsoft Secure Score and includes Office 365 and Windows. Just do a search for “Microsoft Secure Score” and you’ll see information on how to grade and improve your Secure Score.
Causing Data Breaches
What is the most common cause of data breaches and who is behind them?
Every year, the Verizon Data Breach Investigations Report answers that question. You can download the report at https://enterprise.verizon.com/resources/reports/dbir/. Hacking is the most common threat, and 81 percent of hacking-related breaches involved stolen or weak passwords (that is, a user ID and password the attacker already had or could easily guess).
Here are some additional useful stats:
73 percent of the breaches were perpetrated by outsiders, while 28 percent involved internal actors (this could mean simple errors as well as malicious actions; the figures add to more than 100 percent because some breaches involve both).
50 percent of breaches were carried out by organized criminal groups.
12 percent of breaches involved actors identified as nation-state or state affiliated.
Handling Wiring Instructions
What should I do when I get an email with wiring instructions from a client or one of the law firm partners?
There should always be a verification process – a written policy is a very good idea. A good way to get verification is to walk down the hall to see the person in your office who allegedly sent the instructions. You can also call the partner or the client, but never use a phone number contained in the email about the wiring instructions. Use a number you know to be that of the partner or client.
The same advice applies to requests for W-2 information, a scam that tends to peak every year around tax time.
What are new rules for making passwords?
New Digital Identity Guidelines were published by the National Institute of Standards and Technology (NIST) in June 2017 and are available at https://pages.nist.gov/800-63-3/sp800-63b.html. First, passphrases are recommended – they are much easier to remember. “Breaker19,you’vegotabearintheair” is a perfectly good choice (for fans of Smokey and the Bandit).
While the guidelines call for a minimum of eight characters, most experts recommend 14. NIST says systems should accept passwords of at least 64 characters, which we know isn’t a length lawyers are going to use. Passwords should allow all printable ASCII characters, including spaces, and should accept Unicode characters too, including emojis. (However, we saw emoji passwords demonstrated on The Today Show, and no one could remember them just a few minutes after making them.)
Every new password should be checked against a list of known compromised passwords – those exposed in past breaches – so you can’t choose one of those, and this can be done without ever sending the password itself to the service that holds the list. This is slowly being automated as we write. Very soon, this will be standard.
Also, for those of you with security fatigue (and isn’t that everyone?), you don’t need to have passwords expire without reason. Passwords should only be reset when they are forgotten, if they have been phished, or if there is reason to believe that they may have been compromised.
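What those rules look like when a system actually enforces them is shown below. This Python snippet is an added example, not code from NIST or from the column; the breached-password list is a constructed stand-in for a real corpus, and the “range query” is a local simulation of the hashed-prefix lookup that breached-password services offer, so nothing leaves the machine. It counts characters as Unicode code points (so an emoji is one character), normalizes the text first, accepts spaces, and deliberately has no composition rules or expiry clock, because SP 800-63B tells verifiers not to impose them.

```python
# Added example, not from NIST or the column: a memorized-secret check that
# follows the SP 800-63B rules listed above. BREACHED_SHA1 is a constructed
# stand-in for a real breached-password corpus; range_query() simulates a
# k-anonymity prefix lookup locally.
import hashlib
import unicodedata

MIN_LEN, MAX_LEN = 8, 64  # 64 is the least a verifier may accept, per the column

# Constructed list of "compromised" passwords, stored as SHA-1 hashes.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ["password", "Password1", "Summer2019!", "letmein"]
}


def normalize(secret):
    """NFKC-normalize so the same visible passphrase hashes the same way
    however it was typed (e.g. the single 'fi' ligature becomes 'f' + 'i')."""
    return unicodedata.normalize("NFKC", secret)


def range_query(sha1_prefix):
    """Simulated k-anonymity lookup: given the first five hex characters of a
    hash, return the suffixes of every breached hash sharing that prefix.
    The client never reveals the full hash, let alone the password."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(sha1_prefix)}


def is_breached(secret):
    digest = hashlib.sha1(normalize(secret).encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


def check_secret(secret):
    """Return the reasons to reject the secret; an empty list means accept.
    Deliberately absent: digit/symbol/upper-case composition rules and
    scheduled expiry, which SP 800-63B tells verifiers not to impose."""
    s = normalize(secret)
    reasons = []
    n = len(s)  # code points: an emoji or an accented letter counts as one
    if n < MIN_LEN:
        reasons.append(f"too short: {n} characters, minimum {MIN_LEN}")
    if n > MAX_LEN:
        reasons.append(f"too long: {n} characters, maximum {MAX_LEN}")
    # Spaces and all printable characters are fine; only control codes are not.
    if any(unicodedata.category(c).startswith("C") for c in s):
        reasons.append("contains control characters")
    if not reasons and is_breached(s):
        reasons.append("appears in a list of compromised passwords")
    return reasons


if __name__ == "__main__":
    for candidate in ["Breaker19,you'vegotabearintheair", "Password1", "short", "🔑" * 8]:
        print(repr(candidate), check_secret(candidate) or "OK")
```

The Smokey and the Bandit passphrase passes, “Password1” is long enough but is rejected as compromised, and eight key emojis pass because they are eight code points of printable text. In production the lookup would go to a real corpus or a prefix-query service, but the point of the simulation stands: the server only ever sees five hex characters of the hash.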
Securing Home Wireless Network
How do I secure my wireless network at home?
First, change the default settings of the wireless router: the network name (SSID, which should not identify your firm or your family), the administrator ID and password, the IP address range, and so on. While you are in the administration console, update the router’s firmware and turn off remote administration from the internet unless you truly need it.
Next, configure the Wi-Fi to be encrypted. The options you will see are WEP, WPA, and WPA2 (with WPA3 beginning to appear). WEP and WPA have been thoroughly broken; free tools will recover the key in minutes. WPA2 had a serious protocol flaw of its own (the 2017 KRACK key-reinstallation attack), but vendors patched it in software, which is one more reason to keep the router and your devices up to date. The remaining practical weakness of WPA2 on a home network is the passphrase: an attacker who records the handshake can guess at it offline at leisure, so use a long random passphrase of 20 characters or more, select AES (sometimes labeled CCMP) rather than TKIP, and disable WPS, whose eight-digit PIN can be brute-forced no matter how strong the passphrase is. That means you should be configuring your wireless router to use WPA2 with AES at this time.
The good news is that the WPA3 standard has been approved. We should start seeing products supporting the new standard in 2019, perhaps even by the time this column is published. Keep an eye out and upgrade or replace your wireless router to one that supports WPA3.
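The settings above map onto the same handful of switches whatever brand of router you own. As an added illustration, not taken from the column, here is what the weak and the corrected configurations look like in hostapd, the access-point software underneath many home and small-office routers; the interface name, SSID, and passphrase are placeholders, and the WPA3 block is for a router whose firmware supports it.

```ini
# Added example (not from the column). hostapd-style access-point settings:
# the weak choices above, the corrected WPA2 configuration below.
# interface, ssid and wpa_passphrase are placeholders.

# WEAK: WEP. Broken for years; free tools recover the key in minutes.
# Naming the firm in the SSID is a second mistake.
interface=wlan0
ssid=SmithLawOffice
wep_default_key=0
wep_key0=0123456789

# WEAK: original WPA with TKIP. Also deprecated and attackable.
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP

# CORRECTED: WPA2-Personal, AES-CCMP only, no TKIP fallback.
interface=wlan0
ssid=guest-net-7f3a
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Long random passphrase: the remaining attack on WPA2-Personal is an
# offline dictionary attack on a captured handshake, so it must not be guessable.
wpa_passphrase=vault-copper-antler-93-lantern-quill
# Protect management frames (deauthentication attacks) where clients support it.
ieee80211w=1
# Disable WPS: its PIN can be brute-forced regardless of the passphrase.
wps_state=0

# WPA3-Personal (SAE) on a router that supports it. Transition mode keeps
# the same SSID working for older WPA2-only clients:
#   wpa_key_mgmt=WPA-PSK SAE
#   sae_password=vault-copper-antler-93-lantern-quill
#   ieee80211w=1
# For a WPA3-only network: wpa_key_mgmt=SAE and ieee80211w=2.
```

On a consumer router these same choices are presented as menu items: “Security mode: WPA2-PSK (AES)”, a passphrase field, a “WPS” toggle to turn off, and, on newer hardware, “WPA2/WPA3” transition mode.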